#######################################################################

                             Luigi Auriemma

Application:  Marathon: Aleph One
              http://source.bungie.org
              http://marathon.sourceforge.net
Versions:     <= 16 Dec 2006
Platforms:    Windows, *nix, *BSD and Mac
Bugs:         A] empty connection crash
              B] possible format string in the logging function
Exploitation: both remote and local
Date:         07 Jan 2007
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From the website:
"Aleph One is an open-source descendant of Bungie's _Marathon 2_
first-person 3D shooting game. A1 plays Marathon 2, Infinity, and
3rd-party content on a wide array of platforms, with (optional) OpenGL
rendering, Internet play, Lua scripting, and more."

#######################################################################

=======
2) Bugs
=======

-------------------------
A] empty connection crash
-------------------------

It's possible to crash the server simply by making an empty connection
to it followed by a valid one (or vice versa; the cause of this bug is
not clear and I have not investigated it).

-------------------------------------------------
B] possible format string in the logging function
-------------------------------------------------

logMessageV, the function used for logging everything in the game, is
vulnerable to a format string bug: the fully expanded log line is
passed to fprintf() as its format argument, so any '%' sequences
contained in the logged data are interpreted by fprintf().
The logging is enabled ONLY for log messages with a priority level
lower than logNoteLevel (40), like logFatalLevel, logErrorLevel,
logWarningLevel and logAnomalyLevel.
I have tried to find an easy way to exploit this bug remotely, but
without luck, so I don't know if one exists or what the other ways
(both remote and local) of doing it might be.

From Misc/Logging.cpp:

  void TopLevelLogger::logMessageV(const char* inDomain, int inLevel,
      const char* inFile, int inLine, const char* inMessage, va_list inArgs)
  {
      ...
      if(sOutputFile != NULL && inLevel < sLoggingThreshhold) {
          ...
          vsnprintf(stringBuffer, kStringBufferSize, inMessage, inArgs);
          string theString(mContextStack.size() * 2, ' ');
          theString += stringBuffer;
          if(sShowLocations) {
              snprintf(stringBuffer, kStringBufferSize, " (%s:%d)\n", inFile, inLine);
              theString += stringBuffer;
          } else
              theString += "\n";
          fprintf(sOutputFile, theString.c_str());  // theString is used as the format string
      ...

#######################################################################

===========
3) The Code
===========

A simple and probably useless PoC for bug A:

  http://aluigi.org/poc/alephonz.zip

#######################################################################

======
4) Fix
======

The bugs have been fixed in the [17 Dec 2006] release.

#######################################################################
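The following is an added example, not code from Aleph One or from the advisory, showing the hardened shape of the logging tail above. The caller's format string is still expanded once with vsnprintf() (that is the logger's API by design), but the expanded line is then written with fputs(), which is equivalent to fprintf(out, "%s", line), so '%' sequences inside the logged data are never interpreted. The names build_log_line, write_log_line, log_message_v, log_message and capture_log, the constant kLoggingThreshold (mirroring sLoggingThreshhold / logNoteLevel = 40) and the "player name" input are all assumptions made for this example.

```cpp
// Added example, not from the Aleph One source tree. It re-creates the
// structure of logMessageV with the final sink fixed: the formatted line
// is treated purely as data and never reaches fprintf() as a format string.
#include <cstdarg>
#include <cstddef>
#include <cstdio>
#include <string>

// Hypothetical threshold, standing in for sLoggingThreshhold (logNoteLevel, 40).
static const int kLoggingThreshold = 40;

// Build one log line: indentation + already-formatted message
// (+ optional " (file:line)"). 'message' is data, never a format string.
std::string build_log_line(std::size_t depth, const std::string& message,
                           bool show_location, const char* file, int line) {
    std::string out(depth * 2, ' ');
    out += message;
    if (show_location) {
        char loc[256];
        // Constant format, untrusted text only as arguments.
        std::snprintf(loc, sizeof loc, " (%s:%d)\n", file, line);
        out += loc;
    } else {
        out += "\n";
    }
    return out;
}

// Safe sink: no format string involved. fputs(line) is equivalent to
// fprintf(out, "%s", line) and is the one-line fix for the advisory's bug.
void write_log_line(FILE* out, const std::string& line) {
    std::fputs(line.c_str(), out);
}

// Hardened equivalent of logMessageV. 'fmt' is the logger's own format
// string (supplied by the calling code); the *expanded result* must never
// be used as a format string again.
void log_message_v(FILE* out, int level, const char* file, int line,
                   const char* fmt, va_list args) {
    if (out == nullptr || level >= kLoggingThreshold) return;
    char buf[1024];
    std::vsnprintf(buf, sizeof buf, fmt, args);
    write_log_line(out, build_log_line(0, buf, true, file, line));
}

void log_message(FILE* out, int level, const char* file, int line,
                 const char* fmt, ...) {
    va_list args;
    va_start(args, fmt);
    log_message_v(out, level, file, line, fmt, args);
    va_end(args);
}

// Demonstration helper: log one entry carrying untrusted text (for example
// a player name received from the network) to a temporary file and return
// exactly what was written, so the behaviour can be checked.
std::string capture_log(int level, const char* untrusted_text) {
    FILE* f = std::tmpfile();
    if (f == nullptr) return "";
    // The untrusted text is an argument to a constant format, never the format.
    log_message(f, level, "net.cpp", 42, "player name: %s", untrusted_text);
    std::rewind(f);
    std::string result;
    char chunk[256];
    while (std::fgets(chunk, sizeof chunk, f) != nullptr) result += chunk;
    std::fclose(f);
    return result;
}
```

With this structure, constructed input such as "%x%x" in a player name is written out literally as text, and entries at or above the threshold (40) produce no output, matching the advisory's note that only levels below logNoteLevel are logged.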