08 December 2018

Exploiting Steam Lobbies and Matchmaking [18 Sep 2014]

 

EXPLOITING STEAM LOBBIES AND MATCHMAKING

BY LUIGI AURIEMMA

Description of the security vulnerabilities that affected the Steam lobbies and all the games using the Steam Matchmaking functionalities.

Revision 1 

Introduction

STEAM

"Steam is an internet-based digital distribution, digital rights management, multiplayer, and communications platform developed by Valve Corporation. It is used to distribute games and related media from small, independent developers and larger software houses online." (link)

It's not easy to define Steam because it's not just a platform for buying games but also a social network, a market for game items, a framework for integrating various functionalities in games, an anti-cheat, a cloud and more.

But the most important and attractive feature, from a security point of view, is its incredible diffusion (link)(link).

MATCHMAKING AND LOBBIES

Steam offers a simple and efficient way to allow games to provide online multiplayer functionalities to their users by using Steam Matchmaking.

Steam Matchmaking can be compared to a chat server where any user can create his own room (the “lobby”) that will appear in a public online list and other players can join it. 

It’s possible to configure the lobby in various ways, for example adding custom parameters like name and game data, maximum number of joinable players, making it non-joinable or private or for friends only, sending chat messages, running a game server and more. 

The interaction with this matchmaking system is granted by the set of Steamworks APIs contained in the IsteamMatchmaking class, so any game can use this feature. 

Many games use the Steam lobbies for online gaming: Counter Strike Global Offensive, Left for Dead 1 and 2, Borderlands 2, Payday 2, the Codemasters games (Dirt, Grid and F1 series) and any multiplayer game sold on Steam that is not based on the Source engine or proprietary solutions. 

Steam Matchmaking gained some notoriety in the last years due to the “migration” performed by the developers/publishers of many games from a master server architecture, private or hosted by Gamespy, to the Steam one. This solution granted some of them to survive from the Gamespy shutdown of May 2014.



Steam lobbies and security risks

HOW THE STEAM LOBBIES WORK

In technical terms the concept of the Steam lobbies is quite simple:
  • An user starts a lobby (CreateLobby)
  • He sets some lobby parameters (SetLobbyData)
  • The other users can view the new lobby when they query the list of public lobbies (GetLobbyByIndex)
  • The users join the lobby (JoinLobby)
  • At this point joining the game server (which is separate from the Steam lobby) is game dependent, some games use SetLobbyGameServer, others get the lobby owner’s SteamID (GetLobbyOwner), others put that ID in a lobby parameter, others specify the IP and port of the server instead of the SteamID and so on
  • When the clients have the owner’s ID, they can join his game server using the Steam Networking API (SendP2Ppacket)
What is visualized in-game to the players is not different than any other “master server“-based game, additionally Steam automatically sorts the lobbies based on the geographic distance between the lobby’s owner and the user who requested the list to allow the quick-matchmaking feature (auto-joining servers with best ping and maybe with players of same nationality). 



SECURITY TESTING AND EFFECTS

The vulnerabilities in the Steam Matchmaking have been found during a research commissioned by Epic Games regarding the third-party libraries and services used in their Unreal Engine 4

The tests have been started the 25th July 2014. 

Some issues were discovered with the following security effects:
  • Takeover of the lobby owned by other users
  • Forcing all the players in a lobby to leave it and joining an inexistent game server
  • Setting custom parameters of any lobby
  • Making any lobby not publicly visible
  • Performing these operations without even joining the lobby


The main effect of these vulnerabilities, affecting the Steam back-end network, is that an attacker can deny the online gaming of several known and played multiplayer games with a simple and silent attack performed in a couple of seconds.

VULNERABLE VERSIONS

The Steam back-end network that handles the lobbies was vulnerable till the 17th September 2014.

NON-VULNERABLE VERSIONS

Currently all the reported issues have been fixed.
An undefined number of old games has been left vulnerable (“whitelisted”) due to how they implement the Steam Matchmaking, probably because their P2P oriented gaming requires that any user can act as co-owner of the lobby. For these games may be released game-related patches in future if necessary.
No further details are available.



Description of the issues

SETLOBBYGAMESERVER DENIAL OF SERVICE

Joining a game server, after having joined a lobby, is a game-dependent operation. 


