#######################################################################

                             Luigi Auriemma

Application:  SWAT 4
              http://www.swat4.com
Versions:     <= 1.1
Platforms:    Windows
Bugs:         A] NULL pointer through VERIFYCONTENT and GAMECONFIG
              B] Runtime Error through GAMESPYRESPONSE
Exploitation: remote, versus server
Date:         20 Jul 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


SWAT 4 is a well-known FPS game developed by Irrational Games
(http://www.irrationalgames.com) and released in 2005.


#######################################################################

=======
2) Bugs
=======

----------------------------------------------------
A] NULL pointer through VERIFYCONTENT and GAMECONFIG
----------------------------------------------------

The game server can be crashed by a NULL pointer passed to the FString
function.
This bug can be triggered by sending the VERIFYCONTENT or the
GAMECONFIG command before joining the server.


----------------------------------------
B] Runtime Error through GAMESPYRESPONSE
----------------------------------------

Another Denial of Service can be triggered through the GAMESPYRESPONSE
command followed by an RS string longer than 71 bytes, which results in
a Runtime Error.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/fakep/unrealfp.zip

A]
  unrealfp -c VERIFYCONTENT SERVER PORT

B]
  unrealfp -C "GAMESPYRESPONSE RS=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" SERVER PORT


#######################################################################

======
4) Fix
======


No fix


#######################################################################