Luigi Auriemma Application: Vietcong 2 http://www.2kgames.com/vietcong2/ (Vietcong 1 is not vulnerable because doesn't use the vulnerable function) Versions: <= 1.10 Platforms: Windows Bug: format string Exploitation: remote, versus server (in-game) Date: 12 Aug 2009 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org 1) Introduction 2) Bug 3) The Code 4) Fix =============== 1) Introduction =============== Vietcong 2 is a well known FPS game developed by Pterodon (http://www.pterodon.com) using their Ptero-Engine III and released at the end of 2005. ########## ====== 2) Bug ====== Vietcong 2 uses a function called CNS_AddTxt exporteded by logs.dll for the building of some strings which are then displayed on the screen or written in the log files. CNS_AddTxt makes use of sprintf with an output buffer of 1024 bytes and in various occasions it's called without the needed format argument. For example that happens when a player joins the server and is called the CNS_AddTxtSysTime function which adds a timestamp to the input string and then passes it directly to CNS_AddTxt with a possible risk of code execution if the bug is exploited by an attacker. ########## =========== 3) The Code =========== Set a nickname like %s%s%s%n%n%n and join the server. Optionally is possible to use the following quick proof-of-concept: http://aluigi.org/poc/vietcong2fs.zip It's also possible to test the bug locally simply typing that nickname in the server or client console where CNS_AddTxt will be called with the string " [0]error: '%s%s%s%n%n%n' undefined command.". ########## ====== 4) Fix ====== No fix. ##########