Hired Team: Trial versions 2.0/2.200 and below suffer from format string, malformed packet, and status/kick remote vulnerability flaws.
48d0de0d8b027316b2b64bb516c71819b83ddb7fbf4b158332b44601757163cf
#######################################################################
Luigi Auriemma
Application: Hired Team: Trial
http://eng.nmg.ru/rubrs.asp?rubr_id=165
and probably also the Shine engine on which it is based
http://www.3dengine.ru/index.asp?id=4
Versions: Hired Team <= 2.0 / 2.200
(since this is the only game based on the Shine engine
and I have received no reply from the vendor I cannot
confirm if the entire engine and what versions are
vulnerable)
Platforms: Windows
Bugs: A] in-game format string
B] match interruption through malformed packet
C] status and kick problems
Exploitation: remote
A] versus server (in-game)
B] versus server
C] versus server and players (in-game)
Date: 15 November 2004
Author: Luigi Auriemma
e-mail: aluigi@altervista.org
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Hired Team is a nice FPS game developed by New Media Generation
(http://eng.nmg.ru) and released at the end of the year 2000.
It seems to be the only game based on the Shine engine (created by the
same developers) so I cannot compare the bugs found in this game with
other games created with the same engine to know their "real nature"
and if the engine has been modified from the 2001 till now.
#######################################################################
=======
2) Bugs
=======
------------------------
A] in-game format string
------------------------
The game is affected by a format string bug located in the game
console. That lets an attacker to join a server (that doesn't have
password support, so anyone can enter in it) and crash it or execute
malicious code simply sending a message containing the formatted
arguments (like the classical %n%n%n).
----------------------------------------------
B] match interruption through malformed packet
----------------------------------------------
Each time a new player joins, the server assigns an UDP port to him
(usually the sequential ports after the server's one, by default
29199).
If the server receives a packet containing unexpected data to one of
these data ports, the match will be interrupted immediately.
---------------------------
C] status and kick problems
---------------------------
During the testing of this game/engine I found also that if a client
uses the status command, the server crash immediately.
The other strange thing is that any player can kick the others (admin
included) without limits.
#######################################################################
===========
3) The Code
===========
------------------------
A] in-game format string
------------------------
Launch a server and a client, join the server and use the console by
pressing the ~ key. Then type:
say %n%n%n
the server will crash immediately. A more simple and fast test is the
following: launch the game, select Console from the main menu and type
%x. You will see a message like: Unknown command "1015c888"
----------------------------------------------
B] match interruption through malformed packet
----------------------------------------------
Send a packet to the UDP port 29200 of the server (or 29220 if you are
testing the demo, it is the data port usually assigned to the admin)
containing any data you want, like hello, asdf or any other type of
data.
---------------------------
C] status and kick problems
---------------------------
When you (client) are into the server, from the console type:
status
to crash the server or
kick NAME
where NAME is the name of the player you want to kick.
#######################################################################
======
4) Fix
======
No fix.
The vendor has not replied to my mails. Probably the Shine engine and
Hired Team: Trial are no longer supported.
#######################################################################
---
Luigi Auriemma
http://aluigi.altervista.org
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed