Vietcong 2 Format String

2009-08-24 / 2009-08-25
Credit: null
Risk: High
Local: No
Remote: Yes
CWE: CWE-134


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Luigi Auriemma Application: Vietcong 2 http://www.2kgames.com/vietcong2/ (Vietcong 1 is not vulnerable because doesn't use the vulnerable function) Versions: <= 1.10 Platforms: Windows Bug: format string Exploitation: remote, versus server (in-game) Date: 12 Aug 2009 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org 1) Introduction 2) Bug 3) The Code 4) Fix =============== 1) Introduction =============== Vietcong 2 is a well known FPS game developed by Pterodon (http://www.pterodon.com) using their Ptero-Engine III and released at the end of 2005. ########## ====== 2) Bug ====== Vietcong 2 uses a function called CNS_AddTxt exporteded by logs.dll for the building of some strings which are then displayed on the screen or written in the log files. CNS_AddTxt makes use of sprintf with an output buffer of 1024 bytes and in various occasions it's called without the needed format argument. For example that happens when a player joins the server and is called the CNS_AddTxtSysTime function which adds a timestamp to the input string and then passes it directly to CNS_AddTxt with a possible risk of code execution if the bug is exploited by an attacker. ########## =========== 3) The Code =========== Set a nickname like %s%s%s%n%n%n and join the server. Optionally is possible to use the following quick proof-of-concept: http://aluigi.org/poc/vietcong2fs.zip It's also possible to test the bug locally simply typing that nickname in the server or client console where CNS_AddTxt will be called with the string " [0]error: '%s%s%s%n%n%n' undefined command.". ########## ====== 4) Fix ====== No fix. ##########

References:

http://xforce.iss.net/xforce/xfdb/52422
http://secunia.com/advisories/36301
http://osvdb.org/57002
http://aluigi.altervista.org/adv/vietcong2fs-adv.txt


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top