[cod] [Fwd: [Full-Disclosure] Broadcast shutdown in Call of Duty 1.4]
John Kennington
gadruid at bellsouth.net
Tue Sep 7 20:17:02 EDT 2004
Christopher Kunz wrote:
> Hi everybody,
>
> just a quick "heads up" that Luigi posted the CoD crashbug to
> Bugtraq yesterday, so if you didn't get around to patching your
> servers, you know what to do tonight ;)
>
> --ck
>
> ------------------------------------------------------------------------
>
> Subject: [Full-Disclosure] Broadcast shutdown in Call of Duty 1.4
> From: Luigi Auriemma <aluigi at autistici.org>
> Date: Sun, 5 Sep 2004 17:02:06 +0000
> To: bugtraq at securityfocus.com, bugs at securitytracker.com,
> news at securiteam.com, full-disclosure at lists.netsys.com
>
>
>#######################################################################
>
> Luigi Auriemma
>
>Application: Call of Duty
> http://www.callofduty.com
>Versions: <= 1.4
>Platforms: Windows and Linux
>Bug: Denial of Service
>Risk: high
>Exploitation: remote, versus servers and clients (broadcast)
>Date: 05 September 2004
>Author: Luigi Auriemma
> e-mail: aluigi at altervista.org
> web: http://aluigi.altervista.org
>
>
>#######################################################################
>
>
>1) Introduction
>2) Bug
>3) The Code
>4) Fix
>
>
>#######################################################################
>
>===============
>1) Introduction
>===============
>
>
>Call of Duty is the famous military FPS game developed by Infinity Ward
>(http://www.infinityward.com) and released in October 2003.
>
>An interesting note is that this security bug was already known by some
>people since the release of my recent Medal of Honor buffer-overflow
>(17 July 2004); in fact the same proof-of-concept works perfectly with
>Call of Duty too.
>
>
>#######################################################################
>
>======
>2) Bug
>======
>
>
>The game uses some anti-buffer-overflow checks that automatically
>shut down the game if they find an input that is too big.
>
>The result is that a query or a reply containing over 1024 chars is
>able to exploit this protection causing the immediate stop of the game.
>
>Both servers and clients are vulnerable and the major problem is just
>for clients because a single malicious server is able to passively stop
>any client in the world so nobody can play online.
>
>
>#######################################################################
>
>===========
>3) The Code
>===========
>
>
>http://aluigi.altervista.org/poc/codboom.zip
>
>
>#######################################################################
>
>======
>4) Fix
>======
>
>
>Only the official patch for the Linux version is available (for some
>weeks now) and can be downloaded here:
>
> http://www.icculus.org/betas/cod/
>
>The Windows patch is not available and "probably" will be released at
>the end of September.
>
>In the meantime I have written an unofficial fix just for the 1.4 Win32
>version of the game, which is able to patch both clients and servers
>because the function is the same:
>
> http://aluigi.altervista.org/patches/cod-14-fix.zip
>
>
>#######################################################################
>
>
>---
>Luigi Auriemma
>http://aluigi.altervista.org
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
>
>
Will there be a patch for 1.1? We got this last night:
********************
ERROR: Info string length exceeded
key: 'protocol'
value: '1'
Info string:
\challenge\aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
********************
----- Server Shutdown -----
Sending heartbeat to codmaster.activision.com
Sending heartbeat to master0.gamespy.com
==== ShutdownGame ====
---------------------------
--
____________________
John Kennington
"....waiting on the pier 'till Charon comes...."
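
Added example, not part of the original messages and not the game's or the patch's code: a length check on a backslash-delimited info string that drops the offending packet instead of stopping the process, which is the failure mode the advisory and the log above describe. The function names, the status enum and the 1010-character field are assumptions made for illustration; only the 1024 limit and the `challenge`/`protocol` keys come from the thread.

```c
#include <stdio.h>
#include <string.h>

#define MAX_INFO_STRING 1024 /* limit the advisory names ("over 1024 chars") */

typedef enum { INFO_OK = 0, INFO_TOO_LONG, INFO_BAD_CHAR } info_status;

/* Append \key\value to info (a buffer of MAX_INFO_STRING bytes).
 * On any error the buffer is left untouched and a status is returned;
 * nothing in this function can terminate the process. */
info_status info_set(char *info, const char *key, const char *value)
{
    const char *end = memchr(info, '\0', MAX_INFO_STRING);
    if (end == NULL)
        return INFO_TOO_LONG;              /* existing string not terminated */
    if (strchr(key, '\\') || strchr(value, '\\'))
        return INFO_BAD_CHAR;              /* separator inside a field */
    size_t cur = (size_t)(end - info);
    size_t need = strlen(key) + strlen(value) + 2;   /* two backslashes */
    if (need >= MAX_INFO_STRING - cur)
        return INFO_TOO_LONG;              /* no room for pair plus NUL */
    snprintf(info + cur, MAX_INFO_STRING - cur, "\\%s\\%s", key, value);
    return INFO_OK;
}

/* Build the reply to one untrusted query that echoes a client-supplied
 * challenge. Returns 1 if a reply was built, 0 if the packet was dropped. */
int build_reply(const char *challenge, char *reply, unsigned *dropped)
{
    reply[0] = '\0';
    if (info_set(reply, "challenge", challenge) != INFO_OK ||
        info_set(reply, "protocol", "1") != INFO_OK) {
        reply[0] = '\0';                   /* discard the partial reply */
        ++*dropped;                        /* count it, log it, keep serving */
        return 0;
    }
    return 1;
}

int main(void)
{
    char reply[MAX_INFO_STRING], big[1011];
    unsigned dropped = 0;
    memset(big, 'a', 1010);                /* constructed oversized field */
    big[1010] = '\0';
    printf("oversized: %d\n", build_reply(big, reply, &dropped));
    printf("normal:    %d -> %s\n", build_reply("xyz", reply, &dropped), reply);
    return 0;
}
```

With the 1010-character field the `challenge` pair still fits and it is the following `protocol` pair that exceeds the limit, the same point at which the logged server reported the error.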