#######################################################################

Luigi Auriemma

Application:  Crysis
              http://www.ea.com/crysis/home.jsp
Versions:     <= 1.21 (1.1.1.6156 showed as gamever)
Platforms:    Windows
Bug:          information disclosure
Exploitation: remote versus both clients and servers
Date:         15 Jun 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Crysis is a recent FPS game developed by Crytek (http://www.crytek.com) and released in November 2007. This game is well known for being a "computer killer" due to its high hardware requirements, but also for having various problems with cheaters.

#######################################################################

======
2) Bug
======

Crysis is affected by a strange design error which consists of appending various internal network information to its disconnect and error packets.

For example, if we send a keyexchange packet (0x8c) without having sent the previous join packet (0x07), the server will reply with a disconnect packet (0x08) containing a "KeyExchange1 with no connection" error message followed by usually 16 lines of internal logs. These include various real-time information such as IP addresses, nicknames and status of the clients (which can therefore be disconnected through spoofed disconnect packets), details about PunkBuster such as paths, screenshots, bans, checks and GUIDs of the players, the status of the Gamespy SDK (stats, failed cdkey checks, communication with the master server and so on) and other more or less sensitive information.

Naturally this problem affects both servers and clients, so it is also possible to see the real-time network logs of any client which is playing on a server, since both its IP and port are visible in the server's logs at some moments.
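The following is an added example (not part of the advisory or of the linked proof of concept) showing how a server operator could detect the probe pattern described above on their own UDP traffic and strip the appended log lines from outgoing disconnect packets at a filtering layer. It assumes the packet type is the first payload byte and that a disconnect payload is the error message followed by newline-separated log lines; the page does not state either, and the sample traffic is constructed.

```python
KEYEXCHANGE = 0x8C   # opcodes quoted in the advisory
JOIN = 0x07
DISCONNECT = 0x08

def inspect_traffic(packets, max_lines=1):
    """packets: iterable of (direction, peer, payload); direction is 'in'
    (peer -> server) or 'out' (server -> peer). Assumption: the opcode is
    payload[0] and a disconnect payload is the error message plus any
    appended log lines, newline separated. Returns (peer, reason) alerts."""
    joined = set()
    alerts = []
    for direction, peer, payload in packets:
        if not payload:
            continue
        opcode = payload[0]
        if direction == "in":
            if opcode == JOIN:
                joined.add(peer)
            elif opcode == KEYEXCHANGE and peer not in joined:
                alerts.append((peer, "keyexchange (0x8c) without prior join (0x07)"))
        elif direction == "out" and opcode == DISCONNECT:
            extra = payload[1:].rstrip(b"\n").count(b"\n")
            if extra >= max_lines:
                alerts.append((peer, f"disconnect (0x08) leaks {extra} log lines"))
    return alerts

def sanitize_disconnect(payload):
    """Keep only the opcode and the first line (the error message) of a
    disconnect packet, dropping the appended internal log lines."""
    if not payload or payload[0] != DISCONNECT:
        return payload
    return payload[:1] + payload[1:].split(b"\n", 1)[0]

# Constructed sample: one legitimate client, one prober that skips the join.
LEGIT, PROBER = "198.51.100.10:64000", "203.0.113.9:64001"
LEAKY_DISCONNECT = (bytes([DISCONNECT]) + b"KeyExchange1 with no connection\n"
                    + b"".join(b"<internal log line %d>\n" % i for i in range(16)))
SAMPLE = [
    ("in", LEGIT, bytes([JOIN]) + b"join-data"),
    ("in", LEGIT, bytes([KEYEXCHANGE]) + b"key-data"),
    ("in", PROBER, bytes([KEYEXCHANGE]) + b"key-data"),
    ("out", PROBER, LEAKY_DISCONNECT),
]

if __name__ == "__main__":
    for peer, reason in inspect_traffic(SAMPLE):
        print(peer, reason)
```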
#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/crysislog.zip

#######################################################################

======
4) Fix
======

No fix

#######################################################################