List: bugtraq
Subject: Quake 2 Lithium Mod V 1.24 Macro Expansion Vuln?
From: nukemmeister () gmail ! com
Date: 2005-08-25 19:40:48
Message-ID: 20050825194048.7709.qmail () securityfocus ! com
Well, I ran Quake 2 (using Lithium mod V 1.24) under OllyDBG and it seems that the
Lithium II mod for Quake 2 (latest PATCH 3.20) is parsing the '%' in
nicks. My well-crafted nickname '%999f%f%f%f%f' is being pushed onto
the stack as
004144A1 |. 68 E821AF00 PUSH QUAKE2.00AF21E8 ; ASCII "0.000000 0.000000 0.000000"
A huge real number. This expansion seems to be causing a stack
overflow. I ran it on my test server and sure enough it crashes. I'm currently
working on code execution and the ability to read any memory address.
I contacted the creator of Lithium mod II; he still hasn't returned my emails.
I found that any 'percent' in the nick is interpreted as 0.0000; you
can use various combos such as %d for an int and %c for a char. This is
telling me that it's a format string vulnerability.
This only works on a Lithium Quake 2 server. It's manifested in the
latest release V 1.24. Probably affects prior versions also.
I am currently reverse engineering the mod to get more info on this. Probably gonna
take a while 'cause I'm at my mom's house with 8 people and one computer ;p
The vuln lies in the code that updates the score (frags) when you die; that is where the overflow
will manifest. I will write a more detailed explanation on this after I finish RE'ing it.
Regards, SinNULL
More info on the vuln will be posted shortly, when I find some allocated time to work
with.
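The pattern the post describes (a player nickname containing '%' reaching a printf-style call as the format string) is illustrated below from the defender's side. This is an added example, not code from the post or from the Lithium mod; the function names, the "frags" message text and the sanitizer are assumptions made for the illustration. It shows the hardened scoreboard call that passes the nickname as data under a fixed format, a check a server operator can use to log or reject names carrying conversion specifiers, and a defense-in-depth sanitizer for legacy paths.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if the nickname contains a '%' that a printf-style function
 * would treat as a conversion specifier, else 0. A server-side check like
 * this lets an operator log or reject such names before they reach any
 * scoreboard or logging code. (Hypothetical helper, not from the mod.) */
int nick_has_format_specifier(const char *nick)
{
    return strchr(nick, '%') != NULL;
}

/* Hardened scoreboard line builder (assumed message text).
 * The unsafe pattern the post describes is equivalent to
 *     snprintf(out, n, nick);            // nickname used AS the format
 * where "%f" in the name pulls values off the stack, which is exactly
 * the "0.000000 0.000000 0.000000" expansion seen in the debugger.
 * Here the nickname is always an argument to a fixed format string, so
 * any '%' in it is plain text. Returns snprintf's result: the length the
 * full line needs, or a negative value on an encoding error. */
int format_frag_line(char *out, size_t n, const char *nick, int frags)
{
    return snprintf(out, n, "%s has %d frags", nick, frags);
}

/* Defense in depth for code paths that cannot be audited right away:
 * copies src into dst (at most n-1 chars, always NUL-terminated) with
 * every '%' replaced by '_', so a legacy call that still uses the name
 * as a format string has nothing to interpret. The real fix remains the
 * fixed-format call above. */
void neutralize_percent(char *dst, size_t n, const char *src)
{
    size_t i;
    if (n == 0)
        return;
    for (i = 0; i + 1 < n && src[i] != '\0'; i++)
        dst[i] = (src[i] == '%') ? '_' : src[i];
    dst[i] = '\0';
}

int main(void)
{
    /* Sample nickname taken from the post; the benign one is constructed. */
    const char *names[] = { "%999f%f%f%f%f", "SinNULL" };
    char line[64], clean[64];
    size_t k;

    for (k = 0; k < sizeof names / sizeof names[0]; k++) {
        if (nick_has_format_specifier(names[k]))
            printf("warning: nick %s contains a format specifier\n", names[k]);
        format_frag_line(line, sizeof line, names[k], 3);
        neutralize_percent(clean, sizeof clean, names[k]);
        printf("%s | sanitized: %s\n", line, clean);
    }
    return 0;
}
```

Running it prints the crafted name back verbatim inside the frag line: under a fixed format the '%' characters are data, so no stack values are expanded, while the check flags the name for the operator's log.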