SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Game)  >  LithTech Engine Vendors:  LithTech, Inc.
LithTech Engine Format String Bug Lets Remote Users Crash the Game Server
SecurityTracker Alert ID:  1012098
SecurityTracker URL:  http://securitytracker.com/id?1012098
CVE Reference:  GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Nov 5 2004
Impact:  Denial of service via network
Exploit Included:  Yes  
Description:  Luigi Auriemma reported a format string vulnerability in the LithTech Engine, used by many game software titles. A remote user can cause the game server to crash.

The method required to trigger the format string flaw may vary, depending on the game software using the engine. In some cases, authentication is required.

A remote user may be able to send a nickname or other message contain format string specifiers (e.g., '%n%n%n') to trigger the flaw and, in some cases, cause the target game service to crash.

Many games are affected, including the following:

Alien vs Predator 2 <= 1.0.9.6
Blood 2 <= 2.1
Contract Jack <= 1.1
Global Operations <= 2.0/2.1
Kiss Psycho Circus <= 1.13
Legends of Might and Magic <= 1.1
No one lives forever <= 1.004
No one lives forever 2 <= 1.3
Purge Jihad <= 2.2.1
Sanity <= 1.0?
Shogo <= 2.2
Tron 2.0 <= 1.042
Impact:  A remote user can cause the target game server to crash.
Solution:  No solution was available at the time of this entry.

Of the affected games, Pure Jihad has implemented a fix in version 2.2.2.
Vendor URL:  www.lithtech.com/ (Links to External Site)
Cause:  Input validation error, State error
Underlying OS:  Windows (Any)
Reported By:  Luigi Auriemma <aluigi@autistici.org>
Message History:   None.

 Source Message Contents
Date:  Fri, 5 Nov 2004 18:04:52 +0000
From:  Luigi Auriemma <aluigi@autistici.org>
Subject:  In-game format string bug in the Lithtech engine

 
 
 
#######################################################################
 
                             Luigi Auriemma
 
Application:  Lithtech engine
              http://www.lithtech.com
Games:        Alien vs Predator 2                            <= 1.0.9.6
              Blood 2                                            <= 2.1
              Contract Jack                                      <= 1.1
              Global Operations                              <= 2.0/2.1
              Kiss Psycho Circus                                <= 1.13
              Legends of Might and Magic                         <= 1.1
              No one lives forever                             <= 1.004
              No one lives forever 2                             <= 1.3
              Purge Jihad                                      <= 2.2.1
              Sanity                                            <= 1.0?
              Shogo                                              <= 2.2
              Tron 2.0                                         <= 1.042
              others...
Platforms:    Windows
Bug:          format string
Exploitation: remote, versus server (in-game)
Date:         05 November 2004
Author:       Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org
 
 
#######################################################################
 
 
1) Introduction
2) Bug
3) The Code
4) Fix
 
 
#######################################################################
 
===============
1) Introduction
===============
 
 
Lithtech is the famous game engine developed by Monolith
(http://www.lith.com) and used by many games.
 
 
#######################################################################
 
======
2) Bug
======
 
 
The Lithtech engine (any version) is affected by some format string
bugs.
Exploiting these bugs "depends by the game" however the most easy and
common method is through the sending of messages or the usage of a
nickname containing the format arguments (like the classical %n%n%n).
 
The only exceptions in the usage of these 2 methods are that in some
games the nickname method causes the crash of the same attacker while
in others (just a couple of games) the message method works only when
the server is dedicated.
 
This is an in-game bug so the attacker needs to enter in the server (if
it is protected by password, he must know the correct keyword).
 
 
#######################################################################
 
===========
3) The Code
===========
 
 
Launch the server and send a message containing %n%n%n.
The server should crash immediately.
For a better test is preferable to join with a client and send the same
message or (if fails) use a nickname with the same text.
 
 
#######################################################################
 
======
4) Fix
======
 
 
No fix.
Monolith is unreacheable, after tons of mails sent for over one month I
have received no reply.
 
The only game actually patched is Purge Jihad from version 2.2.2, only
because I know the developers and so I have been able to alert them and
they have fixed the bug filtering the client's data.
The "filtering" solution could be used also by other developers if the
engine will not be fixed by Monolith.
 
 
#######################################################################
 
 
--- 
Luigi Auriemma
http://aluigi.altervista.org


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2004, SecurityGlobal.net LLC