[cod] [Fwd: [Full-Disclosure] Broadcast shutdown in Call of Duty 1.4]

John Kennington gadruid at bellsouth.net
Tue Sep 7 20:17:02 EDT 2004


Christopher Kunz wrote:

> Hi everybody,
>
> just a quick "heads up" that Luigi has posted the CoD crashbug to 
> Bugtraq yesterday, so if you didn't get around to patching your 
> servers, you know what to do tonight ;)
>
> --ck
>
> ------------------------------------------------------------------------
>
> Subject:
> [Full-Disclosure] Broadcast shutdown in Call of Duty 1.4
> From:
> Luigi Auriemma <aluigi at autistici.org>
> Date:
> Sun, 5 Sep 2004 17:02:06 +0000
> To:
> bugtraq at securityfocus.com, bugs at securitytracker.com, 
> news at securiteam.com, full-disclosure at lists.netsys.com
>
>
>#######################################################################
>
>                             Luigi Auriemma
>
>Application:  Call of Duty
>              http://www.callofduty.com
>Versions:     <= 1.4
>Platforms:    Windows and Linux
>Bug:          Denial of Service
>Risk:         high
>Exploitation: remote, versus servers and clients (broadcast)
>Date:         05 September 2004
>Author:       Luigi Auriemma
>              e-mail: aluigi at altervista.org
>              web:    http://aluigi.altervista.org
>
>
>#######################################################################
>
>
>1) Introduction
>2) Bug
>3) The Code
>4) Fix
>
>
>#######################################################################
>
>===============
>1) Introduction
>===============
>
>
>Call of Duty is the famous military FPS game developed by Infinity Ward
>(http://www.infinityward.com) and released in October 2003.
>
>An interesting note is that this security bug was already known by some
>people since the release of my recent Medal of Honor buffer-overflow
>(17 July 2004), in fact the same proof-of-concept works perfectly with
>Call of Duty too.
>
>
>#######################################################################
>
>======
>2) Bug
>======
>
>
>The game uses some anti-buffer-overflow checks that automatically
>shut down the game if they find an input that is too big.
>
>The result is that a query or a reply containing over 1024 chars is
>able to exploit this protection causing the immediate stop of the game.
>
>Both servers and clients are vulnerable and the major problem is just
>for clients because a single malicious server is able to passively stop
>any client in the world so nobody can play online.
>
>
>#######################################################################
>
>===========
>3) The Code
>===========
>
>
>http://aluigi.altervista.org/poc/codboom.zip
>
>
>#######################################################################
>
>======
>4) Fix
>======
>
>
>Only the official patch for the Linux version is available (since some
>weeks) and can be downloaded here:
>
>  http://www.icculus.org/betas/cod/
>
>The Windows patch is not available and "probably" will be released at
>the end of September.
>
>In the meantime I have written an unofficial fix just for the 1.4 Win32
>version of the game, which is able to patch both clients and servers
>because the function is the same:
>
>  http://aluigi.altervista.org/patches/cod-14-fix.zip
>
>
>#######################################################################
>
>
>--- 
>Luigi Auriemma
>http://aluigi.altervista.org
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
>  
>
Will there be a patch for 1.1?  We got this last night:

********************
ERROR: Info string length exceeded
key: 'protocol'
value: '1'
Info string:
\challenge\aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

********************
----- Server Shutdown -----
Sending heartbeat to codmaster.activision.com
Sending heartbeat to master0.gamespy.com
==== ShutdownGame ====
---------------------------

-- 
____________________
John Kennington
"....waiting on the pier 'till Charon comes...."
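
The failure mode reported in this thread, as an added example that is not part of the original posts and is not the game's code: a length check that ends the process on an oversized info string, next to one that discards only the offending packet. The names `handle_info_packet`, `info_append` and `enum policy` are hypothetical; the 1024 limit comes from the advisory, and appending `protocol`=`1` mirrors the key and value in the posted log.

```c
#include <stdio.h>
#include <string.h>

#define MAX_INFO_STRING 1024      /* from the advisory: "over 1024 chars" */
enum policy { FATAL_ON_OVERSIZE, DROP_ON_OVERSIZE };

static int server_running = 1;    /* stand-in for the game process */
static unsigned dropped_packets;  /* counter an operator could alert on */

/* Append \key\value; return 0 on success, -1 (nothing written) if no room. */
static int info_append(char *info, size_t cap, const char *key, const char *val)
{
    size_t used = strlen(info);
    size_t need = strlen(key) + strlen(val) + 2;   /* two '\' separators */
    if (need >= cap - used)
        return -1;
    snprintf(info + used, cap - used, "\\%s\\%s", key, val);
    return 0;
}

/* Handle one info string from the network. Returns 1 if accepted, 0 if not. */
int handle_info_packet(const char *net_info, size_t len, enum policy p)
{
    char info[MAX_INFO_STRING] = "";
    int ok = len < sizeof info;   /* reject before copying anything */
    if (ok) {
        memcpy(info, net_info, len);
        info[len] = '\0';
        ok = info_append(info, sizeof info, "protocol", "1") == 0;
    }
    if (ok)
        return 1;
    if (p == FATAL_ON_OVERSIZE)
        server_running = 0;       /* one bad packet stops the game for everyone */
    else
        dropped_packets++;        /* discard this packet only, keep serving */
    return 0;
}

int main(void)
{
    char big[1100];               /* constructed oversized input */
    memset(big, 'a', sizeof big);
    memcpy(big, "\\challenge\\", 11);
    handle_info_packet(big, sizeof big, DROP_ON_OVERSIZE);
    printf("running=%d dropped=%u\n", server_running, dropped_packets);
    return 0;
}
```

Both policies prevent the overflow; only the drop policy keeps a remote sender from turning the check into a shutdown.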