SecurityTracker.com
Category:   Application (Game)  >   IGI 2 Covert Strike
Vendors:   Innerloop Studios
IGI-2 Covert Strike Game Format String Flaw Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1009667
SecurityTracker URL:  http://securitytracker.com/id/1009667
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 5 2004
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 1.3 and prior versions
Description:   Luigi Auriemma reported a format string vulnerability in IGI-2 Covert Strike. A remote user can execute arbitrary code on the target system.

It is reported that a remote user can send a specially crafted RCON command to the target system to trigger the flaw and execute arbitrary code. The vulnerability resides in the RCON logging function, the report said.

A demonstration exploit is available at:

http://aluigi.altervista.org/poc/igi2fs.zip

The vendor has reportedly been notified without response.

Impact:   A remote user can execute arbitrary code on the target system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.igi2-game.com/
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Format string bug in IGI 2: Covert Strike 1.3


#######################################################################

                              Luigi Auriemma

Application:  IGI 2: Covert Strike
               http://www.igi2-game.com
Versions:     <= 1.3
Platforms:    Windows, Linux
Bug:          format string bug
Risk:         high
Exploitation: remote, versus server
Date:         05 Apr 2004
Author:       Luigi Auriemma
               e-mail: aluigi@altervista.org
               web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


IGI 2 is a game developed by Innerloop (http://www.innerloop.com) and
released in February 2003.
It has been defined by its creators as "a tactical stealth-based FPS
with plenty of tension and action".


#######################################################################

======
2) Bug
======


The IGI 2 server is affected by a format string bug in the logging
function of the RCON commands.
FYI, RCON commands are used by admins to administer their servers
remotely. This function exists in both dedicated and normal servers and
cannot be disabled.

A practical example of the bug "in action" is the following:

- Attacker sends: /hello-%08x.%08x.%08x.%08x
- Server logs:    [17:17:28] Consoled:
'hello-082aeefc.00000131.0061b64c.00000011' run from 192.168.0.3:32768


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/igi2fs.zip


#######################################################################

======
4) Fix
======


No fix.
Developers have not replied to my mails.


#######################################################################


---
Luigi Auriemma
http://aluigi.altervista.org
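
The class of bug reported above, from the defender's side, as an added example that is not part of the original advisory and not the game's own code: a logging routine that keeps the RCON command out of the format string, plus a check that flags printf-style directives in a received command. The function names, the timestamp and peer parameters, and the exact log layout are assumptions modeled on the sample log line in the advisory.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (shown only as a comment, never compiled here):
 *     snprintf(line, n, cmd);       client text used as the format string
 * Hardened form: constant format, client text passed only as a %s argument.
 * Layout modeled on the advisory's sample log line (assumption).
 * Returns 0 on success, -1 if the line did not fit in the buffer. */
int log_rcon_safe(char *line, size_t n, const char *ts,
                  const char *cmd, const char *peer)
{
    int len = snprintf(line, n, "[%s] Consoled: '%s' run from %s", ts, cmd, peer);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;
}

/* Detection helper: count printf-style directives in untrusted text.
 * "%%" is a literal percent and is not counted. *has_write is set when a
 * %n directive (the one that stores to memory) is present. */
int count_format_directives(const char *s, int *has_write)
{
    int count = 0;
    *has_write = 0;
    while ((s = strchr(s, '%')) != NULL) {
        s++;                                    /* step past '%' */
        if (*s == '%') { s++; continue; }       /* literal percent */
        s += strspn(s, "-+ #0");                /* flags */
        s += strspn(s, "0123456789*$");         /* width or positional index */
        if (*s == '.') { s++; s += strspn(s, "0123456789*$"); }
        s += strspn(s, "hlLqjzt");              /* length modifiers */
        if (*s && strchr("diouxXeEfFgGaAcspn", *s)) {
            count++;
            if (*s == 'n') *has_write = 1;
            s++;
        }
    }
    return count;
}

int main(void)
{
    /* Constructed sample input: the command string quoted in the advisory. */
    const char *cmd = "hello-%08x.%08x.%08x.%08x";
    char line[256];
    int has_write;
    int hits = count_format_directives(cmd, &has_write);

    if (log_rcon_safe(line, sizeof line, "17:17:28", cmd, "192.168.0.3:32768") == 0)
        puts(line);
    if (hits > 0)
        printf("ALERT: %d format directive(s) in RCON command\n", hits);
    return 0;
}
```

With the constant format string the directives are logged as literal text instead of being expanded into stack values, and the directive count gives an operator something to alert on.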


 
 



Copyright 2019, SecurityGlobal.net LLC