Luigi Auriemma
Application: Vietcong 2
http://www.2kgames.com/vietcong2/
(Vietcong 1 is not vulnerable because it doesn't use the
vulnerable function)
Versions: <= 1.10
Platforms: Windows
Bug: format string
Exploitation: remote, versus server (in-game)
Date: 12 Aug 2009
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
1) Introduction
2) Bug
3) The Code
4) Fix
===============
1) Introduction
===============
Vietcong 2 is a well known FPS game developed by Pterodon
(http://www.pterodon.com) using their Ptero-Engine III and released at
the end of 2005.
##########
======
2) Bug
======
Vietcong 2 uses a function called CNS_AddTxt, exported by logs.dll, to
build some of the strings which are then displayed on the screen or
written to the log files.
CNS_AddTxt makes use of sprintf with an output buffer of 1024 bytes, and
on various occasions it is called without the required format argument,
so the input string itself is used as the format.
For example, this happens when a player joins the server: the
CNS_AddTxtSysTime function is called, adds a timestamp to the input
string and then passes it directly to CNS_AddTxt, with a possible risk
of code execution if the bug is exploited by an attacker.
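The following C snippet is an added illustration and is not code from this advisory, from Pterodon or from logs.dll: it contrasts the "missing format argument" pattern described above with a hardened form, and adds a small check a server operator could run on nicknames before they reach any logging path. Only the 1024-byte buffer and the use of sprintf come from the advisory; the function names cns_add_txt_safe, cns_add_txt_systime_safe, count_format_specifiers and nickname_is_suspicious are hypothetical and the timestamp format is assumed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Output buffer size used by CNS_AddTxt according to the advisory. */
#define CNS_BUF_SIZE 1024

/*
 * Vulnerable pattern described in section 2 (shown only as a comment,
 * never executed here): the format argument is omitted, so the untrusted
 * text itself becomes the format and "%s%s%s%n%n%n" is interpreted.
 *
 *     char buf[CNS_BUF_SIZE];
 *     sprintf(buf, untrusted);          // untrusted == the nickname
 */

/* Hardened replacement (hypothetical name): the format is a constant,
 * the untrusted text is only ever an argument, and snprintf bounds the
 * write. Returns the number of bytes stored, excluding the NUL. */
int cns_add_txt_safe(char *out, size_t outsz, const char *untrusted)
{
    if (outsz == 0) return -1;
    int n = snprintf(out, outsz, "%s", untrusted);
    if (n < 0) return -1;
    return (size_t)n >= outsz ? (int)(outsz - 1) : n;  /* truncated */
}

/* Hardened form of the timestamp wrapper (hypothetical name and stamp
 * layout): stamp and untrusted text are both arguments to a constant
 * format, so a '%' in the nickname is copied literally. */
int cns_add_txt_systime_safe(char *out, size_t outsz,
                             const char *stamp, const char *untrusted)
{
    if (outsz == 0) return -1;
    int n = snprintf(out, outsz, "[%s] %s", stamp, untrusted);
    if (n < 0) return -1;
    return (size_t)n >= outsz ? (int)(outsz - 1) : n;
}

/* Detection helper: counts printf conversion specifiers in text that is
 * about to be logged or displayed. "%%" is a literal percent and is not
 * counted. If has_n is non-NULL it is set when a "%n" conversion occurs. */
int count_format_specifiers(const char *s, bool *has_n)
{
    int count = 0;
    if (has_n) *has_n = false;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }     /* "%%" */
        count++;
        /* skip flags, width, precision, positional '$' and length modifiers */
        const char *q = p + 1;
        while (*q && strchr("-+ #0123456789.*$hlLqjzt", *q)) q++;
        if (*q == 'n' && has_n) *has_n = true;
        if (*q == '\0') break;
        p = q;                                  /* resume after conversion */
    }
    return count;
}

bool contains_n_specifier(const char *s)
{
    bool has_n;
    count_format_specifiers(s, &has_n);
    return has_n;
}

/* Policy a server could apply on join: no legitimate nickname needs a
 * conversion specifier, so any at all is worth rejecting or alerting on. */
bool nickname_is_suspicious(const char *nick)
{
    return count_format_specifiers(nick, NULL) > 0;
}

/* Self-checks: the advisory's PoC nickname survives the safe path with its
 * percent signs intact, and oversized input is bounded to the buffer. */
bool poc_nickname_copied_literally(void)
{
    char buf[CNS_BUF_SIZE];
    const char *poc = "%s%s%s%n%n%n";
    int n = cns_add_txt_safe(buf, sizeof buf, poc);
    return n == (int)strlen(poc) && strcmp(buf, poc) == 0;
}

int oversized_input_bytes_stored(void)
{
    char big[4096];
    char buf[CNS_BUF_SIZE];
    memset(big, 'A', sizeof big - 1);   /* constructed 4095-byte input */
    big[sizeof big - 1] = '\0';
    return cns_add_txt_safe(buf, sizeof buf, big);
}

bool systime_wrapper_keeps_specifiers_literal(void)
{
    char buf[CNS_BUF_SIZE];
    int n = cns_add_txt_systime_safe(buf, sizeof buf, "12:00:00", "%n%n");
    return n == 15 && strcmp(buf, "[12:00:00] %n%n") == 0;
}

int main(void)
{
    const char *nick = "%s%s%s%n%n%n";   /* the advisory's PoC nickname */
    bool has_n;
    int specs = count_format_specifiers(nick, &has_n);
    printf("nickname %s: %d specifiers, %%n present: %s, suspicious: %s\n",
           nick, specs, has_n ? "yes" : "no",
           nickname_is_suspicious(nick) ? "yes" : "no");
    printf("safe copy literal: %s, oversized input stores %d bytes\n",
           poc_nickname_copied_literally() ? "yes" : "no",
           oversized_input_bytes_stored());
    return 0;
}
```

The fix is entirely in the call shape: `snprintf(out, sz, "%s", untrusted)` never lets attacker text reach the format parser, and the bounded size closes the overflow that a 1024-byte sprintf buffer leaves open as well. The specifier counter is deliberately strict, since a lone `%` at the end of the string is also undefined behaviour for printf and is counted.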
##########
===========
3) The Code
===========
Set a nickname like %s%s%s%n%n%n and join the server.
Optionally it is possible to use the following quick proof-of-concept:
http://aluigi.org/poc/vietcong2fs.zip
It's also possible to test the bug locally by simply typing that nickname
in the server or client console, where CNS_AddTxt will be called with
the string " [0]error: '%s%s%s%n%n%n' undefined command.".
##########
======
4) Fix
======
No fix.
##########