#######################################################################

                             Luigi Auriemma

Application:  Crysis
              http://www.ea.com/crysis/home.jsp
              Crysis Wars / Warhead
              http://crysiswarhead.ea.com
Versions:     Crysis <= 1.21
              Crysis Wars <= 1.5
Platforms:    Windows (the Linux server has not been tested but should
              be vulnerable too)
Bug:          access violation in the HTTP/XML-RPC service
Exploitation: remote, versus server
Date:         20 Jul 2009
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Crysis is a recent FPS game developed by Crytek (http://www.crytek.com)
and released in November 2007. This game is well known for being a
"computer killer" due to its high hardware requirements, but also for
having various problems with cheaters.
Crysis Wars instead is a stand-alone multiplayer expansion and sequel,
also known as Crysis Warhead.

#######################################################################

======
2) Bug
======

Crysis has a small internal HTTP/XML-RPC server which must be activated
with the http_startserver command (manually or through server.cfg) and
allows it to receive the rcon commands, which are very useful and widely
used.
This service works on port 80 if no port is specified, but usually the
admins choose a custom port or just the same port as the game (64087 for
Crysis or 64100 for Crysis Wars); the service is easy to identify due to
the "Bad Request" title visible with a web browser.

The library used for handling these XML-RPC commands has problems in the
handling of requests (any request, even unsupported ones) that carry no
parameters.
In this case the code tries to use an uninitialized pointer which
doesn't seem controllable by the attacker (anyway I can't exclude it
completely):

  MOV EAX,DWORD PTR DS:[ECX]
  MOV EDX,DWORD PTR DS:[EAX+14]      ; access violation
  PUSH cryactio.3075F2A0             ; ASCII "params"
  CALL EDX

The result is the immediate crash of the server.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/crysisviol.txt

  nc SERVER HTTPPORT -v -v < crysisviol.txt

If it has no effect, retry.

#######################################################################

======
4) Fix
======

No fix

#######################################################################
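The advisory's bug section describes an XML-RPC handler that assumes a "params" node is always present and dereferences a pointer that was never set when it is absent. The following added example (not from the advisory and not Crytek's code) shows that pattern in Python beside the hardened form a fixed handler would need: the naive version fails on a call without <params>, the validated version treats a missing <params> as a call with zero arguments, as the XML-RPC spec allows. The method name and request bodies are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample requests (not from the advisory): a call with one
# parameter and a call that omits <params>, which XML-RPC permits.
WELL_FORMED = b"""<?xml version="1.0"?>
<methodCall>
  <methodName>hypothetical.status</methodName>
  <params><param><value><string>ok</string></value></param></params>
</methodCall>"""

NO_PARAMS = b"""<?xml version="1.0"?>
<methodCall><methodName>hypothetical.status</methodName></methodCall>"""


def naive_params(body):
    """Mirrors the buggy pattern: assumes <params> is always present.
    Without it, find() returns None and the attribute access fails,
    the Python analogue of the server's bad pointer dereference."""
    root = ET.fromstring(body)
    return [p.find("value") for p in root.find("params").findall("param")]


def naive_crashes(body):
    """True if the naive handler blows up on this request body."""
    try:
        naive_params(body)
        return False
    except AttributeError:
        return True


def parse_call(body):
    """Hardened version: validate structure before touching child nodes.
    Returns (method_name, [(type_tag, text), ...]); a missing <params>
    means zero arguments. Raises ValueError for a fault response."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        raise ValueError("malformed XML: %s" % exc)
    if root.tag != "methodCall":
        raise ValueError("root element must be <methodCall>")
    name = root.findtext("methodName")
    if not name:
        raise ValueError("missing <methodName>")
    params = root.find("params")
    args = []
    for p in (params.findall("param") if params is not None else []):
        value = p.find("value")
        if value is None:
            raise ValueError("<param> without <value>")
        typed = list(value)  # untyped <value>text</value> is a string
        args.append((typed[0].tag, typed[0].text) if typed else ("string", value.text))
    return name, args
```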