####################################################################### Luigi Auriemma Application: S.T.A.L.K.E.R.: Clear Sky http://cs.stalker-game.com/en/ Versions: Clear Sky <= 1.5.10 (aka 1.0010) (Shadow of Chernobyl has not been tested) Platforms: Windows Bug: unhandled malloc exception Exploitation: remote, versus server Date: 22 Jul 2009 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== S.T.A.L.K.E.R. is a famous FPS game series developed by GSC Game World (http://www.gsc-game.com) composed by Shadow of Chernobyl, Clear Sky and a new sequel (Call of Pripyat) not far from the release. ####################################################################### ====== 2) Bug ====== Like some other games, S.T.A.L.K.E.R. uses the Gamespy SDK and so also its cdkey authentication system which was explained for the first time in the following advisory: http://aluigi.org/adv/gshboom-adv.txt When the client sends its cdkey hash the server (well it's better to say the Gamespy code used in the server through xrGameSpy.dll) tries to build the \auth\ packet using _snprintf and performs some other operations which are resumed below: len = _snprintf( buffer, 512, "\\auth\\\\pid\\%d\\ch\\%s\\resp\\%s\\ip\\%d\\skey\\%d\\reqproof\\1\\", PID_NUMBER, CHALLENGE_STRING, CDKEY_HASH, // the one sent by the client CLIENT_IP, SKEY_NUMBER); char gamespy[] = "gamespy"; // xor buffer with the "gamespy" string for(int i = 0; i < len; i++) { buffer[i] ^= gamespy[i % 7]; } send(sock, buffer, len, 0, (struct sockaddr *)&peer, sizeof(struct sockaddr_in)); new_buffer = malloc(len); memmove(new_buffer, buffer, len); The problem is just in the lack of checks in this code, first because the return value of snprintf is not verified and so if the generated string is bigger than the output buffer it returns -1. Then the code tries to send the buffer to the Gamespy master server using the size of -1 bytes (and so it's not sent) and then we arrive to malloc which generates an exception because can't allocate 0xffffffff (-1) bytes (this is the behaviour choosed by the game which is linked to msvcr80.dll). The attacker needs to join the server for exploiting this vulnerability so if the server is protected by password he must know the right keyword. Although the bug is clearly in the Gamespy SDK (because in ANY case would happen a crash in memmove due to new_buffer which is a NULL pointer) at the moment S.T.A.L.K.E.R. seems the only game on which it's exploitable so it must be classified as a bug of this game... except if there will be updates in future. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/stalkazz.zip ####################################################################### ====== 4) Fix ====== No fix #######################################################################