Steamworks in its SpaceWar example game, used to show to the game developers how to implement the Steamworks API, suggests to use the SetLobbyGameServer API and automatically joining the server upon the execution of a specific callback.

When that API is executed Steam sends an event to all the users in the target lobby that will execute the LobbyGameCreated_t callback and adds the following lobby parameters:
  • __gameserverIP – IP address of the game server or 0
  • __gameserverPort – port of the game server or 0
  • __gameserverSteamID – SteamID of the user running the server or 0

Valve suggests that the default behavior is leaving the lobby and connecting to the game server:
//-----------------------------------------------------------------------------
// Purpose: A game created a game for all the members of the lobby to join,
//          as triggered by a SetLobbyGameServer()
//          it's up to the individual clients to take action on this; the usual
//          game behavior is to leave the lobby and connect to the specified game server
//-----------------------------------------------------------------------------

struct LobbyGameCreated_t
{
    enum { k_iCallback = k_iSteamMatchmakingCallbacks + 9 };

    uint64 m_ulSteamIDLobby;         // the lobby we were in
    uint64 m_ulSteamIDGameServer;    // the new game server that has been created or found for
                                     // the lobby members
    uint32 m_unIP;                   // IP & Port of the game server (if any)
    uint16 m_usPort;
};


That’s the default behavior that happens with SpaceWar, AlienSwarm, Borderlands 2 and some other games. 


That API can be called not only by the owner of the lobby but also by any other user that joins that lobby, this is the reason why this feature can be abused to force the other players to leave the lobby trying to join an arbitrary IP or SteamID. 


Performing this operation against all the available lobbies of an affected game, will result in the absence of online lobbies and in clients that try to connect to inexistent servers. In some games like Alien Swarm there are no visible effects for the owner of the lobby and other players, they will silently leave the lobby (that will be automatically deleted when left by the owner) but nothing is shown to the players.



TAKEOVER OF STEAM LOBBIES

Steamworks provides various ways to the users for controlling and customizing their lobbies:

- SetLobbyData and DeleteLobbyData
Adds, modifies and deletes the lobby parameters, for example “name”


- SetLobbyMemberLimit
Limits the amount of users who can join the lobby


- SetLobbyType
Allows to set the lobby as:
  • Private: invisible to the public list and to the friends
  • FriendsOnly: invisible to the public list, but visible to the friends
  • Public: default
  • Invisible: allows an user to join two lobbies 

SetLobbyJoinable
Allows to make the lobby non-joinable


- SetLobbyGameServer
The API seen before 


The following are some real examples of Steam lobbies taken from Borderlands 2, F1 2013, XCom-Enemy-Unknown and Payday 2, they are useful to understand better what are the lobby parameters:
lobby 109775241376664452 - 459508612 393216 8 1
  BuildUniqueString: BORDERLANDS2-1.8.3W
  CurrMission: 7
  CurrPlotMission: 7
  DlcFlag: 1
  DlcMapContentId: 0
  DlcMapPackageId: 0
  gameMode: 0
  HostExpLevel: 31
  IsPublic: 1
  OwningPlayerName: TRUCKERBOX
  PlayThrough: 1
  __gameserverIP: 0
  __gameserverPort: 0
  __gameserverSteamID: 765611981062*****

lobby 109775241376111944 - 458956104 393216 8 1
  268435458: 65365
  536870936: 0
  SteamLobbyGameMode: 0
  SteamLobbyGameType: 0
  SteamLobbyHostId: 765611980157*****
  SteamLobbyHostName: ICEMAN
  SteamLobbyOpenSlots: 15
  SteamLobbyVisibility: 0

lobby 109775241373641018 - 456485178 393216 8 1
  268435468: 0
  268435469: 0
  268435470: 90
  268435471: 10000
  268435472: 0
  268435474: 0
  268435488: 1724
  268435489: 28398179
  32779: 0
  553648128: 9212610293214#24968160127#
  bIsDedicated: False
  BotPlayerCount: 0
  bUsesStats: True
  GameSettings: XComOnlineGameSettingsDeathmatchRanked
  GameTags: XComMPLobbyGame
  MapName: XComShell
  MaxPlayerCount: 1
  NumOpenPrivateConnections: 0
  NumOpenPublicConnections: 1
  NumPrivateConnections: 0
  NumPublicConnections: 2
  OwningPlayerId: 765611980191*****
  OwningPlayerName: Kharon
  PasswordProtected: 0
  ServerName: Kharon
  SteamEngineVersion: 8916
  __gameserverIP: 0
  __gameserverPort: 0
  __gameserverSteamID: 900914655904*****

