####################################################################### Luigi Auriemma Application: Doom 3 engine Games: Doom 3 (http://www.doom3.com) <= 1.3.1 Quake 4 (http://www.quake4game.com) <= 1.4.2 Prey (http://www.prey.com) <= 1.3 Enemy Territory: Quake Wars NOT VULNERABLE Platforms: Windows, Linux and Mac Bug: format string Exploitation: remote, versus servers with Punkbuster enabled Date: 01 Oct 2007 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== The Doom 3 engine (formerly known as id Tech 4) is the latest version of the famous game engine developed by ID Software (http://www.idsoftware.com) and used in some recent games: http://en.wikipedia.org/wiki/Id_Tech_4 ####################################################################### ====== 2) Bug ====== The function which visualizes the strings on the game's console is vulnerable to a format string vulnerability, something similar to snprintf(buff, 1024, string); Usually this is not a problem since the engine uses some functions and tricks to avoid the visualization of the % char like dropping it or inserting a space between it and the subsequent char. But there is a way for bypassing this limitation with also the better advantages of doing it anonymously and with only one single spoofable UDP packet: Punkbuster. When Punkbuster is active on a server (practically almost all the public servers) it visualizes the content of some incoming packets using the game's console. The Punkbuster packets needed for forcing the visualization of a custom string in the console are PB_Y (YPG server) and PB_U (UCON), while in the past was ok to use PB_P too which has been recently made no longer verbose probably due to its abusing attempted by people for spamming servers (which is naturally still possible with the above packets). As already said this is a bug in the Doom 3 engine and affects both dedicated and non-dedicated servers, so NOT a Punkbuster's bug which is used only as a "way" for reaching a zone of the code otherwise unexploitable. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/d3engfspb.zip ####################################################################### ====== 4) Fix ====== No fix. No reply from the developers. UPDATE 4 Oct 2007 Punkbuster has released a new version of the anti-cheat which filters the % char passed to the vulnerable function used in the Doom 3 engine for visualizing the strings in the console. This prevents the exploitation of the bug via Punkbuster. #######################################################################