Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:11719
HistoryMar 07, 2006 - 12:00 a.m.

Multiple vulnerabilities in Liero Xtreme 0.62b

2006-03-0700:00:00
vulners.com
87

#######################################################################

                         Luigi Auriemma

Application: Liero Xtreme
http://lieroxtreme.thegaminguniverse.com
Versions: <= 0.62b
Platforms: Windows
Bugs: A] server crash/freeze
B] format string in the visualization function
Exploitation: A] remote, versus server
B] local/remote, versus clients
Date: 06 Mar 2006
Author: Luigi Auriemma
e-mail: [email protected]
web: http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction

Liero Xtreme (aka Lierox) is a freeware clone of the classic DOS game
called Liero, and is mainly focused on the possibility of expanding and
customizing the game through mods, levels and skins.
Both LAN and Internet multiplayer (through the master server) are
supported.

#######################################################################

=======
2) Bugs


A] server crash/freeze

The server can be easily crashed or freezed using a long string with
the "connect" command.
The problem is caused by the instructions used by the game for handling
the data of this command which in some cases lead to the immediate
crash of the server or a loop which freezes the game.


B] format string in the visualization function

The client's function which visualizes the messages on the screen
(0x004052d0) is affected by a format string vulnerability which can be
used to execute malicious code.
Exist different ways for exploiting this bug but the most interesting
are the following:

  • joining a server using a properly formatted nickname (like %n%n%n%n
    or %02000x) which will be visualized by all the clients currently in
    the server and all the others which will join when the attacker is
    playing.
    In this type of exploitaion if the server is protected by password
    the attacker must know the right keyword.
  • hosting a dedicated server visible on the master server (default)
    with a formatted name, so any client which will enter in the "Join
    Internet Server" menu will be exploited immediately.
  • creating a level file (.lxl extension) with a properly formatted
    mapname.
    Due to the leaning of the game for modding this exploitation is very
    good too.

#######################################################################

===========
3) The Code

http://aluigi.altervista.org/poc/lieroxxx.zip

For the bug B my proof-of-concept exploits only the first method I have
explained, for the other two is enough to:

  • open the config\config.cfg file and add %03000x where is specified
    the server's name (Server.Name) and then launch the dedicated server
  • take the "userdata\levels\Dirt Level.lxl" file and overwrite the
    bytes at offset 36 with the string %03000x

#######################################################################

======
4) Fix

No fix.
No reply from the developers.

#######################################################################


Luigi Auriemma
http://aluigi.altervista.org