
Quake 2 Lithium Mod V 1.24 Macro Expansion Vuln?



Well I ran Quake 2 (using Lithium mod V 1.24) under OllyDBG and it seems that the Lithium II mod for Quake 2 (latest patch 3.20) is parsing the '%' in nicks. My well-crafted nickname '%999f%f%f%f%f' is being pushed onto the stack as

004144A1 |. 68 E821AF00 PUSH QUAKE2.00AF21E8 ; ASCII "0.000000 0.000000 0.000000"

A huge real number. This expansion seems to be causing a stack overflow. I ran it on my test server and sure enough it crashes. I'm currently working on code execution and the ability to read any memory address.

I contacted the creator of Lithium mod II, but he still hasn't returned my emails.


I found that any 'percent' in the nick is interpreted as 0.0000. You can use various combos such as %d for an int and %c for a char. This is telling me that it's a format string vulnerability.

This only works on a Lithium Quake 2 server. It's manifested in the latest release, V 1.24, and probably affects prior versions also.

I am currently reverse engineering the mod to get more info on this. It's probably gonna take a while 'cause I'm at my mom's house with 8 people and one computer ;p

The vuln lies in the code that updates the score (frags) when you die; that is where the overflow manifests. I will write a more detailed explanation on this after I finish RE'ing it.

Regards, SinNULL


More info on the vuln will be posted shortly, when I find some allocated time to work with.
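The pattern the post describes, a player-controlled nickname reaching a printf-style call as its format argument, is shown below as an added example. This is not code from the original post and not the Lithium mod's source; the function names, the frag-message layout and the nickname policy are assumptions made for illustration. It contrasts the dangerous call shape with the hardened one (nick passed through `%s`), and adds the two server-side checks a defender would want: a count of directives a string would expand to if it were ever used as a format, and a connect-time policy that rejects nicks containing `%`.

```c
/*
 * Added example (not from the original post or the Lithium mod).
 * Models a frag-message routine that receives a player-chosen nickname.
 * Names, message layout and the nickname policy are assumptions.
 */
#include <stdio.h>
#include <string.h>

#define MSG_MAX 128
#define NICK_MAX 32

/* Constructed sample: the nickname quoted in the report. */
static const char *kBadNick = "%999f%f%f%f%f";

/*
 * VULNERABLE shape (shown only as a comment, never compiled here):
 *
 *     snprintf(out, n, nick);          // nick becomes the format string
 *
 * With nick = "%999f%f%f%f%f" each %f pulls a double off the argument
 * area that was never supplied, which matches the "0.000000 0.000000"
 * expansion and the crash the report observed.
 */

/* HARDENED: the nickname is always an argument to a fixed format. */
int format_frag_message_safe(char *out, size_t n, const char *nick, int frags)
{
    return snprintf(out, n, "%s has %d frags", nick, frags);
}

/*
 * Counts the '%' characters that would act as conversion specifiers if
 * the string were used as a format. A "%%" pair is a literal percent and
 * is not counted. Useful for logging/detection on inbound userinfo.
 */
int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p == '%') {
            if (p[1] == '%') { p++; continue; }  /* literal "%%" */
            count++;
        }
    }
    return count;
}

/*
 * Connect-time policy: reject any nick containing '%' (and over-long
 * nicks) so even a legacy code path that still misuses the nick as a
 * format string cannot be reached with directives in it.
 */
int nick_is_acceptable(const char *nick)
{
    return strchr(nick, '%') == NULL && strlen(nick) < NICK_MAX;
}

int main(void)
{
    char buf[MSG_MAX];

    format_frag_message_safe(buf, sizeof buf, kBadNick, 3);
    printf("safe message : %s\n", buf);          /* nick appears literally */
    printf("directives   : %d\n", count_format_directives(kBadNick));
    printf("accept nick? : %d\n", nick_is_acceptable(kBadNick));
    printf("accept nick? : %d\n", nick_is_acceptable("SinNULL"));
    return 0;
}
```

The directive count is the useful detection signal: a nick with five conversion specifiers is never legitimate, so a server can log and drop it at connect time rather than discovering the problem in the frag-update path.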