|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 3196 CVE : CVE-2007-5248 SecurityRisk : High  (About) Remote Exploit : Yes Local Exploit : Yes Exploit Available : Yes Credit : Luigi Auriemma Published : 06.10.2007
Advisory Content : ####################################################################### Luigi Auriemma Application: Doom 3 engine Games: Doom 3 (http://www.doom3.com) <= 1.3.1 Quake 4 (http://www.quake4game.com) <= 1.4.2 Prey (http://www.prey.com) <= 1.3 Enemy Territory: Quake Wars NOT VULNERABLE Platforms: Windows, Linux and Mac Bug: format string Exploitation: remote, versus servers with Punkbuster enabled Date: 01 Oct 2007 Author: Luigi Auriemma e-mail: aluigi (at) autistici (dot) org [email concealed] web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== The Doom 3 engine (formerly known as id Tech 4) is the latest version of the famous game engine developed by ID Software (http://www.idsoftware.com) and used in some recent games: http://en.wikipedia.org/wiki/Id_Tech_4 ####################################################################### ====== 2) Bug ====== The function which visualizes the strings on the game's console is vulnerable to a format string vulnerability, something similar to snprintf(buff, 1024, string); Usually this is not a problem since the engine uses some functions and tricks to avoid the visualization of the % char like dropping it or inserting a space between it and the subsequent char. But there is a way for bypassing this limitation with also the better advantages of doing it anonymously and with only one single spoofable UDP packet: Punkbuster. When Punkbuster is active on a server (practically almost all the public servers) it visualizes the content of some incoming packets using the game's console. The Punkbuster packets needed for forcing the visualization of a custom string in the console are PB_Y (YPG server) and PB_U (UCON), while in the past was ok to use PB_P too which has been recently made no longer verbose probably due to its abusing attempted by people for spamming servers (which is naturally still possible with the above packets). As already said this is a bug in the Doom 3 engine and affects both dedicated and non-dedicated servers, so NOT a Punkbuster's bug which is used only as a "way" for reaching a zone of the code otherwise unexploitable. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/d3engfspb.zip ####################################################################### ====== 4) Fix ====== No fix. No reply from the developers. ####################################################################### --- Luigi Auriemma http://aluigi.org http://forum.aluigi.org http://mirror.aluigi.org  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
Allow attacker to denial of service apache 2.2.17 server |
||
| Apache |  |
|
| PHP | |
|
» libzip 0.9.3 |
||
| ADT | ||
Protect your family and valuables with Home Security Systems |
||
- 2011-05-13| Copyright © SecurityReason.com. All Rights Reserved. |