#######################################################################

Luigi Auriemma

Application:  Hired Team: Trial
              http://eng.nmg.ru/rubrs.asp?rubr_id=165
              and probably also the Shine engine on which it is based
              http://www.3dengine.ru/index.asp?id=4
Versions:     Hired Team <= 2.0 / 2.200
              (since this is the only game based on the Shine engine and I
              have received no reply from the vendor, I cannot confirm
              whether the whole engine is affected, nor which versions of it)
Platforms:    Windows
Bugs:         A] in-game format string
              B] match interruption through malformed packet
              C] status and kick problems
Exploitation: remote
              A] versus server (in-game)
              B] versus server
              C] versus server and players (in-game)
Date:         15 November 2004
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Hired Team is a nice FPS game developed by New Media Generation
(http://eng.nmg.ru) and released at the end of 2000.
It seems to be the only game based on the Shine engine (created by the
same developers), so I cannot compare the bugs found in this game with
other games built on the same engine to learn their "real nature", or
whether the engine has been modified since 2001.

#######################################################################

=======
2) Bugs
=======

------------------------
A] in-game format string
------------------------

The game console is affected by a format string bug.
An attacker can join a server (the game has no password support, so
anyone can enter) and crash it, or execute malicious code, simply by
sending a chat message containing format directives (the classic
%n%n%n).
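The pattern behind the console bug above, as an added example that is not
code from this advisory or from the Shine engine: the unknown-command
report splices user input into the string that is then used as the format.
The function names, the buffer size and the sample inputs are assumptions
made for this illustration; the real engine code is not available here.

```c
/* Added example (not from the advisory or the Shine engine): the console
 * format string bug class from section 2A, the vulnerable pattern beside
 * its fix, plus a detection helper. All names and sizes are assumed. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define CONSOLE_LINE 256   /* assumed console line size */

/* Thin wrapper so both handlers below go through one vsnprintf call.
 * It has no format attribute, so the compiler does not flag the misuse
 * in report_unknown_vuln: exactly the situation in a game engine's own
 * console logging layer. */
static int console_printf(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Vulnerable: the user-typed command is first spliced into a message and
 * that message is then used as the format string. "%x" makes vsnprintf
 * read a word it was never given and print it (the Unknown command
 * "1015c888" seen on the page); "%n" writes to memory instead. */
int report_unknown_vuln(char *out, size_t n, const char *cmd)
{
    char fmt[CONSOLE_LINE];
    snprintf(fmt, sizeof fmt, "Unknown command \"%s\"", cmd);
    return console_printf(out, n, fmt);    /* user data is the format */
}

/* Fixed: the format string is a literal and the command is only ever
 * an argument, so its '%' characters are copied, never interpreted. */
int report_unknown_fixed(char *out, size_t n, const char *cmd)
{
    return console_printf(out, n, "Unknown command \"%s\"", cmd);
}

/* Detection helper: count '%' characters that would start a conversion,
 * treating "%%" as a literal percent. Handy for flagging console or chat
 * lines in server logs; it is not a substitute for the fix above. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent, skip both */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    char out[CONSOLE_LINE];

    /* "%%" is the one directive both paths handle without undefined
     * behaviour, and it still shows the difference: the vulnerable path
     * interprets it, the fixed path copies it. */
    report_unknown_vuln(out, sizeof out, "100%%");
    printf("vulnerable: %s\n", out);
    report_unknown_fixed(out, sizeof out, "100%%");
    printf("fixed:      %s\n", out);

    printf("directives in \"say %%n%%n%%n\": %d\n",
           count_format_directives("say %n%n%n"));
    return 0;
}
```

Only the "%%" input is run through the vulnerable path here; feeding it
"%x" or "%n" is undefined behaviour and is what crashes the real server.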
----------------------------------------------
B] match interruption through malformed packet
----------------------------------------------

Each time a new player joins, the server assigns a UDP port to that
player (usually the ports following the server's own, which is 29199 by
default).
If one of these data ports receives a packet containing unexpected
data, the match is interrupted immediately.

---------------------------
C] status and kick problems
---------------------------

While testing this game/engine I also found that if a client uses the
status command, the server crashes immediately.
Another oddity is that any player can kick any other player (the admin
included) without restriction.

#######################################################################

===========
3) The Code
===========

------------------------
A] in-game format string
------------------------

Launch a server and a client, join the server and open the console by
pressing the ~ key. Then type:

  say %n%n%n

The server will crash immediately.

A simpler and faster test is the following: launch the game, select
Console from the main menu and type %x. You will see a message like:

  Unknown command "1015c888"

----------------------------------------------
B] match interruption through malformed packet
----------------------------------------------

Send a packet to UDP port 29200 of the server (or 29220 if you are
testing the demo; it is the data port usually assigned to the admin)
containing any data you want, like hello, asdf or anything else.

---------------------------
C] status and kick problems
---------------------------

When you (the client) are in the server, from the console type:

  status

to crash the server, or

  kick NAME

where NAME is the name of the player you want to kick.

#######################################################################

======
4) Fix
======

No fix. The vendor has not replied to my mails.
Probably the Shine engine and Hired Team: Trial are no longer supported. #######################################################################