BugTraq
Format string in F.E.A.R. 1.08 through PB Oct 01 2007 07:31PM
Luigi Auriemma (aluigi autistici org)

#######################################################################

Luigi Auriemma

Application: F.E.A.R. (First Encounter Assault Recon)
http://www.whatisfear.com
Versions: <= 1.08
Platforms: Windows and Linux
Bug: format string
Exploitation: remote, versus server with Punkbuster enabled
Date: 01 Oct 2007
Author: Luigi Auriemma
e-mail: aluigi (at) autistici (dot) org [email concealed]
web: aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

F.E.A.R. is the most recent FPS game developed by Monolith
(http://www.lith.com).

#######################################################################

======
2) Bug
======

This bug is nothing new moreover considering that it's public from the
far 2004 when this game was still a beta:

http://aluigi.org/adv/lithfs-adv.txt

What changes this time is the type of exploitation and the derived
advantages since now the attack is completely anonymous from outside
the server using only one UDP packet.

When Punkbuster is enabled on a server (true for many public servers)
it visualizes the content of some incoming packets using the game's
console.
The Punkbuster packets needed for forcing the visualization of a custom
string in the console are PB_Y (YPG server) and PB_U (UCON), while in
the past was ok to use PB_P too which has been recently made no longer
verbose probably due to its abusing attempted by people for spamming
servers (which is naturally still possible with the above packets).

As already said this is a bug in the Lithtech engine and NOT in
Punkbuster which is used only as a "way" for exploiting it.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/fearfspb.zip

#######################################################################

======
4) Fix
======

No fix.
The bug has been never "really" patched although it's public from 3
years.

#######################################################################

---
Luigi Auriemma
http://aluigi.org
http://forum.aluigi.org
http://mirror.aluigi.org

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus