lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20041105180452.5793f821.aluigi@autistici.org>
From: aluigi at autistici.org (Luigi Auriemma)
Subject: In-game format string bug in the Lithtech engine

#######################################################################

                             Luigi Auriemma

Application:  Lithtech engine
              http://www.lithtech.com
Games:        Alien vs Predator 2                            <= 1.0.9.6
              Blood 2                                            <= 2.1
              Contract Jack                                      <= 1.1
              Global Operations                              <= 2.0/2.1
              Kiss Psycho Circus                                <= 1.13
              Legends of Might and Magic                         <= 1.1
              No one lives forever                             <= 1.004
              No one lives forever 2                             <= 1.3
              Purge Jihad                                      <= 2.2.1
              Sanity                                            <= 1.0?
              Shogo                                              <= 2.2
              Tron 2.0                                         <= 1.042
              others...
Platforms:    Windows
Bug:          format string
Exploitation: remote, versus server (in-game)
Date:         05 November 2004
Author:       Luigi Auriemma
              e-mail: aluigi@...ervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Lithtech is the famous game engine developed by Monolith
(http://www.lith.com) and used by many games.


#######################################################################

======
2) Bug
======


The Lithtech engine (any version) is affected by some format string
bugs.
Exploiting these bugs "depends by the game" however the most easy and
common method is through the sending of messages or the usage of a
nickname containing the format arguments (like the classical %n%n%n).

The only exceptions in the usage of these 2 methods are that in some
games the nickname method causes the crash of the same attacker while
in others (just a couple of games) the message method works only when
the server is dedicated.

This is an in-game bug so the attacker needs to enter in the server (if
it is protected by password, he must know the correct keyword).


#######################################################################

===========
3) The Code
===========


Launch the server and send a message containing %n%n%n.
The server should crash immediately.
For a better test is preferable to join with a client and send the same
message or (if fails) use a nickname with the same text.


#######################################################################

======
4) Fix
======


No fix.
Monolith is unreacheable, after tons of mails sent for over one month I
have received no reply.

The only game actually patched is Purge Jihad from version 2.2.2, only
because I know the developers and so I have been able to alert them and
they have fixed the bug filtering the client's data.
The "filtering" solution could be used also by other developers if the
engine will not be fixed by Monolith.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