
aa2k7x.txt
Posted Sep 6, 2007
Authored by Luigi Auriemma | Site aluigi.org

Alien Arena 2007 versions 6.10 and below suffers from format string and spoofing vulnerabilities.

tags | advisory, spoof, vulnerability
SHA-256 | 0b90b11ae59dc5f5ab856a67f3fdea7c517921c1c8c1880e96c20073026919b5


#######################################################################

Luigi Auriemma

Application: Alien Arena 2007
http://red.planetarena.org
Versions: <= 6.10 and current SVN
Platforms: Windows and Linux
Bugs: A] in-game format string in safe_bprintf
B] clients disconnection through spoofed client_connect
Exploitation: A] remote versus server
B] remote versus clients
Date: 05 Sep 2007
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Alien Arena 2007 is an open source FPS game developed by COR
Entertainment (alias John "Irritant" Diamond) and based on the GPL code
of the Quake 2 engine.


#######################################################################

=======
2) Bugs
=======

----------------------------------------
A] in-game format string in safe_bprintf
----------------------------------------

A format string vulnerability is located in the safe_bprintf function,
caused by calling cprintf without the needed format argument: the
already-formatted buffer is passed where the format string is expected.
The bug can be exploited in-game (so subject to the usual password and
banning limitations) using a malformed nickname:

from game/acesrc/acebot_cmds.c:

void safe_bprintf (int printlevel, char *fmt, ...)
{
    int      i;
    char     bigbuffer[0x10000];
    int      len;
    va_list  argptr;
    edict_t *cl_ent;

    va_start (argptr,fmt);
    len = vsprintf (bigbuffer,fmt,argptr);
    va_end (argptr);

    /* bigbuffer holds already-formatted text (which may include a player
       nickname) but is passed as the format string: no "%s" argument */
    if (dedicated->value)
        gi.cprintf(NULL, printlevel, bigbuffer);

    for (i=0 ; i<maxclients->value ; i++)
    {
        cl_ent = g_edicts + 1 + i;
        if (!cl_ent->inuse || cl_ent->is_bot)
            continue;

        /* same missing format argument, once per connected client */
        gi.cprintf(cl_ent, printlevel, bigbuffer);
    }
}
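
The call shape above and its corrected form, as an added example that is
not the game's code: mock_cprintf is a constructed stand-in for the
engine's gi.cprintf that formats into a caller-supplied buffer so the
behaviour can be checked offline, broadcast_unsafe reproduces the
advisory's pattern (formatted text passed as the format argument),
broadcast_fixed routes the same text through a fixed "%s" format, and
count_format_directives is a server-side check that a nickname filter or
log monitor could apply. All function names and sample strings are
constructed for this example; the unsafe path is only ever fed a "%%" so
the demonstration itself stays defined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for gi.cprintf: a variadic printf-style sink that
 * writes into a buffer instead of sending to a client. */
static int mock_cprintf(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* The pattern the advisory describes: already-formatted text, which may
 * contain a player's nickname, is handed over as the format argument, so
 * the sink interprets any '%' sequences in it. */
int broadcast_unsafe(char *out, size_t outsz, const char *message)
{
    return mock_cprintf(out, outsz, message);   /* BUG: message is user data */
}

/* Hardened form: a fixed "%s" format. The message is only ever an
 * argument, so '%' sequences in a nickname are printed literally. */
int broadcast_fixed(char *out, size_t outsz, const char *message)
{
    return mock_cprintf(out, outsz, "%s", message);
}

/* Defensive check for incoming nicknames (or chat lines in a log): count
 * '%' characters that start a conversion, i.e. are not the escape "%%". */
int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

/* Helper for checking results: renders message through one of the two
 * paths and compares with the expected output. */
int renders_as(int use_fixed, const char *message, const char *expected)
{
    char buf[128];
    if (use_fixed)
        broadcast_fixed(buf, sizeof buf, message);
    else
        broadcast_unsafe(buf, sizeof buf, message);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[128];
    broadcast_unsafe(buf, sizeof buf, "100%% done");
    printf("unsafe: %s\n", buf);        /* "%%" was interpreted: 100% done */
    broadcast_fixed(buf, sizeof buf, "100%% done");
    printf("fixed:  %s\n", buf);        /* passed through literally */
    printf("directives in \"Player%%s%%x\": %d\n",
           count_format_directives("Player%s%x"));
    return 0;
}
```

The difference between the two broadcast functions is the whole fix: the
user-controlled string never reaches the sink's format parameter. The
directive counter is a detection aid, not a substitute for that fix, since
a nickname filter only protects the inputs it is applied to.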


-------------------------------------------------------
B] clients disconnection through spoofed client_connect
-------------------------------------------------------

When queried, the game server returns a lot of information, including the
list of players currently playing and their IP addresses.
Although the Quake 2 protocol isn't prone to spoofing attacks (unlike
Quake 3 with its disconnect packet), here it is possible to block and
disconnect all the clients playing on the server simply by using the
"client_connect" command.

So an attacker needs only to query the server, obtain the list of
IP:port pairs of the players, and send this command to them using the IP
and port of the server as the source.
The client will no longer be able to move or send commands on the
server, and after some minutes it will time out; until then it cannot
rejoin the same server.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/aa2k7x.zip


#######################################################################

======
4) Fix
======


No fix.
The developer has not been contacted because he is too stupid to
understand a bug report:

http://www.quakesrc.org/forums/viewtopic.php?t=6843&start=1


#######################################################################


---
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org