lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20080616004118.43ccf7cd.aluigi@autistici.org>
Date: Mon, 16 Jun 2008 00:41:18 +0100
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, full-disclosure@...ts.grok.org.uk,
	packet@...ketstormsecurity.org, cert@...t.org, news@...uriteam.com
Subject: Informations disclosure in Crysis 1.21


#######################################################################

                             Luigi Auriemma

Application:  Crysis
              http://www.ea.com/crysis/home.jsp
Versions:     <= 1.21 (1.1.1.6156 showed as gamever)
Platforms:    Windows
Bug:          informations disclosure
Exploitation: remote versus both clients and servers
Date:         15 Jun 2008
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Crysis is a recent FPS game developed by Crytek (http://www.crytek.com)
and released at November 2007.
This game is well known for being a "computer killer" due to its high
hardware requirements but also for having various problems with
cheaters.


#######################################################################

======
2) Bug
======


Crysis is affected by a strange design error which consists in
appending various internal network informations in its disconnect and
error packets.

For example, if we send a keyexchange packet (0x8c) without having sent
the previous join packet (0x07) the server will reply with a
disconnect packet (0x08) containing a "KeyExchange1 with no connection"
error message followed by usually 16 lines of internal logs which
include various real-time informations like IP addresses, nicknames and
status of the clients (which so can be disconnected through spoofed
disconnect packets), details about PunkBuster like paths, screenshosts,
bans, checks and GUIDs of the players, status of the Gamespy SDK
(stats, failed cdkey checks, communication with the master server and
so on) and other plus or less sensitive informations.

Naturally this problem affects both servers and clients so is possible
to see also the real-time network logs of any client which is playing
on a server since both the IP and the port are visible in its logs in
some moments.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/crysislog.zip


#######################################################################

======
4) Fix
======


No fix


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