#######################################################################

                             Luigi Auriemma

Application:  Torque Game Engine
              http://www.torquepowered.com
Versions:     the exact version of the engine is not clear: the latest
              Torque Builder is 1.7.5 while Torque 3D is 1.0.1 (with 1.1
              in development) or "Torque 3D SDK 2010", and I have not
              found better resources (even the changelog is chaotic), so
              use the date of this advisory as the reference
Platforms:    Windows, Linux, Mac OSX, iPhone, Xbox 360, Wii
Bugs:         A] invalid memory access through too many arguments
              B] possible vulnerability 1
              C] possible vulnerability 2
              D] possible vulnerability 3
              E] possible vulnerability 4
              F] possible vulnerability 5
Exploitation: remote, versus server
Date:         09 May 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

The Torque Game Engine (aka TGE) is a well-known and widespread 3D game
engine developed by Dynamix, the same developers who created the famous
Tribes series.
Thanks to its relatively low price and its quality the engine is used in
a lot of games (commercial, indie and free):

  http://www.torquepowered.com/games/
  http://www.torquepowered.com/best-of-torque/torque-3d
  http://www.torquepowered.com/best-of-torque/torque-2d

#######################################################################

=======
2) Bugs
=======

Due to the complexity of the engine (tons of bitstream fields and
different effects in the various games) I have not researched the
problems in detail, so, except for the first bug, I have listed only the
state of the code at the moment of the exception in the "FPS Example"
game, an example project included in the SDK demo that I used as
reference.
While the first bug happens in any game, the same is not true of the
other "possible vulnerability" problems: a game may be vulnerable to all
of them (FPS Example and PhysX), only to some of them (3D RC Racing) or
to none of them (the majority of the tested games, like Legends,
BurgerWarz and Singularity). The effects may differ from game to game in
the same way, so this advisory refers ONLY to bug A!

---------------------------------------------------
A] invalid memory access through too many arguments
---------------------------------------------------

The Torque engine has a field in the ConnectRequest packet in which the
client specifies how many arguments it wants to pass, the first of which
is the nickname.
The engine enforces a limit of max 16 arguments and correctly drops the
client if it specifies more arguments than supported:

  stream->read(&mConnectArgc);
  if(mConnectArgc > MaxConnectArgs)   // unsigned check, so correct
  {
     *errorString = "CR_INVALID_ARGS";
     return false;
  }
  const char *connectArgv[MaxConnectArgs + 3];
  for(U32 i = 0; i < mConnectArgc; i++)
  ...

And in netInterface.cc there is the following code:

  const char *errorString = NULL;
  if(!conn->readConnectRequest(stream, &errorString))  // the function called above
  {
     sendConnectReject(conn, errorString);
     conn->deleteObject();
     return;
  }

The problem is that, when the client specifies a big number of
arguments, the server crashes inside the call to "conn->deleteObject()"
which frees the allocated object (in "FPS Example" the exception indeed
happens in RtlFreeHeap). Note that mConnectArgc is written into the
connection object before the limit is checked, so the rejected value is
still stored in the object when it gets destroyed.
It does not seem possible to obtain anything worse than the crash from
this vulnerability.
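The following C model is an added example, not Torque's code or part of the original advisory. It reproduces the ordering quoted above (the count is stored in the object before it is validated) beside a hardened variant that commits the count only after the entries it describes have really been allocated. The byte-stream encoding, the struct, the function names and the packets are all constructed for the example; in particular the idea that the object's destructor frees argv[i] for every i below the stored count is an assumption about the engine, chosen because it is consistent with the RtlFreeHeap fault the advisory reports, and is not quoted from Torque's sources.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CONNECT_ARGS 16   /* same limit as Torque's MaxConnectArgs */

/* Minimal byte stream standing in for Torque's BitStream (constructed for
 * this example; the real engine uses a bit-packed encoding). */
typedef struct { const uint8_t *p; size_t len, pos; } Stream;

static int read_u32(Stream *s, uint32_t *out) {
    if (s->len - s->pos < 4) return 0;
    *out = (uint32_t)s->p[s->pos] | (uint32_t)s->p[s->pos + 1] << 8 |
           (uint32_t)s->p[s->pos + 2] << 16 | (uint32_t)s->p[s->pos + 3] << 24;
    s->pos += 4;
    return 1;
}

/* Strings are 1-byte-length-prefixed here (constructed encoding). */
static int read_string(Stream *s, char *buf, size_t cap) {
    if (s->pos >= s->len) return 0;
    size_t n = s->p[s->pos++];
    if (n >= cap || s->len - s->pos < n) return 0;
    memcpy(buf, s->p + s->pos, n);
    buf[n] = '\0';
    s->pos += n;
    return 1;
}

static char *dup_string(const char *s) {
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d) memcpy(d, s, n);
    return d;
}

typedef struct {
    uint32_t argc;                  /* number of entries the destructor trusts */
    char *argv[MAX_CONNECT_ARGS];   /* only this many slots exist */
} Conn;

static void conn_init(Conn *c) { memset(c, 0, sizeof *c); }

/* Same ordering as the snippet quoted in the advisory: the count goes straight
 * into the object, the limit check fires afterwards, and on rejection argc is
 * left at the attacker's value while argv has only 16 slots. */
static int read_connect_request_vuln(Conn *c, Stream *s, const char **err) {
    if (!read_u32(s, &c->argc) || c->argc > MAX_CONNECT_ARGS) {
        *err = "CR_INVALID_ARGS";
        return 0;
    }
    for (uint32_t i = 0; i < c->argc; i++) {
        char arg[256];
        if (!read_string(s, arg, sizeof arg)) { *err = "CR_INVALID_ARGS"; return 0; }
        c->argv[i] = dup_string(arg);
    }
    return 1;
}

/* Hardened variant: parse into a local and let argc count only the entries
 * that were really allocated, so a rejected request leaves a clean object. */
static int read_connect_request_fixed(Conn *c, Stream *s, const char **err) {
    uint32_t argc;
    c->argc = 0;
    if (!read_u32(s, &argc) || argc > MAX_CONNECT_ARGS) {
        *err = "CR_INVALID_ARGS";
        return 0;
    }
    for (uint32_t i = 0; i < argc; i++) {
        char arg[256];
        if (!read_string(s, arg, sizeof arg)) { *err = "CR_INVALID_ARGS"; return 0; }
        c->argv[i] = dup_string(arg);
        c->argc = i + 1;
    }
    return 1;
}

/* How many free() calls a destructor of the form
 *     for (i = 0; i < argc; i++) free(argv[i]);
 * would issue (assumed destructor shape, see the lead-in). Anything above
 * MAX_CONNECT_ARGS walks past the array and frees garbage pointers. Returned
 * instead of executed so the bad state can be inspected without crashing. */
static uint32_t destructor_free_count(const Conn *c) { return c->argc; }

/* Bounded release used by this example so it always runs to completion. */
static void conn_destroy(Conn *c) {
    uint32_t n = c->argc < MAX_CONNECT_ARGS ? c->argc : MAX_CONNECT_ARGS;
    for (uint32_t i = 0; i < n; i++) free(c->argv[i]);
    conn_init(c);
}

/* Constructed packets: a benign request carrying two arguments, and one whose
 * count field is 0x40000000 (little-endian). */
static const uint8_t GOOD_PKT[] = { 2,0,0,0, 5,'a','l','i','c','e', 3,'f','o','o' };
static const uint8_t EVIL_PKT[] = { 0,0,0,0x40 };

static int run(int (*parse)(Conn *, Stream *, const char **),
               const uint8_t *pkt, size_t len, Conn *c) {
    Stream s = { pkt, len, 0 };
    const char *err = NULL;
    conn_init(c);
    return parse(c, &s, &err);
}

int main(void) {
    Conn c;
    run(read_connect_request_vuln, EVIL_PKT, sizeof EVIL_PKT, &c);
    printf("vulnerable: rejected, destructor would free %u of %d slots\n",
           destructor_free_count(&c), MAX_CONNECT_ARGS);
    conn_destroy(&c);
    run(read_connect_request_fixed, EVIL_PKT, sizeof EVIL_PKT, &c);
    printf("fixed:      rejected, destructor would free %u of %d slots\n",
           destructor_free_count(&c), MAX_CONNECT_ARGS);
    conn_destroy(&c);
    return 0;
}
```

The check itself is the same in both versions, so the bug is not in the comparison but in what the rejected object carries into its destructor; the fix is therefore to never let a value that failed validation become part of the object's state.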
---------------------------
B] possible vulnerability 1
---------------------------

  EAX=00000001
  100954B4   8A08             MOV CL,BYTE PTR DS:[EAX]
  100954B6   40               INC EAX
  100954B7   84C9             TEST CL,CL
  100954B9  ^75 F9            JNZ SHORT FPS_Ex_1.100954B4
  100954BB   BF 38C37910      MOV EDI,FPS_Ex_1.1079C338    ; ASCII "serverCmd"

A strlen-style loop walking a string pointer whose value is 1; the
reference to the "serverCmd" string right after it suggests the fault is
in the path that dispatches the commands sent by the client.

---------------------------
C] possible vulnerability 2
---------------------------

  ECX=00000000
  1025CF52   8B3C81           MOV EDI,DWORD PTR DS:[ECX+EAX*4]
  1025CF55   8B56 18          MOV EDX,DWORD PTR DS:[ESI+18]
  1025CF58   8D46 1C          LEA EAX,DWORD PTR DS:[ESI+1C]
  1025CF5B   50               PUSH EAX

---------------------------
D] possible vulnerability 3
---------------------------

  ECX=00000000
  100DE3A5   D919             FSTP DWORD PTR DS:[ECX]
  100DE3A7   59               POP ECX
  100DE3A8   C2 0400          RETN 4

---------------------------
E] possible vulnerability 4
---------------------------

  ECX=00000000
  10045CF0   D981 C0000000    FLD DWORD PTR DS:[ECX+C0]
  10045CF6   83EC 08          SUB ESP,8
  10045CF9   D95C24 04        FSTP DWORD PTR SS:[ESP+4]

---------------------------
F] possible vulnerability 5
---------------------------

  EAX=00000000
  10291F2A   8B0488           MOV EAX,DWORD PTR DS:[EAX+ECX*4]
  10291F2D   C2 0400          RETN 4

In bugs C, D, E and F the faulting instruction reads or writes through a
NULL base pointer (ECX or EAX is zero), so the observed effect is a
crash of the server; whether anything more than a denial of service is
reachable has not been investigated, hence "possible vulnerability".

Note that the attacker must be able to join the server to exploit these
vulnerabilities, so if the server is protected by a password he must
know the right keyword. Bug A also works when the server is full.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/torqueer.zip

#######################################################################

======
4) Fix
======

No fix.

#######################################################################