|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 3858 CVE : CVE-2008-2106 SecurityRisk : Low  (About) Remote Exploit : Yes Local Exploit : No Exploit Available : Yes Credit : Luigi Auriemma Published : 07.05.2008
Advisory Content : ####################################################################### Luigi Auriemma Application: Call of Duty 4: Modern Warfare http://www.callofduty.com Versions: <= 1.5 Platforms: Windows (tested) and Linux Bug: Denial of Service Exploitation: remote, versus server (in-game) Date: 02 May 2008 Thanx to: Chronos for the additional tests Author: Luigi Auriemma e-mail: aluigi (at) autistici (dot) org [email concealed] web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Call of Duty 4 (CoD4) is the most recent and played game of the homonym series created by Infinity Ward (http://www.infinityward.com) with over 15000 internet servers. ####################################################################### ====== 2) Bug ====== In CoD4 has been introduced a new type of connectionless command (like getinfo, getstatus, connect and so on) called "stats" that seems related to player statistics and can be of 6 types which are sent by the client in sequential order just after having joined the remote game. Exists an additional type (7) which is accepted by the server and if a client uses it the remote server will crash due to a memcpy() with a negative size value (the attacker has no control over the source data and this value). The stats packet requires that the client is in the server since the qport value specified in it and both IP and port must match those used by the player, so the attacker must know the password if the server is protected, being not banned and moreover having a valid cdkey if the internet server requires it. ####################################################################### =========== 3) The Code =========== - plugin for the sudppipe proxy which modifies any stats packet enabling type 7: http://aluigi.org/mytoolz/sudppipe.zip http://aluigi.org/poc/cod4statz_sudp.zip Usage example: sudppipe -l cod4statz_sudp.dll SERVER PORT 20000 then from the CoD4 client type: connect 127.0.0.1:20000 the plugin does a very simple job, when a "stats" packet is received it places the 0x07 byte at offset 12. - stand-alone proof-of-concept which works versus servers without authorization (like LAN servers) for quickly testing the own servers without the need of using a CoD4 client: http://aluigi.org/poc/cod4statz.zip ####################################################################### ====== 4) Fix ====== No fix ####################################################################### --- Luigi Auriemma http://aluigi.org  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
libc:fts_*() Multiple Denial of Service
The fts functions are provided for traversing UNIX file hierarchies... |
||
| Apache |  |
|
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
| PHP | |
|
» PHP 5.2.12/5.3.1 |
||
- 2009-10-02| Copyright © SecurityReason.com. All Rights Reserved. |