Format string in F.E.A.R. 1.08 through PB

2007.10.08
Risk: High
Local: Yes
Remote: No
CWE: CWE-134


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

####################################################################### Luigi Auriemma Application: F.E.A.R. (First Encounter Assault Recon) http://www.whatisfear.com Versions: <= 1.08 Platforms: Windows and Linux Bug: format string Exploitation: remote, versus server with Punkbuster enabled Date: 01 Oct 2007 Author: Luigi Auriemma e-mail: aluigi (at) autistici (dot) org [email concealed] web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== F.E.A.R. is the most recent FPS game developed by Monolith (http://www.lith.com). ####################################################################### ====== 2) Bug ====== This bug is nothing new moreover considering that it's public from the far 2004 when this game was still a beta: http://aluigi.org/adv/lithfs-adv.txt What changes this time is the type of exploitation and the derived advantages since now the attack is completely anonymous from outside the server using only one UDP packet. When Punkbuster is enabled on a server (true for many public servers) it visualizes the content of some incoming packets using the game's console. The Punkbuster packets needed for forcing the visualization of a custom string in the console are PB_Y (YPG server) and PB_U (UCON), while in the past was ok to use PB_P too which has been recently made no longer verbose probably due to its abusing attempted by people for spamming servers (which is naturally still possible with the above packets). As already said this is a bug in the Lithtech engine and NOT in Punkbuster which is used only as a "way" for exploiting it. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/fearfspb.zip ####################################################################### ====== 4) Fix ====== No fix. The bug has been never "really" patched although it's public from 3 years. ####################################################################### --- Luigi Auriemma http://aluigi.org http://forum.aluigi.org http://mirror.aluigi.org


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top