lobby 109775241376713535 - 459557695 393216 8 1
  difficulty: 5
  drop_in: 1
  job_class_max: 80
  job_class_min: 80
  job_id: 28
  kicking_allowed: 1
  level: 57
  lobby_type: public
  min_level: 0
  num_players: 1
  owner_id: 765611980432*****
  owner_name: rendoman
  payday2_v1.12.4: true
  permission: 1
  state: 3
  __gameserverIP: 0
  __gameserverPort: 0
  __gameserverSteamID: 765611980432*****

These APIs can be called by any user, not only the lobby owner and, moreover, they can use used even from outside the lobby. That means an attacker is able to silently delete any online lobby without even joining them and resulting in a multiplayer game without online matches to join.


The proof-of-concept

A proof-of-concept is available as reference for the issues:
Please note that the issues have been fixed and that proof-of-concept no longer works, except for the whitelisted games.

FAQ

What was the impact of these issues?
A single attacker, without particular network or bandwidth requirements, was able to make many multiplayer games unplayable online with zero lobbies/matches to which connecting. The attack was silent and performed in some seconds without even joining the target lobbies.


Were these issues critical?
Yes, without Steam lobbies it’s not possible to play online with many multiplayer games sold on Steam.


Are these issues fixed now?
Yes, all the issues have been definitely fixed the 17th September 2014.
Some old games have been left whitelisted by Valve due to backward compatibility (basically their multiplayer has been designed to work in that way) and so they may be still vulnerable “by design”.


Was the attack performed against the users’ computers?
No, the Steam lobbies are handled by the Steam back-end network.


Does the attacker need to own the target games to attack them?
It depends by the game, retrieving the list of online lobbies is an operation usually available to who owns the game but some games can be queried even from accounts that don’t own them.


Was/is the game X vulnerable?
There is a short list of some tested games in the Introduction section.
If you want to know if a game uses the Steam lobbies you can use some tools, while if you are interested to test it you can use the proof-of-concept provided in the previous section of this paper.



History

  • 25 Jul 2014 Security issues initially found
  • 04 Aug 2014 Vulnerabilities reported to Valve after more tests on various games
  • 12 Aug 2014 The APIs can be no longer called from outside the lobbies without joining
  • 23 Aug 2014 Some mitigations implemented by Valve, still possible to make lobbies private
  • 17 Sep 2014 After many e-mails all the remaining issues have been fixed, only the owners of the lobbies can perform operations on them

Steam Service Security [10 Jul 2014]

 

STEAM SERVICE SECURITY

BY LUIGI AURIEMMA

How a malware or an exploit can use the Steam local service to escalate its
privileges.
 
ReVuln Ltd.
http://revuln.com
@revuln
info@revuln.com

Revision 1

Introduction

STEAM

"Steam is an internet-based digital distribution, digital rights management, multiplayer, and communications platform developed by Valve Corporation. It is used to distribute games and related media from small, independent developers and larger software houses online." (link)

It's not easy to define Steam because it's not just a platform for buying games but also a social network, a market for game items, a framework for integrating various functionalities in games, an anti-cheat, a cloud and more.

But the most important and attractive feature, from a security point of view, is its incredible diffusion (link)(link).

STEAMSERVICE

In 2007 Valve introduced a new local Windows service in Steam for handling the tasks that require Administrator privileges and maintaining the main client process Steam.exe under the normal limited privileges of the current user.

This is a common practice adopted by many software developers moreover after Microsoft introduced the UAC technology from Windows Vista. In fact the secondary job of such service is avoiding to annoy the user with continuous Windows popups requiring the confirmation for using higher privileges.

The service is used also for monitoring the processes of the running games and it's part of Valve anti-cheat (VAC).

In Steam the local service that performs these operations is called "Steam Client Service", a Manual service with SYSTEM privileges. The service can be started by any user but it will terminate immediately if some requirements are not met.

The service is automatically started by Steam when launched and it remains active till Steam is working.

The "Steam Client Service" is a required component.

