<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.6001.18183" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Thank you so much that you send such information in
a non puplic mailing list like icculus.org</FONT></DIV>
<DIV><FONT face=Arial size=2>Now all admins over the world can be sure that
nobody will copy your string and try it out. :-(</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<BLOCKQUOTE dir=ltr
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=jumping.cod@gmail.com href="mailto:jumping.cod@gmail.com">Jumping
Jack Flash</A> </DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=cod@icculus.org
href="mailto:cod@icculus.org">cod@icculus.org</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Saturday, January 24, 2009 9:53
PM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> [cod] Cod WW: 1024 bytes Command
Exploit</DIV>
<DIV><FONT face=Arial size=2></FONT><FONT face=Arial size=2></FONT><FONT
face=Arial size=2></FONT><BR></DIV>Hi guys, every day my cod5 server fall down
cause this error: <SPAN class=Apple-style-span
style="FONT-SIZE: 16px; WHITE-SPACE: pre">Attempted to overrun string in call
to va()</SPAN>
<DIV><SPAN class=Apple-style-span
style="FONT-SIZE: 16px; WHITE-SPACE: pre"><FONT face=Arial size=2></FONT><FONT
face=Arial size=2></FONT><FONT face=Arial size=2></FONT><BR></SPAN></DIV>
<DIV><SPAN class=Apple-style-span style="WHITE-SPACE: pre"><SPAN
class=Apple-style-span style="FONT-SIZE: small">I've found some information
about it:</SPAN></SPAN></DIV>
<DIV><SPAN class=Apple-style-span
style="FONT-SIZE: 16px; WHITE-SPACE: pre"><SPAN class=Apple-style-span
style="FONT-FAMILY: 'times new roman'; WHITE-SPACE: normal"><PRE><SPAN class=Apple-style-span style="FONT-SIZE: small"><SPAN class=Apple-style-span style="FONT-STYLE: italic">"va() is a function of the Quake 3 engine used to quickly build strings
using snprintf and a static destination buffer.
If the generated string is longer than the available buffer the server
shows an "Attempted to overrun string in call to va()" error and
terminates.
>From Call of Duty 2 (and consequently) the size of this buffer has
been reduced from the original 32000 bytes to only 1024 causing many
problems to the admins.</SPAN></SPAN></PRE><PRE><SPAN class=Apple-style-span style="FONT-FAMILY: 'times new roman'; WHITE-SPACE: normal"><PRE><SPAN class=Apple-style-span style="FONT-SIZE: small"><SPAN class=Apple-style-span style="FONT-STYLE: italic">So in CoD5 an attacker which has joined the server can exploit this
vulnerability through the sending of a command longer than 1024 bytes
causing the immediate termination of the server."</SPAN></SPAN></PRE><PRE><SPAN class=Apple-style-span style="FONT-SIZE: 12px">I try it, and it works. I you send this command to the server, it will crash:<SPAN class=Apple-style-span style="FONT-STYLE: italic"></SPAN></SPAN></PRE>
<PRE><SPAN class=Apple-style-span style="FONT-SIZE: 12px"><SPAN class=Apple-style-span style="FONT-STYLE: italic">cmd I'mwithstupidsI'mwithstupidsI'mwithstupidsI'mwithstupidsI'mwithstupidsI'mwithstupidsI'mwithstupidsI'mwithstupidsI'mwithstupidsI'mwithstupidsI'mwithstupidsI'mwithstupidsI'mwithstupidsI'mwithstupidsI'mwithstupidsv</SPAN></SPAN></PRE><PRE><SPAN class=Apple-style-span style="FONT-SIZE: 12px"><SPAN class=Apple-style-span style="FONT-STYLE: italic"></SPAN></SPAN>
</PRE><PRE><SPAN class=Apple-style-span style="FONT-SIZE: 12px">I test it in differents servers, in someones worked, in other didn't... Anybody knows a solution for this exploit?</SPAN></PRE><PRE><SPAN class=Apple-style-span style="FONT-SIZE: 12px">Thank, and sorry my english :P</SPAN></PRE>
<PRE><SPAN class=Apple-style-span style="FONT-SIZE: 12px">JuMp!nG</SPAN></PRE><PRE><SPAN class=Apple-style-span style="FONT-SIZE: 12px"><BR></SPAN></PRE></SPAN></PRE></SPAN></SPAN></DIV></BLOCKQUOTE></BODY></HTML>