In-game server buffer-overflow in Jedi Academy 1.011

2005-04-03T00:00:00
ID SECURITYVULNS:DOC:8209
Type securityvulns
Reporter Securityvulns
Modified 2005-04-03T00:00:00

Description

                         Luigi Auriemma

Application:  Star Wars Jedi Knight: Jedi Academy
              http://www.lucasarts.com/products/jediacademy/
Versions:     <= 1.011
Platforms:    Windows, Linux and Mac
Bug:          buffer-overflow during the visualization of big messages
Exploitation: remote, versus server (in-game)
Date:         02 Apr 2005
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    http://aluigi.altervista.org

1) Introduction
2) Bug
3) The Code
4) Fix

===============
1) Introduction
===============

Jedi Academy is a first-person shooter based on the Quake 3 engine; it was developed by Raven Software (http://www.ravensoft.com) and released in September 2003.

======
2) Bug
======

The game is affected by a buffer-overflow in the visualization function G_Printf(). This function uses sprintf() with a local buffer of 1024 bytes in which it stores the text to display in the console, so if an attacker sends a big message (through the say and tell commands, for example) the server calls G_Printf() to display a string like the following:

say: NICKNAME: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa...aaaaaaaa\n

The result is that an attacker could execute malicious code on the victim server. The only limitation is that this is an in-game bug, so the attacker must have access to the server; if it is protected by a password he must know it.
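The following is an added illustration of the fix a maintainer would apply to the pattern described above; it is not code from the advisory or from the game's source, and the names g_printf_bounded, say_overrun and CONSOLE_BUF_SIZE are assumptions chosen for this example. It replaces the unbounded sprintf() with vsnprintf() into the same 1024-byte local buffer, so an oversized "say" line is truncated instead of running past the buffer, and it reports how many bytes the unbounded version would have written past the end:

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the local console buffer the advisory reports for G_Printf(). */
#define CONSOLE_BUF_SIZE 1024

/* Hardened replacement for the G_Printf() pattern (assumed name, not the
   game's code). vsnprintf() writes at most sizeof(text) - 1 characters and
   always NUL-terminates, so the stack buffer can no longer be overrun.
   Return value: number of characters that did not fit (0 if the whole
   message fit), which a server could log as a sign of abuse. */
size_t g_printf_bounded(const char *fmt, ...)
{
    char text[CONSOLE_BUF_SIZE];
    va_list ap;
    int needed;

    va_start(ap, fmt);
    needed = vsnprintf(text, sizeof(text), fmt, ap);
    va_end(ap);
    if (needed < 0)
        return 0;                       /* encoding error: nothing printed */

    fputs(text, stdout);
    if ((size_t)needed >= sizeof(text))
        return (size_t)needed - (sizeof(text) - 1);
    return 0;
}

/* Builds a constructed chat line in the shape shown in the advisory
   ("say: NICK: aaaa...\n") with msg_len bytes of 'a', prints it through the
   bounded function, and returns how many bytes the original 1024-byte
   sprintf() buffer would have been overrun by (0 means the line fits). */
size_t say_overrun(const char *nick, size_t msg_len)
{
    char *msg = malloc(msg_len + 1);
    size_t dropped;

    if (!msg)
        return 0;
    memset(msg, 'a', msg_len);
    msg[msg_len] = '\0';
    dropped = g_printf_bounded("say: %s: %s\n", nick, msg);
    free(msg);
    return dropped;
}

int main(void)
{
    /* A short message fits; a 2000-byte one would have overrun by 993 bytes. */
    printf("overrun=%zu\n", say_overrun("NICKNAME", 8));
    printf("overrun=%zu\n", say_overrun("NICKNAME", 2000));
    return 0;
}
```

The overrun count is the formatted length minus the 1023 characters the buffer can hold; anything above zero is exactly the number of bytes sprintf() would have written past the end of the local buffer.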

===========
3) The Code
===========

  • download the following file: http://aluigi.altervista.org/poc/jamsgbof.cfg
  • place it in the base folder of the game: GameData\base
  • start a client and a server
  • join the server
  • go into the client console (shift + ~)
  • type: /exec jamsgbof
  • the server will crash with the return address overwritten with 0x61616161

======
4) Fix
======

No fix. The game "should" no longer be supported.

Luigi Auriemma http://aluigi.altervista.org