#######################################################################

                             Luigi Auriemma

Application:  Cafu / Ca3D Engine
              http://www.cafu.de
Versions:     <= r39 (aka 9.06)
Platforms:    Windows and Linux
Bugs:         A] NULL pointer
              B] clients format string
Exploitation: A] remote, versus server
              B] remote, versus clients (in-game)
Date:         22 Mar 2010
Thanx to:     Salvatore Fresta aka Drosophila (www.salvatorefresta.net)
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From the vendor's website:

"The Cafu Engine is an all-purpose, modern 3D graphics engine and game
development kit, feature complete to get you started quickly."

#######################################################################

=======
2) Bugs
=======

---------------
A] NULL pointer
---------------

The server can be crashed through an incomplete CS0_RemoteConsoleCommand
packet that doesn't contain the password field, leading to a NULL
pointer access.

Example of malformed packet:

  FF FF FF FF 00 00 00 00 05

------------------------
B] clients format string
------------------------

The client's engine is affected by a format string vulnerability located
in the calling of the ScrollInfoT::Print function used for showing
messages on the screen.

Unlike Console->Print, which shows one string in the console, this
function uses a printf-like format:

  void ScrollInfoT::Print(const char* PrintString, ...)

but the format argument is missing in a couple of locations, one of
which is the display of the chat messages.

Ca3DE\Client\ClientStateInGame.cpp:

  ...
          case SC1_ChatMsg:
          {
              const char* ChatMessage=InData.ReadString();

              cf::LogDebug(net, "SC1_ChatMsg: %s", ChatMessage);
              Console->Print(std::string(ChatMessage)+"\n");
              ChatScrollInfo.Print(ChatMessage);
              break;
          }
  ...

The result is that an attacker from the same server or (better) from
another client can crash or execute malicious code on any other client
connected to the server.

#######################################################################

===========
3) The Code
===========

http://salvatorefresta.net/files/poc/PoC-Ca3DE-9.06.zip

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
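The following is an added illustration of bug B] and its remedy, not code from the advisory or from the Cafu project: scroll_print() stands in for ScrollInfoT::Print, render_chat_safe() is the corrected SC1_ChatMsg handling (untrusted text passed as a "%s" argument, never as the format), and has_format_directive() is a defender-side check for conversion directives in untrusted chat or console text; all three names are hypothetical.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for ScrollInfoT::Print: a printf-style sink that formats into
 * a caller-supplied buffer. The format attribute makes gcc/clang warn on
 * a call such as scroll_print(out, n, chat_message), i.e. the same shape
 * as the vulnerable ChatScrollInfo.Print(ChatMessage) in the advisory. */
__attribute__((format(printf, 3, 4)))
static int scroll_print(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Corrected SC1_ChatMsg handling: the untrusted message is always an
 * argument to a fixed "%s" format, so any directives it carries are
 * printed verbatim instead of being interpreted. Returns the length. */
int render_chat_safe(const char *chat_message, char *out, size_t n)
{
    if (chat_message == NULL)      /* a missing string field: treat as empty */
        chat_message = "";
    return scroll_print(out, n, "%s", chat_message);
}

/* Defender-side check: does an untrusted string contain a printf
 * conversion directive? "%%" is a literal percent sign and is ignored.
 * Suitable for logging or dropping suspicious text at the server. */
bool has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }  /* escaped percent */
        return true;
    }
    return false;
}

int main(void)
{
    char buf[128];
    const char *msg = "hi %x %s %n";   /* constructed sample chat line */
    render_chat_safe(msg, buf, sizeof buf);
    printf("rendered: %s (directive=%d)\n", buf, has_format_directive(msg));
    return 0;
}
```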