#######################################################################

                             Luigi Auriemma

Application:  Alien Arena 2007
              http://red.planetarena.org
Versions:     <= 6.10 and current SVN
Platforms:    Windows and Linux
Bugs:         A] in-game format string in safe_bprintf
              B] clients disconnection through spoofed client_connect
Exploitation: A] remote versus server
              B] remote versus clients
Date:         05 Sep 2007
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Alien Arena 2007 is an open source FPS game developed by COR
Entertainment (alias John "Irritant" Diamond) and based on the GPL code
of the Quake 2 engine.


#######################################################################

=======
2) Bugs
=======

----------------------------------------
A] in-game format string in safe_bprintf
----------------------------------------

A format string vulnerability is located in the safe_bprintf function,
caused by calling cprintf without the needed format argument: the
already-formatted buffer is passed directly as the format string.
The bug can be exploited in-game (so with the usual password and
banning limitations) using a malformed nickname.

from game/acesrc/acebot_cmds.c:

void safe_bprintf (int printlevel, char *fmt, ...)
{
    int i;
    char bigbuffer[0x10000];
    int len;
    va_list argptr;
    edict_t *cl_ent;

    va_start (argptr,fmt);
    len = vsprintf (bigbuffer,fmt,argptr);
    va_end (argptr);

    if (dedicated->value)
        gi.cprintf(NULL, printlevel, bigbuffer);

    for (i=0 ; i<maxclients->value ; i++)
    {
        cl_ent = g_edicts + 1 + i;
        if (!cl_ent->inuse || cl_ent->is_bot)
            continue;
        gi.cprintf(cl_ent, printlevel, bigbuffer);
    }
}

UPDATE 15 Sep 2007:
The safe_cprintf format string bug I found in Alien Arena 2006 over one
year ago is still exploitable!
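As an added example (not the advisory's code nor the game's), the hardened form of the wrapper: the formatted message is passed as an argument to a fixed "%s" format, so '%' sequences in a nickname are printed literally. The stub_cprintf and broadcast_join helpers are constructed stand-ins for gi.cprintf and its caller so the block runs on its own.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the engine import gi.cprintf: like the real
 * one it interprets its 'fmt' argument, which is why handing it
 * player-controlled text as 'fmt' is dangerous. It records the output
 * instead of sending it to a client. */
static char last_output[0x10000];

static void stub_cprintf(void *ent, int printlevel, const char *fmt, ...)
{
    va_list ap;
    (void)ent;
    (void)printlevel;
    va_start(ap, fmt);
    vsnprintf(last_output, sizeof last_output, fmt, ap);
    va_end(ap);
}

/* Hardened safe_bprintf: format once into bigbuffer (bounded with
 * vsnprintf), then pass the result as a "%s" argument so cprintf never
 * treats the message itself as a format string. */
void safe_bprintf_fixed(int printlevel, const char *fmt, ...)
{
    char bigbuffer[0x10000];
    va_list argptr;

    va_start(argptr, fmt);
    vsnprintf(bigbuffer, sizeof bigbuffer, fmt, argptr);
    va_end(argptr);

    stub_cprintf(NULL, printlevel, "%s", bigbuffer);   /* fixed format */
}

/* Constructed caller: broadcast a join message for 'nickname' and return
 * exactly what cprintf would have printed. */
const char *broadcast_join(const char *nickname)
{
    safe_bprintf_fixed(2, "%s joined the game\n", nickname);
    return last_output;
}
```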
-------------------------------------------------------
B] clients disconnection through spoofed client_connect
-------------------------------------------------------

When queried, the game server returns a lot of information, including
the list of the players currently playing and their IP addresses.
Although the Quake 2 protocol isn't prone to spoofing attacks (unlike
Quake 3 with its disconnect packet), here it is possible to block and
disconnect all the clients playing on the server simply by using the
"client_connect" command.
So an attacker needs only to query the server, get the list of IP:port
of the players and send this command to them using the IP and port of
the server as source.
The client will no longer be able to move or send commands to the server
and after some minutes it will time out; until that moment it cannot
rejoin the same server.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/aa2k7x.zip


#######################################################################

======
4) Fix
======


No fix.
The developer has not been contacted because he is too stupid to
understand a bug report:
http://www.quakesrc.org/forums/viewtopic.php?t=6843&start=1
mirror here: http://aluigi.org/misc/irritant_quakesrc.htm


#######################################################################