Category:   Application (Game)  >   Hired Team
Vendors:   New Media Generation
Hired Team: Trial Format String Flaw Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1012238
SecurityTracker URL:  http://securitytracker.com/id/1012238
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 15 2004
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 2.0 / 2.200 and prior versions
Description:   Luigi Auriemma reported several vulnerabilities in the 'Hired Team: Trial' game software. A remote user can interrupt games or cause the game service to crash. A remote user can execute arbitrary code on the target system.

It is reported that a remote user can join a game and then send a specially crafted message containing format string characters to cause the target game service to crash or potentially execute arbitrary code.

It is also reported that a remote user can send data to one of the server-assigned UDP ports on the target server to cause the match to be interrupted.

It is also reported that a remote user can invoke the status command to cause the target game service to crash.

The report indicates that the flaws may reside in the Shine engine (on which the game is based), but no other games were tested, so it cannot be confirmed whether the flaws are in the Shine engine itself or specific to the Hired Team game software.

Impact:   A remote user can cause the target game service to crash.

A remote user may be able to execute arbitrary code on the target user's system.

A remote user can interrupt game matches.

Solution:   No solution was available at the time of this entry.
Vendor URL:  eng.nmg.ru/rubrs.asp?rubr_id=165
Cause:   Exception handling error, Input validation error, State error
Underlying OS:  Windows (Any)

Message History:   None.


Source Message Contents

Subject:  Multiple vulnerabilities in Hired Team: Trial (Shine engine)



#######################################################################

                             Luigi Auriemma

Application:  Hired Team: Trial
               http://eng.nmg.ru/rubrs.asp?rubr_id=165
              and probably also the Shine engine on which it is based
               http://www.3dengine.ru/index.asp?id=4
Versions:     Hired Team <= 2.0 / 2.200
              (since this is the only game based on the Shine engine
              and I have received no reply from the vendor, I cannot
              confirm whether the entire engine is vulnerable or
              which versions are)
Platforms:    Windows
Bugs:         A] in-game format string
              B] match interruption through malformed packet
              C] status and kick problems
Exploitation: remote
              A] versus server (in-game)
              B] versus server
              C] versus server and players (in-game)
Date:         15 November 2004
Author:       Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Hired Team is a nice FPS game developed by New Media Generation
(http://eng.nmg.ru) and released at the end of the year 2000.
It seems to be the only game based on the Shine engine (created by the
same developers), so I cannot compare the bugs found in this game with
other games created with the same engine to know their "real nature"
and whether the engine has been modified from 2001 until now.


#######################################################################

=======
2) Bugs
=======

------------------------
A] in-game format string
------------------------

The game is affected by a format string bug located in the game
console. This lets an attacker join a server (the game has no password
support, so anyone can enter) and crash it or execute malicious code
simply by sending a message containing format directives (like the
classic %n%n%n).


----------------------------------------------
B] match interruption through malformed packet
----------------------------------------------

Each time a new player joins, the server assigns a UDP port to him
(usually the ports following the server's own port, which is 29199 by
default).
If the server receives a packet containing unexpected data on one of
these data ports, the match is interrupted immediately.


---------------------------
C] status and kick problems
---------------------------

During the testing of this game/engine I also found that if a client
uses the status command, the server crashes immediately.
The other strange thing is that any player can kick the others (admin
included) without limits.


#######################################################################

===========
3) The Code
===========

------------------------
A] in-game format string
------------------------

Launch a server and a client, join the server and use the console by
pressing the ~ key. Then type:

  say %n%n%n

the server will crash immediately. A simpler and faster test is the
following: launch the game, select Console from the main menu and type
%x. You will see a message like: Unknown command "1015c888"
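The 'Unknown command "1015c888"' output above is the classic sign of player text being used as a printf-family format string, as described in bug A. The following hypothetical console handlers are an added example (not the Shine engine's or Hired Team's code): a detector a server could use to log or alert on such input, and the corrected form in which the player's text is only ever a %s argument.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical console handlers, added as an example; not the Shine engine's
 * code. They show the defect class in the advisory (player-controlled text
 * reaching a printf-family format argument) and the corrected form. */

/* Returns 1 if a printf-family call would interpret a directive in s
 * ("%x", "%n", ...). A doubled "%%" is a literal percent and is skipped.
 * Intended as a server-side logging/alerting check, not as the fix. */
int contains_format_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%": escaped percent, not a directive */
            p++;
            continue;
        }
        return 1;
    }
    return 0;
}

/* The vulnerable pattern behind 'Unknown command "1015c888"' is the player's
 * text used as the format itself, e.g. snprintf(out, outlen, cmd);
 * "%x" then reads a stack word and "%n" writes memory. Not compiled here. */

/* Corrected form: a fixed format string; the player's text is only ever a
 * %s argument, so "%x" or "%n%n%n" is copied verbatim and never interpreted. */
int unknown_command_msg(char *out, size_t outlen, const char *cmd)
{
    return snprintf(out, outlen, "Unknown command \"%s\"", cmd);
}

/* Same rule for in-game chat: "say %n%n%n" becomes a literal chat line. */
int chat_line(char *out, size_t outlen, const char *player, const char *msg)
{
    return snprintf(out, outlen, "%s: %s", player, msg);
}
```

With the corrected handlers, typing %x in the console yields the literal text Unknown command "%x" instead of a leaked stack value.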


----------------------------------------------
B] match interruption through malformed packet
----------------------------------------------

Send a packet to the UDP port 29200 of the server (or 29220 if you are
testing the demo; this is the data port usually assigned to the admin)
containing any data at all, for example hello, asdf or any other kind
of data.


---------------------------
C] status and kick problems
---------------------------

When you (the client) are in the server, from the console type:

  status

to crash the server or

  kick NAME

where NAME is the name of the player you want to kick.


#######################################################################

======
4) Fix
======


No fix.
The vendor has not replied to my mails. Probably the Shine engine and
Hired Team: Trial are no longer supported.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org
 
 



Copyright 2019, SecurityGlobal.net LLC