#######################################################################

Luigi Auriemma

Application:  IGI 2: Covert Strike
              http://www.igi2-game.com
Versions:     <= 1.3
Platforms:    Windows and Linux
Bugs:         A] nickname format string
              B] invalid memory access
              C] messages format string
Exploitation: remote, versus server and clients (in-game)
Date:         14 Apr 2005
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


IGI 2 is a tactical stealth-based FPS game developed by Innerloop
(http://www.innerloop.com) and published by Codemasters
(http://www.codemasters.com). It was released in February 2003.


#######################################################################

=======
2) Bugs
=======


All the bugs are in-game, so the attacker must join the server to
exploit them:


-------------------------
A] nickname format string
-------------------------

The server is affected by a format string bug when it handles the
players' nicknames: the nickname is passed to a printf-like function
as the format string instead of as an argument.

Update: this bug is the same as the one in the advisory:
http://aluigi.org/adv/igi2fs-adv.txt


------------------------
B] invalid memory access
------------------------

Using a big nickname it is possible to crash the server due to an
access to an invalid memory zone. The instruction executed is
"cmp [EAX], 00000000", where EAX contains 4 of the bytes of the
nickname, so the attacker controls the address that is read.


-------------------------
C] messages format string
-------------------------

Another format string, but this time affecting only the clients.
It is possible to send an in-game message containing format
specifiers, and since the server relays it to everyone, all the
clients connected to the server can be exploited at once.


The game seems very prone to format string vulnerabilities, so it is
possible that other similar bugs exist in it, or other ways to reach
the vulnerable functions (for example, one year ago I reported a
format string bug in the handling of RCON commands:
http://aluigi.org/adv/igi2fs-adv.txt), but I think that these are
enough.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/igi2bugs.zip


#######################################################################

======
4) Fix
======


No fix.
The game is no longer supported.


#######################################################################
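The following C program is an added example written for this page; it is not code from IGI 2, from the advisory, or from the proof of concept linked in section 3, and the game's real nickname length limit and message handlers are not known, so NICK_MAX and the function names are assumptions. It shows the bug class behind A] and C] (untrusted text used as the format string, shown commented out) beside the hardened form (text passed as a "%s" argument), plus the kind of server-side check a practitioner would add in front of nickname handling: a length bound against the oversized-nickname crash of B] and a specifier count against A] and C]. The sample nicknames are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed limit for this example; the game's real limit is not stated. */
#define NICK_MAX 32

typedef enum { NICK_OK = 0, NICK_TOO_LONG = 1, NICK_HAS_FORMAT = 2 } nick_status;

/* Vulnerable pattern behind bugs A] and C]: attacker-controlled text is used
 * as the format string itself, so "%x" leaks stack words and "%n" writes to
 * memory. Left commented out on purpose, since calling it with untrusted
 * input is undefined behaviour:
 *
 *   static void log_join_vulnerable(const char *nick) { printf(nick); }
 */

/* Hardened form: the untrusted text is always an argument, never the format.
 * Returns the length the full message would need (snprintf semantics), so a
 * caller can also detect truncation. */
int format_join_message(char *out, size_t outsz, const char *nick)
{
    return snprintf(out, outsz, "%s joined the game", nick);
}

/* Count printf-style conversion specifiers in an untrusted string.
 * "%%" is a literal percent sign and is not counted. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent, skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Length bounded by max, so a name that is not terminated within the limit
 * is still handled safely. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t i = 0;
    while (i < max && s[i] != '\0')
        i++;
    return i;
}

/* Check to run before a nickname reaches any logging or display code:
 * reject overlong names (the B] crash class) and names carrying conversion
 * specifiers (the A] and C] class). This is defence in depth only; the
 * format string passed to printf-like functions must still be a constant. */
nick_status validate_nickname(const char *nick)
{
    if (bounded_len(nick, NICK_MAX + 1) > NICK_MAX)
        return NICK_TOO_LONG;
    if (count_conversions(nick) > 0)
        return NICK_HAS_FORMAT;
    return NICK_OK;
}

int main(void)
{
    /* Constructed sample nicknames, not captured from the game. */
    char longnick[NICK_MAX + 8];
    char msg[64];
    memset(longnick, 'A', sizeof longnick - 1);
    longnick[sizeof longnick - 1] = '\0';

    const char *samples[] = { "Player1", "%x%x%x%n", longnick };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("nick %-12.12s -> status %d, conversions %d\n",
               samples[i], (int)validate_nickname(samples[i]),
               count_conversions(samples[i]));
    }

    /* Even if validation were bypassed, the hardened formatter keeps the
     * specifiers inert: they are copied as plain text. */
    format_join_message(msg, sizeof msg, "%x%x%x%n");
    printf("%s\n", msg);
    return 0;
}
```

The point of keeping both functions is that the specifier filter alone is not a fix: a client that strips "%" could be replaced by a custom one, and other fields (the in-game messages of C]) would need the same filter. Passing the data as an argument removes the bug class regardless of what the attacker sends; the filter only limits the log noise and the oversized-name case.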