[cod] Cod WW: 1024 bytes Command Exploit

Georgecooldude georgecooldude at gmail.com
Sat Jan 24 18:27:23 EST 2009


All the more reason this should be fixed by the COD5 dev team. I'm sure I
recall some mails about this or a similar issue ages ago.



On Sat, Jan 24, 2009 at 10:42 PM, MikeTNT <MikeTNT at gmx.de> wrote:

> Thank you so much that you send such information in a non public mailing
> list like icculus.org
> Now all admins over the world can be sure that nobody will copy your string
> and try it out. :-(
>
>
>
> ----- Original Message -----
> *From:* Jumping Jack Flash <jumping.cod at gmail.com>
> *To:* cod at icculus.org
> *Sent:* Saturday, January 24, 2009 9:53 PM
> *Subject:* [cod] Cod WW: 1024 bytes Command Exploit
>
> Hi guys, every day my cod5 server falls down because of this error: Attempted to
> overrun string in call to va()
> I've found some information about it:
>
> "va() is a function of the Quake 3 engine used to quickly build strings
> using snprintf and a static destination buffer.
> If the generated string is longer than the available buffer the server
> shows an "Attempted to overrun string in call to va()" error and
> terminates.
> From Call of Duty 2 (and consequently) the size of this buffer has
> been reduced from the original 32000 bytes to only 1024 causing many
> problems to the admins.
>
> So in CoD5 an attacker which has joined the server can exploit this
> vulnerability through the sending of a command longer than 1024 bytes
> causing the immediate termination of the server."
>
> I tried it, and it works. If you send this command to the server, it will crash:
>
> cmd I'mwithstupidsI'mwithstupidsI'mwithstupidsI'mwithstupidsI'mwithstupidsI'mwithstupidsI'mwithstupidsI'mwithstupidsI'mwithstupidsI'mwithstupidsI'mwithstupidsI'mwithstupidsI'mwithstupidsI'mwithstupidsI'mwithstupidsv
>
> I tested it on different servers; on some it worked, on others it didn't... Does anybody know a solution for this exploit?
>
> Thanks, and sorry for my English :P
>
> JuMp!nG
>
>
>
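
Added example, not part of the original thread and not code from the game or engine: a simplified C model of the va() behaviour described in the quoted advisory, beside a handler that bounds client text before formatting so that an oversized command is dropped instead of ending the server process. `va_model`, the handler names, the `client %d: %s` format and the 512-byte `MAX_CLIENT_CMD` limit are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define VA_BUF_SIZE    1024  /* buffer size the post gives for CoD2 and later */
#define MAX_CLIENT_CMD 512   /* assumed per-command limit, leaves room for the prefix */
enum cmd_result { CMD_OK, CMD_DROPPED, CMD_FATAL };

/* Simplified va()-style model (not engine code): formats into one static buffer.
   Returns NULL where the server in the post raises its fatal overrun error. */
static const char *va_model(const char *fmt, ...)
{
    static char buf[VA_BUF_SIZE];
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    return (n < 0 || (size_t)n >= sizeof buf) ? NULL : buf;
}

/* Unchecked path: client-controlled text goes straight to the formatter. */
enum cmd_result handle_unchecked(int client, const char *text)
{
    return va_model("client %d: %s", client, text) ? CMD_OK : CMD_FATAL;
}

/* Checked path: bound the untrusted text first and drop only that command. */
enum cmd_result handle_checked(int client, const char *text)
{
    size_t len = 0;
    while (len <= MAX_CLIENT_CMD && text[len] != '\0') len++;  /* bounded scan */
    if (len > MAX_CLIENT_CMD) return CMD_DROPPED;
    return va_model("client %d: %s", client, text) ? CMD_OK : CMD_FATAL;
}

/* Runs a handler on a constructed 2000-byte command (sample input). */
enum cmd_result run_oversized(enum cmd_result (*handler)(int, const char *))
{
    char text[2001];
    memset(text, 'A', sizeof text - 1);
    text[sizeof text - 1] = '\0';
    return handler(1, text);
}

int main(void)
{
    printf("unchecked=%d checked=%d normal=%d\n", run_oversized(handle_unchecked),
           run_oversized(handle_checked), handle_checked(1, "say hello"));
    return 0;
}
```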