WHY IT’S INTERESTING

What's interesting about this service is that it can be abused by malicious programs (malware) for performing various tasks with high privileges and that's quite important considering that Steam is one of the most diffused software available.

VULNERABLE VERSIONS

Steam package versions: 1404163764
Steamservice.*: 2.30.30.94

NON-VULNERABLE VERSIONS

None.
As a personal project, this document has been released publicly without contacting Valve.

How Steamservice works

The service uses an IPC interface for communicating with the Steam process, the access to the interface is performed using events and shared memory. Named pipes were used in past versions.

Exist many ways to perform IPC and the following are the current steps for starting to communicate with the SteamService:
  • create a Global\Valve_SteamIPC_Class event
  • create a Steam3Master_SharedMemFile mapped file
  • create a Steam3Master_SharedMemLock event
  • launch the service, any user without privileges can do it
  • open the Global\SteamClientService_SharedMemLock event
  • open the Global\SteamClientService_SharedMemFile mapped file
  • take the handles from the structure located on the mapped file
Note that such steps are necessary only if we use a stand-alone tool to access SteamService, so if Steam is already running we can inject our code in its process or we can just kill it and use the IPC or replace some Steam libraries and so on.

The service will verify that our process has the steam.exe name and that its own steamservice.dll shared library (C:\Program Files (x86)\Steam\bin\steamservice.dll) is correctly signed by Valve.

If steamservice.dll doesn't have a signature or it's signed with a different certificate, the service will terminate immediately.

No signature verification – DLL hijacking

THE ISSUE

The verification of the signature of steamservice.dll is performed for security reasons because the folder where is located the service executable cannot be modified by the user but the Steam folder used by the dll is fully writable and cannot be trusted.

But this check is completely useless because steamservice.dll depends by other libraries located in the Steam folder that are not verified at all and can be replaced by a malware to execute its code inside the service with SYSTEM privileges.

The following are the libraries that can be used by the malware:
  • crashhandler.dll
  • dbghelp.dll
  • tier0_s.dll
  • vstdlib_s.dll
  • dnsapi.dll (Windows dll searched in the local folder)
  • version.dll (Windows dll searched in the local folder)
  • winmm.dll (Windows dll searched in the local folder)
DLL hijacking is an issue which is quite common and it’s perfect to escalate privileges to SYSTEM, at this point a malware requires nothing else for its job.

TESTING

Testing this behaviour is very simple:
  • terminate Steam
  • create your own dll
  • copy your dll in the Steam folder with the name winmm.dll
  • start the service: sc start "Steam Client Service"
Example of custom winmm.dll executing cmd.exe as SYSTEM:


Abusing the service for privileged tasks

OUR GOAL

Even if it’s easy to execute the own code as SYSTEM with the previous design issue, this paper would like to focus on how it's possible to abuse a legitimate service without using security vulnerabilities and design issues. So let's take a look at what is possible to do with its features in a scenario in which DLL hijacking is not possible or should be avoided.

THE IPC INTERFACE

The IPC protocol is composed by some commands, the following are the functions of the main one:
  • IClientInstallUtils::SetUniverse
  • IClientInstallUtils::AddShortcut
  • IClientInstallUtils::RemoveShortcut
  • IClientInstallUtils::RemoveFromGameExplorer
  • IClientInstallUtils::AddRichSavedGames
  • IClientInstallUtils::RemoveRichSavedGames
  • IClientInstallUtils::AddToMediaCenter
  • IClientInstallUtils::RemoveFromMediaCenter
  • IClientInstallUtils::AddUninstallEntry
  • IClientInstallUtils::RemoveUninstallEntry
  • IClientInstallUtils::AddToFirewall
  • IClientInstallUtils::RemoveFromFirewall
  • IClientInstallUtils::RegisterSteamProtocolHandler
  • IClientInstallUtils::FixupSteamClientShortcuts
  • IClientInstallUtils::RunInstallScript
  • IClientInstallUtils::AddInstallScriptToWhiteList
  • IClientInstallUtils::GetInstallScriptExitCode
  • IClientModuleManager::LoadModule
  • IClientModuleManager::UnloadModule
  • IClientModuleManager::CallFunctionAsync
  • IClientModuleManager::CallFunction
  • IClientModuleManager::PollResponseAsync
  • IClientProcessMonitor::RegisterProcess
  • IClientProcessMonitor::UnregisterProcess
  • IClientProcessMonitor::TerminateProcess
  • IRegistryInterface::BGetValueUint
  • IRegistryInterface::BSetValueBin
  • IRegistryInterface::BDeleteValue
  • IRegistryInterface::BDeleteKey
  • IRegistryInterface::BKeyExists
  • IRegistryInterface::BSetValueStr
  • IRegistryInterface::BSetValueUint
  • IRegistryInterface::BGetSubKeys
  • IRegistryInterface::BGetValues
  • IRegistryInterface::BEnumerateKey
  • IRegistryInterface::BGetValueStr
  • IRegistryInterface::BGetValueBin
  • IRegistryInterface::BenumerateValue


