#######################################################################

                             Luigi Auriemma

Applications:  Call of Duty <= 1.5b
               Call of Duty: United Offensive <= 1.51b
               Call of Duty 2 1.0
               http://www.callofduty.com
Platforms:     Windows and old Linux versions (Mac has not been tested
               but should be affected too)
Bug:           crash (handled buffer-overflow)
Exploitation:  remote, versus server (in-game)
Date:          02 Apr 2005
Author:        Luigi Auriemma
               e-mail: aluigi@autistici.org
               web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Call of Duty and its expansion pack United Offensive are the famous
military FPS games developed by Infinity Ward
(http://www.infinityward.com) and Gray Matter Studios
(http://www.gmistudios.com) and published by Activision
(http://www.activision.com). The games were released in October 2003
and September 2004 respectively.

#######################################################################

======
2) Bug
======

The game server is affected by a problem in the building of the
commands used to visualize the clients' messages. If the message is
too long and the generated command is longer than 1024 chars, the
server shows the dialog box of the exception handler with a warning
about a possible buffer-overflow, and naturally the match terminates.

This sprintf() buffer-overflow cannot be exploited because, as said
before, it is correctly caught by the exception handler, and also
because each client string is dropped if longer than 1024 bytes.

This is an in-game bug, so the attacker must have access to the
server; if it's protected by password he must know the keyword, and
his cd-key can then be banned since CoD servers use online
authorization.
#######################################################################

===========
3) The Code
===========

- download the following file:
  http://aluigi.org/poc/codmsgboom.cfg
- place it in the base folder of the game: main or uo
- start a client and a server
- join the server
- go into the client console (~ key)
- type: /exec codmsgboom
- the server will crash showing an error

#######################################################################

======
4) Fix
======

No fix. The developers have not been contacted because another
unpatched bug (the infostring overflow) has already existed for over
one month and is easier to exploit than this Windows-only problem,
where attackers can be banned and tracked.

23 Jul 2005: I have written a simple patch that requires the
modification of only one byte. It works by limiting the allowed
client strings to less than 1024 bytes, to about 896 (we need to
calculate the maximum visualized string, which also includes the
client nickname and other parameters!):

  http://aluigi.org/patches/codmsgfix.lpatch

#######################################################################
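Added example, not the author's patch and not the game's code: a C sketch of the length arithmetic behind the one-byte fix. The command layout (prefix, nickname, separator, message, suffix) and the 32-byte nickname cap are assumptions, so the limit it computes differs from the author's 896; what it shows is why a per-string 1024 check is not enough, and how a bounded builder drops an oversized message instead of overrunning the 1024-byte buffer.

```c
#include <stdio.h>
#include <string.h>

#define CMD_BUF_SIZE 1024   /* size of the command buffer the advisory says sprintf() overruns */
#define MAX_NICK_LEN 32     /* assumed cap on nickname length; not stated on the page */

/* Assumed command layout: prefix + nickname + separator + message + suffix.
 * The real game's format string is not on the page; this is a stand-in. */
static const char CMD_PREFIX[] = "chat \"";
static const char CMD_SEP[]    = ": ";
static const char CMD_SUFFIX[] = "\"\n";

/* Bytes of the buffer consumed by everything except the message, assuming the
 * longest nickname: the "maximum visualized string" calculation the fix needs. */
size_t command_overhead(void) {
    return (sizeof CMD_PREFIX - 1) + MAX_NICK_LEN + (sizeof CMD_SEP - 1)
         + (sizeof CMD_SUFFIX - 1) + 1;                     /* +1 for the NUL */
}

/* Largest message length that can never push the command past CMD_BUF_SIZE. */
size_t max_message_len(void) {
    size_t overhead = command_overhead();
    return overhead >= CMD_BUF_SIZE ? 0 : CMD_BUF_SIZE - overhead;
}

/* Length an unbounded sprintf() would write, NUL included. The server in the
 * advisory only checks that each client string is <= 1024 bytes, so a nick and
 * a message that pass individually can still produce a command longer than the
 * buffer. Returns 1 when that write would overflow, 0 otherwise. */
int unbounded_build_would_overflow(const char *nick, const char *msg) {
    size_t needed = (sizeof CMD_PREFIX - 1) + strlen(nick) + (sizeof CMD_SEP - 1)
                  + strlen(msg) + (sizeof CMD_SUFFIX - 1) + 1;
    return needed > CMD_BUF_SIZE;
}

/* Hardened builder: reject oversized input up front (the patch's approach) and
 * use snprintf() so even a miscalculated limit cannot write past `out`.
 * Returns the command length, or -1 when the input is rejected or truncated. */
int build_chat_command(char *out, size_t outsz, const char *nick, const char *msg) {
    if (strlen(nick) > MAX_NICK_LEN || strlen(msg) > max_message_len())
        return -1;                          /* drop the string instead of crashing */
    int n = snprintf(out, outsz, "%s%s%s%s%s", CMD_PREFIX, nick, CMD_SEP, msg, CMD_SUFFIX);
    if (n < 0 || (size_t)n >= outsz)
        return -1;                          /* output would have been truncated */
    return n;
}
```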