Sacrifice Format String and Buffer Overflow
Saturday, 06 August 2005
Summary
Sacrifice is "a strategy game developed by Shiny Entertainment".

Format string and buffer overflow vulnerabilities discovered in the game Sacrifice allow remote attackers to make the program execute arbitrary code.

Credit:
The information has been provided by Luigi Auriemma.
The original article can be found at: http://aluigi.altervista.org/adv/sacrifice-adv.txt
Details
Vulnerable Systems:
* Sacrifice version patch3 and prior

Format string everywhere:
The game uses a function in game3d.dll to build the text strings shown on the screen. This is a graphics function and as such is used to display ANY type of text: menus, chat, messages, names, server names... anything. This function is affected by a format string vulnerability caused by the incorrect use of the vsprintf() function.

Buffer overflow in chat:
An exploitable buffer overflow vulnerability exists when the game receives a message from the online chat server (peerchat.gamespy.com). The bug is caused by an unbounded copy of the incoming message characters, which continues until a character lower than or equal to 0x20 is found in the incoming buffer (function GetWord() in share.dll). Since the destination buffer is limited to 256 bytes, a longer token overflows it.
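To make the two defects concrete, here is an added C sketch (not the advisory's or the game's code) of the unbounded word copy and the untrusted-text-as-format pattern described above, each next to a hardened version. Function names, the 256-byte size and the truncation flag are assumptions based on the advisory text.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define WORD_BUF 256   /* the 256-byte destination the advisory describes (assumed) */

/* Reconstructed shape of the unbounded copy: it stops only at a byte <= 0x20,
   so a chat token longer than the destination overruns it. Constructed here to
   show the defect; not the game's code. Called only with short input in the test. */
size_t get_word_unbounded(char *dst, const char *src)
{
    size_t n = 0;
    while ((unsigned char)src[n] > 0x20) {   /* no bound on n */
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return n;
}

/* Hardened: same delimiter rule, but never writes more than dst_size bytes.
   Returns the number of bytes copied and sets *truncated when the token did not
   fit, so the caller can drop or log an oversized message instead of crashing. */
size_t get_word_bounded(char *dst, size_t dst_size, const char *src, int *truncated)
{
    size_t n = 0;
    *truncated = 0;
    if (dst_size == 0)
        return 0;
    while ((unsigned char)src[n] > 0x20) {
        if (n + 1 >= dst_size) {             /* leave room for the terminator */
            *truncated = 1;
            break;
        }
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return n;
}

/* Display path: untrusted text is always passed as an argument to a fixed "%s"
   format and never used as the format string itself, so "%n%n%n" in a chat
   line is rendered literally instead of being interpreted. */
int render_text(char *out, size_t out_size, const char *untrusted_text)
{
    return snprintf(out, out_size, "%s", untrusted_text);
}
```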

Proof of concept:
The easiest way to exploit these bugs is with a normal IRC client: join the channel #GSP!sacrifice on the server peerchat.gamespy.com and send the following messages:
Format string: %n%n%n
Buffer overflow:
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaEIPX
