Application:  Star Wars Jedi Knight: Jedi Academy
              http://www.lucasarts.com/products/jediacademy/
Versions:     <= 1.011
Platforms:    Windows, Linux and Mac
Bug:          buffer-overflow during the visualization of big messages
Exploitation: remote, versus server (in-game)
Date:         02 Apr 2005
Author:       Luigi Auriemma
              e-mail: email@example.com
              web:    http://aluigi.altervista.org
1) Introduction
2) Bug
3) The Code
4) Fix
===============
1) Introduction
===============
Jedi Academy is a first-person shooter built on the Quake 3 engine; it was developed by Raven Software (http://www.ravensoft.com) and released in September 2003.
======
2) Bug
======
The game is affected by a buffer-overflow in the text display function G_Printf(). This function uses sprintf() to format the text to be shown in the console into a local buffer of 1024 bytes, with no length check. So if an attacker sends a big message (through the say and tell commands, for example), the server calls G_Printf() to display a string like the following:
say: NICKNAME: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa...aaaaaaaa\n
The result is that an attacker could execute malicious code on the victim server. The only limitation is that this is an in-game bug, so the attacker must have access to the server; if it is protected by a password, he must know it.
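To make the defect concrete, here is the sprintf()-into-a-1024-byte-local-buffer pattern the advisory describes beside a bounded replacement that a server maintainer could apply. This is an added illustration, not the game's code or the author's; the stub console sink, the two function names and the "say: NICKNAME: aaa...\n" test message are constructed for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define G_PRINTF_BUF 1024   /* local buffer size named in the advisory */

/* Stand-in for the engine's console sink (assumed name); records how much
   text reached it so the example can be checked offline. */
static size_t g_last_print_len;
static void trap_Printf_stub(const char *text) { g_last_print_len = strlen(text); }
size_t last_print_len(void) { return g_last_print_len; }

/* Shape of the defect the advisory describes: vsprintf() has no bound, so a
   say/tell message longer than the buffer overruns the stack frame. Never called here. */
void G_Printf_unbounded(const char *fmt, ...) {
    va_list argptr;
    char text[G_PRINTF_BUF];
    va_start(argptr, fmt);
    vsprintf(text, fmt, argptr);   /* unbounded write: the bug */
    va_end(argptr);
    trap_Printf_stub(text);
}

/* Bounded replacement: vsnprintf() never writes past sizeof text and always
   NUL-terminates. Returns 1 if the message was truncated, so oversize input can be logged. */
int G_Printf_bounded(const char *fmt, ...) {
    va_list argptr;
    char text[G_PRINTF_BUF];
    int needed;
    va_start(argptr, fmt);
    needed = vsnprintf(text, sizeof text, fmt, argptr);
    va_end(argptr);
    if (needed < 0) { text[0] = '\0'; needed = 0; }   /* encoding error */
    trap_Printf_stub(text);
    return needed >= (int)sizeof text;
}

/* Builds the advisory's "say: NICKNAME: aaaa...\n" line with a constructed message of
   msg_len 'a's and prints it via the bounded version. Returns the truncation flag, -1 on OOM. */
int print_say(const char *nick, size_t msg_len) {
    char *msg = malloc(msg_len + 1);
    if (!msg) return -1;
    memset(msg, 'a', msg_len);
    msg[msg_len] = '\0';
    int truncated = G_Printf_bounded("say: %s: %s\n", nick, msg);
    free(msg);
    return truncated;
}
```

A 5000-byte message reaches the console sink cut to 1023 bytes instead of overrunning the stack, and the caller learns that truncation happened.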
===========
3) The Code
===========
======
4) Fix
======
No fix. The game "should" no longer be supported.
Luigi Auriemma
http://aluigi.altervista.org