SecurityTracker.com
Category:   Application (Game)  >   LithTech Engine
Vendors:   LithTech, Inc.
LithTech Engine Format String Bug Lets Remote Users Crash the Game Server
SecurityTracker Alert ID:  1012098
SecurityTracker URL:  http://securitytracker.com/id/1012098
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 5 2004
Impact:   Denial of service via network
Exploit Included:  Yes  

Description:   Luigi Auriemma reported a format string vulnerability in the LithTech Engine, used by many game software titles. A remote user can cause the game server to crash.

The method required to trigger the format string flaw may vary, depending on the game software using the engine. In some cases, authentication is required.

A remote user may be able to send a nickname or other message containing format string specifiers (e.g., '%n%n%n') to trigger the flaw and, in some cases, cause the target game service to crash.

Many games are affected, including the following:

Alien vs Predator 2 <= 1.0.9.6
Blood 2 <= 2.1
Contract Jack <= 1.1
Global Operations <= 2.0/2.1
Kiss Psycho Circus <= 1.13
Legends of Might and Magic <= 1.1
No one lives forever <= 1.004
No one lives forever 2 <= 1.3
Purge Jihad <= 2.2.1
Sanity <= 1.0?
Shogo <= 2.2
Tron 2.0 <= 1.042

Impact:   A remote user can cause the target game server to crash.
Solution:   No solution was available at the time of this entry.

Of the affected games, Purge Jihad has implemented a fix in version 2.2.2.

Vendor URL:  www.lithtech.com/
Cause:   Input validation error, State error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  In-game format string bug in the Lithtech engine



#######################################################################

                             Luigi Auriemma

Application:  Lithtech engine
              http://www.lithtech.com
Games:        Alien vs Predator 2                            <= 1.0.9.6
              Blood 2                                            <= 2.1
              Contract Jack                                      <= 1.1
              Global Operations                              <= 2.0/2.1
              Kiss Psycho Circus                                <= 1.13
              Legends of Might and Magic                         <= 1.1
              No one lives forever                             <= 1.004
              No one lives forever 2                             <= 1.3
              Purge Jihad                                      <= 2.2.1
              Sanity                                            <= 1.0?
              Shogo                                              <= 2.2
              Tron 2.0                                         <= 1.042
              others...
Platforms:    Windows
Bug:          format string
Exploitation: remote, versus server (in-game)
Date:         05 November 2004
Author:       Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Lithtech is the famous game engine developed by Monolith
(http://www.lith.com) and used by many games.


#######################################################################

======
2) Bug
======


The Lithtech engine (any version) is affected by some format string
bugs.
Exploiting these bugs "depends on the game"; however, the easiest and
most common method is through the sending of messages or the usage of a
nickname containing the format arguments (like the classical %n%n%n).

The only exceptions in the usage of these 2 methods are that in some
games the nickname method causes the crash of the same attacker while
in others (just a couple of games) the message method works only when
the server is dedicated.

This is an in-game bug so the attacker needs to enter the server (if
it is protected by password, he must know the correct keyword).


#######################################################################

===========
3) The Code
===========


Launch the server and send a message containing %n%n%n.
The server should crash immediately.
For a better test it is preferable to join with a client and send the
same message or (if that fails) use a nickname with the same text.


#######################################################################

======
4) Fix
======


No fix.
Monolith is unreachable; after tons of mails sent for over one month I
have received no reply.

The only game actually patched is Purge Jihad from version 2.2.2, only
because I know the developers and so I have been able to alert them and
they have fixed the bug by filtering the client's data.
The "filtering" solution could also be used by other developers if the
engine is not fixed by Monolith.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org
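
The "filtering" fix mentioned in the message, sketched as an added example; this is not code from the LithTech engine, from Purge Jihad, or from the advisory's author. The function names and buffer sizes are hypothetical, and the sketch assumes a server that builds a chat or log line from a client-supplied nickname and message.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: neutralise client-supplied text (nickname or chat
 * message) before it reaches any routine that might treat it as a
 * printf-style format. '%' is replaced and control bytes are dropped. */
size_t sanitize_client_text(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz == 0)
        return 0;
    for (; *in != '\0' && o + 1 < outsz; in++) {
        unsigned char c = (unsigned char)*in;
        if (c < 0x20 || c == 0x7f)
            continue;                          /* drop control characters */
        out[o++] = (c == '%') ? '_' : (char)c; /* no specifier survives */
    }
    out[o] = '\0';
    return o;
}

/* Hypothetical server-side formatter for a chat/log line.
 * Vulnerable pattern (client text used as the format argument):
 *     snprintf(line, linesz, msg);
 * Hardened pattern: constant format string, client text passed only as
 * data, and filtered first so later consumers of the line are safe too. */
int format_chat_line(char *line, size_t linesz,
                     const char *nick, const char *msg)
{
    char safe_nick[32], safe_msg[128];
    sanitize_client_text(nick, safe_nick, sizeof safe_nick);
    sanitize_client_text(msg, safe_msg, sizeof safe_msg);
    return snprintf(line, linesz, "<%s> %s", safe_nick, safe_msg);
}

int main(void)
{
    char line[192];
    /* Constructed sample input using the advisory's test string. */
    format_chat_line(line, sizeof line, "player%n", "%n%n%n hello");
    puts(line);
    return 0;
}
```

Filtering alone only protects the paths it covers; keeping the format argument a constant string removes the bug class at each call site regardless of what the client sends.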
 
 

