bugtraq June 2008 archive
Main Archive Page > Month Archives  > bugtraq archives
bugtraq: Double Denial of Service in Call of Duty 4 1.6

Double Denial of Service in Call of Duty 4 1.6

From: Luigi Auriemma <aluigi_at_nospam>
Date: Mon Jun 23 2008 - 19:12:28 GMT
To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk, packet@packetstormsecurity.org, cert@cert.org, news@securiteam.com

#######################################################################
Luigi Auriemma Application: Call of Duty 4: Modern Warfare http://www.callofduty.com Versions: <= 1.6 Platforms: Windows (tested) and Linux Bugs: A] "Attempted to overrun string in call to va()" DoS B] "callvote map" Denial of Service Exploitation: remote, versus server (in-game) Date: 22 Jun 2008 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org
#######################################################################
1) Introduction 2) Bugs
3) The Code
4) Fix

#######################################################################


  1. Introduction

Call of Duty 4 (CoD4) is the most recent and played game of the homonym series created by Infinity Ward (http://www.infinityward.com) with over 15000 internet servers.

#######################################################################



2) Bugs

  1. "Attempted to overrun string in call to va()" DoS

va() is a function of the Quake 3 engine used to quickly build strings using snprintf and a static destination buffer. If the generated string is longer than the available buffer the server shows an "Attempted to overrun string in call to va()" error and terminates.
>From Call of Duty 2 (and consequently CoD4) the size of this buffer has been reduced from the original 32000 bytes to only 1024 causing many problems to the admins, for which reason I created an unofficial fix for CoD2 in the far 2006 (http://aluigi.org/patches/cod2vawo.lpatch).

So in CoD4 an attacker which has joined the server can exploit this vulnerability through the sending of a command longer than 1024 bytes causing the immediate termination of the server.



B] "callvote map" Denial of Service

The "callvote map" buffer-overflow is an old problem which was reported to me by Sindre Dahl in the 2006 affecting all the CoD1 and CoD2 servers (http://aluigi.org/adv/codmapbof-adv.txt)

This vulnerability affects also CoD4 altough with some differences: the name of the map needed to exploit this bug must be long at least 248 bytes and doesn't seem to exist a concrete way to control the code flow, so the only effect is the crash of the server and not code execution as for the other two games.

The callvote command works when in a server there are at least two players (if the server is empty the needed one can be a fake player generated with "q3fill -1") and the vote must pass. For some unknown reasons in my tests was necessary to launch callvote two times for exploiting the bug.

For both the vulnerabilities the attacker must join the server so if it's protected by password he must know the right keyword and his IP/guid/cdkey must be not banned.

#######################################################################



3) The Code

http://aluigi.org/poc/cod4vamap.zip

copy the files in the "main" folder of CoD4 and then type

  1. /exec cod4va
  2. /exec cod4map

#######################################################################



4) Fix

No fix

#######################################################################

---
Luigi Auriemma
http://aluigi.org