<<< Date Index >>>     <<< Thread Index >>>

Double Denial of Service in Call of Duty 4 1.6



#######################################################################

                             Luigi Auriemma

Application:  Call of Duty 4: Modern Warfare
              http://www.callofduty.com
Versions:     <= 1.6
Platforms:    Windows (tested) and Linux
Bugs:         A] "Attempted to overrun string in call to va()" DoS
              B] "callvote map" Denial of Service
Exploitation: remote, versus server (in-game)
Date:         22 Jun 2008
Author:       Luigi Auriemma
              e-mail: aluigi@xxxxxxxxxxxxx
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Call of Duty 4 (CoD4) is the most recent and played game of the homonym
series created by Infinity Ward (http://www.infinityward.com) with over
15000 internet servers.


#######################################################################

=======
2) Bugs
=======

----------------------------------------------------
A] "Attempted to overrun string in call to va()" DoS
----------------------------------------------------

va() is a function of the Quake 3 engine used to quickly build strings
using snprintf and a static destination buffer.
If the generated string is longer than the available buffer the server
shows an "Attempted to overrun string in call to va()" error and
terminates.
>From Call of Duty 2 (and consequently CoD4) the size of this buffer has
been reduced from the original 32000 bytes to only 1024 causing many
problems to the admins, for which reason I created an unofficial fix
for CoD2 in the far 2006 (http://aluigi.org/patches/cod2vawo.lpatch).

So in CoD4 an attacker which has joined the server can exploit this
vulnerability through the sending of a command longer than 1024 bytes
causing the immediate termination of the server.


-----------------------------------
B] "callvote map" Denial of Service
-----------------------------------

The "callvote map" buffer-overflow is an old problem which was reported
to me by Sindre Dahl in the 2006 affecting all the CoD1 and CoD2
servers (http://aluigi.org/adv/codmapbof-adv.txt)

This vulnerability affects also CoD4 altough with some differences:
the name of the map needed to exploit this bug must be long at least
248 bytes and doesn't seem to exist a concrete way to control the code
flow, so the only effect is the crash of the server and not code
execution as for the other two games.

The callvote command works when in a server there are at least two
players (if the server is empty the needed one can be a fake player
generated with "q3fill -1") and the vote must pass.
For some unknown reasons in my tests was necessary to launch callvote
two times for exploiting the bug.


For both the vulnerabilities the attacker must join the server so if
it's protected by password he must know the right keyword and his
IP/guid/cdkey must be not banned.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/cod4vamap.zip

copy the files in the "main" folder of CoD4 and then type

A] /exec cod4va
B] /exec cod4map


#######################################################################

======
4) Fix
======


No fix


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org