#######################################################################

Luigi Auriemma

Application:  IGI 2: Covert Strike
              http://www.igi2-game.com
Versions:     <= 1.3
Platforms:    Windows, Linux
Bug:          format string bug
Exploitation: remote, versus server
Date:         05 Apr 2004
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

IGI 2 is a tactical FPS game developed by Innerloop (http://www.innerloop.com) and published by Codemasters (http://www.codemasters.com). It was released in February 2003.

#######################################################################

======
2) Bug
======

The IGI 2 server is affected by a format string bug in the logging function for RCON commands. These commands are used by administrators to manage their servers. The function exists in both dedicated and normal (non-dedicated) servers and cannot be disabled.

A practical example of the bug "in action" is the following:

- the attacker sends:
  /hello-%08x.%08x.%08x.%08x

- the server logs:
  [17:17:28] Consoled: 'hello-082aeefc.00000131.0061b64c.00000011' run from 192.168.0.3:32768

Update:
The bug is caused by the logging function NetManager_LogMessage which takes the text to dump, adds a timestamp (using snprintf) and then passes the whole string to the function File_printf without the needed format argument (%s).

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/igi2fs.zip

#######################################################################

======
4) Fix
======

No fix. No response from the developers.

Update:
http://aluigi.org/patches/igi2fsfix.lpatch
http://aluigi.org/patches/igi2fsfix_linux.lpatch

#######################################################################
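As an added example (not part of the advisory or of the game's own code), the logging pattern described in section 2 in its hardened form, plus a helper a defender can use to flag RCON input carrying printf directives; the function names, buffer size and sample probe string are assumptions:

```c
#include <stdio.h>
#include <string.h>

/* Hardened re-implementation of the logging step the advisory describes.
   The real NetManager_LogMessage / File_printf are not available; these
   names and LOG_LINE_MAX are assumptions for illustration only. */
#define LOG_LINE_MAX 512

/* The vulnerable pattern (shown for contrast, never executed here):
       snprintf(line, sizeof line, "[%s] %s", stamp, text);
       File_printf(f, line);   // 'line' (attacker text) becomes the format */

/* Fixed: the untrusted text is consumed by %s as data, so any '%' in it is
   copied verbatim and never interpreted. Returns -1 on truncation. */
int log_message_safe(char *out, size_t outlen, const char *stamp, const char *text)
{
    int n = snprintf(out, outlen, "[%s] %s", stamp, text);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return n;
}

/* Same fix applied at the sink: never pass a built line as the format. */
int file_printf_safe(FILE *f, const char *line)
{
    return fputs(line, f) == EOF ? -1 : 0;   /* equivalent: fprintf(f, "%s", line) */
}

/* Detection helper: count printf conversion directives in an RCON command
   so a monitoring rule can flag probes like the %08x chain in section 2.
   A literal "%%" is not a directive and is skipped. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        if (s[1] == '\0') break;
        count++;
    }
    return count;
}

int main(void)
{
    char line[LOG_LINE_MAX];
    const char *probe = "hello-%08x.%08x.%08x.%08x";   /* constructed sample */
    if (log_message_safe(line, sizeof line, "17:17:28", probe) > 0)
        file_printf_safe(stdout, line);
    printf("\ndirectives in probe: %d\n", count_format_directives(probe));
    return 0;
}
```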