####################################################################### Luigi Auriemma Application: Call of Duty 4: Modern Warfare Call of Duty: World at War http://www.callofduty.com Versions: cod4 <= 1.7 cod5 <= 1.3 Platforms: Windows (tested) and Linux Bugs: A] "Attempted to overrun string in call to va()" DoS B] "callvote map" Denial of Service Exploitation: remote, versus server (bug B in-game) Date: 22 Jun 2008 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Call of Duty 4 (CoD4) is the most recent and played game of the homonym series created by Infinity Ward (http://www.infinityward.com) with over 15000 internet servers. ####################################################################### ======= 2) Bugs ======= ---------------------------------------------------- A] "Attempted to overrun string in call to va()" DoS ---------------------------------------------------- va() is a function of the Quake 3 engine used to quickly build strings using snprintf and a static destination buffer. If the generated string is longer than the available buffer the server shows an "Attempted to overrun string in call to va()" error and terminates. From Call of Duty 2 (and consequently CoD4) the size of this buffer has been reduced from the original 32000 bytes to only 1024 causing many problems to the admins, for which reason I created an unofficial fix for CoD2 in the far 2006 (http://aluigi.org/patches/cod2vawo.lpatch). So in CoD4 an attacker which has joined the server can exploit this vulnerability through the sending of a command longer than 1024 bytes causing the immediate termination of the server. UPDATE 07 Jul 2010: It's NOT needed to join the server for exploiting this bug, indeed it's enough to send a getchallenge packet with a long hash: yyyygetchallenge 0 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa...1025...aaa Only the LAN server aren't affected by this way because they don't read that part of the packet. ----------------------------------- B] "callvote map" Denial of Service ----------------------------------- The "callvote map" buffer-overflow is an old problem which was reported to me by Sindre Dahl in the 2006 affecting all the CoD1 and CoD2 servers (http://aluigi.org/adv/codmapbof-adv.txt) This vulnerability affects also CoD4 altough with some differences: the name of the map needed to exploit this bug must be long at least 248 bytes and doesn't seem to exist a concrete way to control the code flow, so the only effect is the crash of the server and not code execution as for the other two games. The callvote command works when in a server there are at least two players (if the server is empty the needed one can be a fake player generated with "q3fill -1") and the vote must pass. For some unknown reasons in my tests was necessary to launch callvote two times for exploiting the bug. For both the vulnerabilities the attacker must join the server so if it's protected by password he must know the right keyword and his IP/guid/cdkey must be not banned. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/cod4vamap.zip copy the files in the "main" folder of CoD4 and then type A] /exec cod4va getchallenge way: http://aluigi.org/testz/udpsz.zip udpsz -c "\xff\xff\xff\xffgetchallenge 0 " -b a SERVER PORT 2000 B] /exec cod4map ####################################################################### ====== 4) Fix ====== No fix. #######################################################################