# Original Advisory: http://aluigi.org/adv/fearless-adv.txt
#
#######################################################################

                             Luigi Auriemma

Application:  Lithtech engine
              http://www.lithtech.com
Games:        any game should be affected, refer to
              http://en.wikipedia.org/wiki/Lithtech#Lithtech_implementations
              those personally tested by me are:
              F.E.A.R. <= 1.08
              F.E.A.R. 2 Project Origin <= 1.05
              http://www.whatisfear.com
Platforms:    Windows and Mac
Bug:          memory corruption
Exploitation: remote, versus server
Date:         20 Jul 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Lithtech is the well known game engine developed by Monolith and used
in various famous games like Alien vs Predator 2, No One Lives Forever
and the F.E.A.R. series.
Currently the first episode of F.E.A.R. is the most played online of
the games based on the Lithtech engine.

#######################################################################

======
2) Bug
======

I should note that I haven't performed deep research on the
vulnerability and I have focused my tests mainly on F.E.A.R., although
after a quick test the same/similar problem has been confirmed on other
games that use protocol 2 of the Lithtech engine, like No One Lives
Forever 2.

Through a malformed packet it is possible to corrupt the memory of the
game, with effects that seem to suggest the possibility for an attacker
to do something more than crashing the server.
Indeed the problem affects some function pointers, so the possibility
of having a certain control over them and the code flow remotely is not
excluded.

No other technical details are available at the moment.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/fearless.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/14424.zip (fearless.zip)

tuned to work with the F.E.A.R. series, so Project Origin included.

#######################################################################

======
4) Fix
======

No fix.

#######################################################################