Hosting Provided By

Format string in the Doom 3 engine through PB

From: Luigi Auriemma <aluigi(at)autistici.org>
Date: Mon Oct 01 2007 - 15:31:32 EDT

#######################################################################

                             Luigi Auriemma

Application:  Doom 3 engine
Games:        Doom 3     (
http://www.doom3.com)                <= 1.3.1
              Quake 4    (
http://www.quake4game.com)           <= 1.4.2
              Prey       (
http://www.prey.com)                   <= 1.3
              Enemy Territory: Quake Wars                NOT VULNERABLE
Platforms:    Windows, Linux and Mac
Bug:          format string
Exploitation: remote, versus servers with Punkbuster enabled
Date:         01 Oct 2007
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################



1) Introduction
2) Bug

3) The Code
4) Fix

#######################################################################

Introduction

The Doom 3 engine (formerly known as id Tech 4) is the latest version of the famous game engine developed by ID Software (http://www.idsoftware.com) and used in some recent games:

http://en.wikipedia.org/wiki/Id_Tech_4

#######################################################################

2) Bug

The function which visualizes the strings on the game's console is vulnerable to a format string vulnerability, something similar to snprintf(buff, 1024, string);
Usually this is not a problem since the engine uses some functions and tricks to avoid the visualization of the % char like dropping it or inserting a space between it and the subsequent char.

But there is a way for bypassing this limitation with also the better advantages of doing it anonymously and with only one single spoofable UDP packet: Punkbuster.

Do you need help?

When Punkbuster is active on a server (practically almost all the public servers) it visualizes the content of some incoming packets using the game's console.
The Punkbuster packets needed for forcing the visualization of a custom string in the console are PB_Y (YPG server) and PB_U (UCON), while in the past was ok to use PB_P too which has been recently made no longer verbose probably due to its abusing attempted by people for spamming servers (which is naturally still possible with the above packets).

As already said this is a bug in the Doom 3 engine and affects both dedicated and non-dedicated servers, so NOT a Punkbuster's bug which is used only as a "way" for reaching a zone of the code otherwise unexploitable.

#######################################################################

3) The Code

http://aluigi.org/poc/d3engfspb.zip

#######################################################################

4) Fix

No fix.
No reply from the developers.

#######################################################################

---
Luigi Auriemma

http://aluigi.orghttp://forum.aluigi.orghttp://mirror.aluigi.org

Received on Mon Oct 1 15:24:29 2007

Do you need more help?

This message: [ Message body ]
Next message: joseph.giron13(at)gmail.com: "ASP-CMS version 1 default password location."
Previous message: Luigi Auriemma: "Two buffer-overflow in FSD V2.052 d9 and FSFDT V3.000 d9"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Sun Oct 28 2007 - 06:18:42 EDT