Multiple vulnerabilities in Liero Xtreme 0.62b

2006.03.07
Risk: Medium
Local: Yes
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

####################################################################### Luigi Auriemma Application: Liero Xtreme http://lieroxtreme.thegaminguniverse.com Versions: <= 0.62b Platforms: Windows Bugs: A] server crash/freeze B] format string in the visualization function Exploitation: A] remote, versus server B] local/remote, versus clients Date: 06 Mar 2006 Author: Luigi Auriemma e-mail: aluigi (at) autistici (dot) org [email concealed] web: http://aluigi.altervista.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Liero Xtreme (aka Lierox) is a freeware clone of the classic DOS game called Liero, and is mainly focused on the possibility of expanding and customizing the game through mods, levels and skins. Both LAN and Internet multiplayer (through the master server) are supported. ####################################################################### ======= 2) Bugs ======= ---------------------- A] server crash/freeze ---------------------- The server can be easily crashed or freezed using a long string with the "connect" command. The problem is caused by the instructions used by the game for handling the data of this command which in some cases lead to the immediate crash of the server or a loop which freezes the game. ---------------------------------------------- B] format string in the visualization function ---------------------------------------------- The client's function which visualizes the messages on the screen (0x004052d0) is affected by a format string vulnerability which can be used to execute malicious code. Exist different ways for exploiting this bug but the most interesting are the following: - joining a server using a properly formatted nickname (like %n%n%n%n or %02000x) which will be visualized by all the clients currently in the server and all the others which will join when the attacker is playing. In this type of exploitaion if the server is protected by password the attacker must know the right keyword. - hosting a dedicated server visible on the master server (default) with a formatted name, so any client which will enter in the "Join Internet Server" menu will be exploited immediately. - creating a level file (.lxl extension) with a properly formatted mapname. Due to the leaning of the game for modding this exploitation is very good too. ####################################################################### =========== 3) The Code =========== http://aluigi.altervista.org/poc/lieroxxx.zip For the bug B my proof-of-concept exploits only the first method I have explained, for the other two is enough to: - open the configconfig.cfg file and add %03000x where is specified the server's name (Server.Name) and then launch the dedicated server - take the "userdatalevelsDirt Level.lxl" file and overwrite the bytes at offset 36 with the string %03000x ####################################################################### ====== 4) Fix ====== No fix. No reply from the developers. ####################################################################### --- Luigi Auriemma http://aluigi.altervista.org


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top