#######################################################################

                             Luigi Auriemma

Application:  Lithtech engine
              http://www.lithtech.com
Games:        Alien vs Predator 2                            <= 1.0.9.6
              Blood 2                                            <= 2.1
              Contract Jack                                      <= 1.1
              F.E.A.R.                                          <= 1.02
              Global Operations                              <= 2.0/2.1
              Kiss Psycho Circus                                <= 1.13
              Legends of Might and Magic                         <= 1.1
              No one lives forever                             <= 1.004
              No one lives forever 2                             <= 1.3
              Purge Jihad                                      <= 2.2.1
              Sanity                                            <= 1.0?
              Shogo                                              <= 2.2
              Tron 2.0                                         <= 1.042
              others...
Platforms:    Windows and Mac
Bug:          format string
Exploitation: remote, versus server (in-game)
Date:         05 November 2004
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Lithtech is the famous game engine developed by Monolith
(http://www.lith.com) and used by many games.


#######################################################################

======
2) Bug
======


The Lithtech engine (any version) is affected by some format string
bugs.
Exploiting these bugs "depends by the game" however the most easy and
common method is through the sending of messages or the usage of a
nickname containing the format arguments (like the classical %n%n%n).

The only exceptions in the usage of these 2 methods are that in some
games the nickname method causes the crash of the same attacker while
in others (just a couple of games) the message method works only when
the server is dedicated.

This is an in-game bug so the attacker needs to enter in the server (if
it is protected by password, he must know the correct keyword).


#######################################################################

===========
3) The Code
===========


Launch the server and send a message containing %n%n%n.
The server should crash immediately.
For a better test is preferable to join with a client and send the same
message or (if fails) use a nickname with the same text.


#######################################################################

======
4) Fix
======


No fix.
Monolith is unreachable, after tons of mails sent for over one month I
have received no reply.

The only game currently patched is Purge Jihad from version 2.2.2, only
because I know the developers and so I have been able to alert them and
they have fixed the bug filtering the client's data.
The "filtering" solution could be used also by other developers if the
engine will not be fixed by Monolith.


#######################################################################