Luigi Auriemma

Application:  Vietcong 2
              http://www.2kgames.com/vietcong2/
              (Vietcong 1 is not vulnerable because it doesn't use the
              vulnerable function)
Versions:     <= 1.10
Platforms:    Windows
Bug:          format string
Exploitation: remote, versus server (in-game)
Date:         12 Aug 2009
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


1) Introduction
2) Bug
3) The Code
4) Fix

===============
1) Introduction
===============

Vietcong 2 is a well known FPS game developed by Pterodon
(http://www.pterodon.com) using their Ptero-Engine III and released at
the end of 2005.

##########

======
2) Bug
======
Vietcong 2 uses a function called CNS_AddTxt, exported by logs.dll, for
building some of the strings which are then displayed on the screen or
written to the log files.

CNS_AddTxt makes use of sprintf with an output buffer of 1024 bytes, and
on various occasions it's called without the needed format argument.

For example, that happens when a player joins the server: the
CNS_AddTxtSysTime function is called, which adds a timestamp to the input
string and then passes it directly to CNS_AddTxt, with a possible risk
of code execution if the bug is exploited by an attacker.
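The following is an added example and not code from the advisory or from
the game: it reconstructs the shape of the bug described above (an
sprintf whose format is the caller's string) and shows the fixed-format
form a developer would use instead. CNS_AddTxt and CNS_AddTxtSysTime are
not available, so the function names, the timestamp prefix and the
1024-byte buffer size are assumptions modelled on the text.

```c
#include <stdio.h>
#include <string.h>

/* Output buffer size matching the 1024-byte buffer the advisory describes. */
#define TXT_BUF 1024

/* The vulnerable pattern is, in effect, sprintf(out, user_text): the
 * caller-controlled string becomes the format itself, so any '%'
 * directive in a player nickname is interpreted by sprintf. It is
 * deliberately not implemented here; the functions below show the
 * hardened form only. */

/* Hardened form: a fixed format string with the user text as an argument.
 * Directives inside user_text are copied literally, and snprintf bounds
 * the write. Returns snprintf's value (characters that would have been
 * written), so a caller can detect truncation. */
static int add_txt_safe(char *out, size_t out_len, const char *user_text) {
    return snprintf(out, out_len, "%s", user_text);
}

/* Plays the role the advisory gives CNS_AddTxtSysTime: prefix a timestamp
 * and hand the result on. The stamp is a constructed placeholder so the
 * function is deterministic offline (assumed, not the real format). */
static int add_txt_systime_safe(char *out, size_t out_len, const char *user_text) {
    const char *stamp = "[12:00:00] ";
    return snprintf(out, out_len, "%s%s", stamp, user_text);
}

/* The console error message the advisory quotes, built with the nickname
 * passed as an argument rather than spliced into the format. */
static int console_error_safe(char *out, size_t out_len, const char *nick) {
    return snprintf(out, out_len, "  [0]error: '%s' undefined command.", nick);
}

/* Cheap detection signal for a server operator: count '%' characters in a
 * nickname. Legitimate names rarely contain any, so a non-zero count at
 * join time is worth logging or rejecting. */
static int count_percent(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s == '%') n++;
    }
    return n;
}

int main(void) {
    char buf[TXT_BUF];
    const char *nick = "%s%s%s%n%n%n";  /* the nickname from the advisory */
    add_txt_systime_safe(buf, sizeof buf, nick);
    printf("%s\n", buf);   /* the directives come out as literal text */
    printf("percent signs in nickname: %d\n", count_percent(nick));
    return 0;
}
```

With the fixed "%s" format the nickname is copied verbatim and the `%n`
directives are never interpreted; truncation is bounded by the buffer
length and reported through the return value.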

##########

===========
3) The Code
===========
Set a nickname like %s%s%s%n%n%n and join the server.

Optionally it is possible to use the following quick proof-of-concept:
  http://aluigi.org/poc/vietcong2fs.zip

It's also possible to test the bug locally simply by typing that nickname
in the server or client console, where CNS_AddTxt will be called with
the string "  [0]error: '%s%s%s%n%n%n' undefined command.".

##########

======
4) Fix
======

No fix.
##########