THE EXPLOITABLE COMMANDS 

 

AddShortcut
It's used for placing a “link” file anywhere we desire, it’s commonly used by games for placing their links on the Desktop of all the users.
If there is an Administrator account in the system, it's possible to create a link to our malware in the Startup folder to automatically execute it with such privileges:
  • before Vista - c:\Documents and Settings\Administrator\Start Menu\Programs\Startup\evil.lnk
  • Vista/Win7/8 - c:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\evil.lnk
When we call the command RemoveShortcut the extension of the link file must be ".lnk" but with AddShortcut we have no restrictions and so we can also use it to overwrite any file on the system deleting the original content. 

AddToFirewall
Function used for adding a firewall rule to allow a specific program to receive incoming TCP connections and UDP packets, a solution for giving network access to a malware.

TerminateProcess
It terminates any desired process by specifying its PID.

It can be used for terminating the privileged processes of  various defensive solutions, for example before downloading the malicious code that may be identified by them or to avoid logging and so on.

If we kill the lsass.exe process we will force the system to reboot, useful if we make certain changes to the registry and the filesystem. 

BSetValue*
Functions that write data in the registry but are limited by a set of whitelisted registry locations, so the service can write only under the registry keys listed in the file registrykeys.vdf.

This file is located in the Steam folder and so it's writable but it contains a digital signature "kvsignatures" at its end, this signature is verified by the service.

Even if there is such limitation it's still possible to have room for executing the own code with higher privileges when it's performed the manual uninstalling of software and in some cases during their updating.

One of the whitelisted keys is “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall" so we are able to set WindowsInstaller to zero and the UninstallString value with the path of our malware, and we can perform this operation for all the available registry entries with the effect of executing the malware automatically when one of them is uninstalled. 

RunInstallScript
This command is used together with AddInstallScriptToWhiteList for automatically executing executables decided by the installscript.vdf  script files  of the games, for example to install the necessary  pre-requisites like DirectX, VC runtime and so on (the interesting aspect is that these IPC commands are used by Steam only when it runs in “Big Picture” mode, instead normally the Steam application launches the steamservice.exe executable (so doesn’t interact with the service) using the /installscript argument and the user must confirm the privileged operation). 

AddInstallScriptToWhiteList adds the executables listed in the script, usually called installscript.vdf, into the whitelist and RunInstallScript executes them only if the same locations are used also in the runasadmin.vdf script.

The installation scripts have a digital signature and currently doesn’t seem possible to execute scripts that don’t have this field, but an attacker can use an already signed legit script to execute his own code located in any folder he desires.
In fact if we specify an unexistent game ID, Steam will consider the current folder as “installation folder” of the game allowing us to launch batch and executables located in any local and remote webdav/shared folder we desire.

The executables will have the same privileges of the Steam Service, SYSTEM.

Possible steps for an attacker

For the design issue related to the unverified libraries in the Steam folder it's enough to put our malware in the Steam folder with a specific filename and we will have SYSTEM privileges immediately after we start the "Steam Client Service". 

If this issue will be fixed or limited in future and we must rely on the features of the service, we may think to the following steps (remember that they are performed ever with SYSTEM privileges):
  • execute programs
  • use TerminateProcess to kill some antivirus processes, please note that this is not enough for defensive solutions that work via drivers 
  • download the core of the malware
  • use AddToFirewall to add a firewall rule for the malware
  • check if there is an Administrator account and use AddShortcut to put a link to the malware in its StartUp folder to automatically execute it when he will login
  • use the BSetValue* functions to perform the Uninstall trick and being able to execute the malware when a software will be uninstalled by the user
Other features of the service may be abused, those are just the main ones.


