#######################################################################

                             Luigi Auriemma

Application:  Crysis
              http://www.ea.com/crysis/home.jsp
              Crysis Wars / Warhead
              http://crysiswarhead.ea.com
Versions:     Crysis <= 1.21
              Crysis Wars <= 1.5
Platforms:    Windows (the Linux server has not been tested but should be
              vulnerable too)
Bug:          format string
Exploitation: remote, versus server
Date:         21 Jul 2009
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Crysis is a recent FPS game developed by Crytek (http://www.crytek.com)
and released in November 2007.
The game is well known for being a "computer killer" because of its high
hardware requirements, but also for its many problems with cheaters.
Crysis Wars, instead, is a stand-alone multiplayer expansion and sequel,
also known as Crysis Warhead.

#######################################################################

======
2) Bug
======

In Crysis the packet with type 0x08 is the disconnection packet. It
consists of an additional 8-bit field, which specifies the type of error
message, followed by the textual message which, depending on that type,
is displayed directly in the server's console.
Although it is a "disconnection" packet, sending a join request (even an
invalid one with a wrong CD key) is enough to enable its handling, so
there are no limitations for the attacker, who can even spoof the
packets.
This short introduction to this type of packet is needed only to explain
one of the ways (or probably the only one: various other tests performed
after the release of this advisory have all given negative results, so
consider this format string bug related to the disconnection packet
only) of exploiting a security vulnerability in the logging/display
function of the game, where the messages (previously built with a
vsprintf_s to add the timestamp) are passed to _vsnprintf without the
necessary format argument:

  _vsnprintf(buffer, 4096, message);

The resulting format string vulnerability leads to an immediate crash of
the server and the "possible" (not verified) execution of code.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/crysisfs.zip

#######################################################################

======
4) Fix
======

No fix

#######################################################################
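As an added illustration (not code from this advisory, from Crytek or from the PoC linked above), the following portable C shows the call pattern quoted in section 2 beside its hardened form, plus a small check a server operator could run on inbound text before logging it. The function names, the "[timestamp] message" layout and the sample message are assumptions made here; the game's real logging path uses the MSVC _vsnprintf/vsprintf_s variants, which the standard vsnprintf/snprintf stand in for.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF 4096   /* same buffer size as the _vsnprintf call quoted in the advisory */

/*
 * VULNERABLE pattern (hypothetical stand-in for the game's logging function):
 * the already-assembled message, which contains player-supplied text from the
 * disconnection packet, is handed to vsnprintf as the FORMAT argument.
 * Kept only for side-by-side comparison; nothing in this file calls it.
 */
void log_message_vulnerable(char *out, size_t outlen, const char *message, ...)
{
    va_list ap;
    va_start(ap, message);
    vsnprintf(out, outlen, message, ap); /* every '%' in message is parsed as a directive */
    va_end(ap);
}

/*
 * FIXED pattern: the message is passed as DATA to a constant "%s" format, so
 * any '%' it contains is copied literally. Returns the snprintf result.
 */
int log_message_fixed(char *out, size_t outlen, const char *timestamp, const char *message)
{
    return snprintf(out, outlen, "[%s] %s", timestamp, message);
}

/*
 * Detection helper (assumption: an operator or log filter wants to flag
 * inbound text that would be interpreted as printf directives).
 * Returns 1 if the string holds a '%' that is not the literal escape "%%",
 * otherwise 0.
 */
int contains_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" is a literal percent sign, not a directive */
            s++;
            continue;
        }
        return 1;            /* '%' followed by anything else (or end of string) */
    }
    return 0;
}

/* Formats a constructed disconnect message with the fixed function and returns the line. */
const char *demo_fixed_line(void)
{
    static char line[LOG_BUF];
    const char *untrusted = "player left: 100%s";   /* constructed sample, not real game data */
    log_message_fixed(line, sizeof line, "12:00:00", untrusted);
    return line;
}

int main(void)
{
    printf("%s\n", demo_fixed_line());
    printf("directive present: %d\n", contains_format_directive("player left: 100%s"));
    printf("directive present: %d\n", contains_format_directive("100%% done"));
    return 0;
}
```

The fixed variant is the whole of the mitigation: the user-controlled text only ever reaches the formatter as an argument, never as the format. The detector is a secondary signal for log review or rate limiting, not a replacement for the fix, since a server that still uses the vulnerable call crashes before any such check helps.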