The proof-of-concept

A proof-of-concept tool has been created to test the IPC interface, the following are the links for the source code and the binary:
It’s a simple command-line tool called Steam.exe (necessary) that allows to call the service functions listed above and passing them any argument you desire, for example:
  • Steam.exe AddToFirewall "c:\windows\notepad.exe" "malicious_firewall_rule"
  • Steam.exe TerminateProcess 12345678
The tool works also with a text file containing the list of commands to execute, in the provided package there is an example called example_commands.ini which contains some example commands to test but please don’t use it if you have no idea of what it does, example:
  • Steam.exe example_commands.ini
There is also an archive called example_execution.zip which contains all the necessary files to execute a custom executable with SYSTEM privileges using the RunInstallScript function. You need to create a temporary partition or ramdisk on Z:\ for the quick test or you have to edit both the text files example_commands.ini and RunAsAdmin.vdf replacing z:\ with the full path you would like to use. 

Then launch “Steam.exe example_commands.ini” and you should see calc.exe spawning through a batch script, so you can easily edit the “Microsoft .NET Framework 4.0.cmd” script to execute what you desire. 

Please note that the IPC mechanism used in the tool is not complete and so the Steam Client Service process will remained freezed and you MUST kill it manually. This tool must be considered only a proof-of-concept.


FAQ

Is this issue a security vulnerability?
There is a design issue consisting in the missing verification of the signatures of the shared libraries loaded by the Steam Service that allows dll hijacking.
Additionally the service can be abused to perform various operations and launching executables as SYSTEM without using security vulnerabilities.

Can the service be accessed from remote?
No.

What operating systems are affected?
The issue is not dependent by the system, anyway both Windows 7 and Windows 8 have been tested.
On the operating system before Vista, like Windows XP, the Steam Client Service was not strictly necessary but Steam needs to have Administrator privileges in that case.

What's the main scenario for this issue?
It’s a typical post-exploitation scenario, for example a malware/exploit running with the privileges of the current limited user can abuse the Steam Service for gaining SYSTEM privileges or performing some operations with such high privileges with the target of hiding itself and remaining persistent in the system.

What can be done by a malware after it gets SYSTEM privileges?
It's possible to have full access to the Windows registry and the disk allowing the malware to hide itself and disabling any security software just like the Administrator account.

Is this issue critical?
No, but the huge diffusion of Steam and the possibility of becoming SYSTEM without security vulnerabilities or complex exploits and executing certain operations through a trusted service is quite interesting for a malware.

Do I need to have Steam or the Steam Client Service running on my computer for being vulnerable?
No, it's enough that Steam has been installed, doesn't matter when and if it's used or not.

What about SteamMachine and the Linux/MacOSX/PlayStation3 versions of Steam?
Sorry, they have not been tested.

How can Steam rebuild the registrykeys.vdf file?
When Steam is launched it automatically verifies all the local files and restores them by taking the original copies from the lzma compressed ZIP files located in the Package folder, that's why registrykeys.vdf is restored (and not rebuilt) by Steam everytime it gets modified.
Steam doesn't contain any private key or certificate.

Why SteamService.exe is located in both Steam\bin and Common Files\Steam?
The service is located in “C:\Program Files (x86)\Common Files\Steam” which is not writable by the normal limited user and it’s the exact copy of the one located in the bin folder of Steam. When the service runs it checks if there is a different steamservice.exe file in the bin folder (which is writable by the user), then checks the digital signature of that file and then executes it with the /Update argument. The update is executed with the same privileges of the service (SYSTEM), that’s why the new executable will be copied in the “Common Files\Steam” folder without user interaction, first as SteamServiceTmp.exe and then overwriting the original SteamService.exe.
That’s how the update process of the service works.

Have you reported these issues to Valve?
No.


History

  • Mar 2013 initial research on this topic
  • 01 Jun 2014 returned on the research to confirm the issues
  • 10 Jul 2014 public release

Steam Voip Security [04 Jul 2014]

 

STEAM VOIP SECURITY

BY LUIGI AURIEMMA

Overview and details about the security issues found in the Steam voice framework.

ReVuln Ltd.
http://revuln.com
@revuln
info@revuln.com

Revision 3

Steam and Steamworks


STEAM

Steam is the gaming platform developed by Valve Software and used by millions of players around the world to buy and play games, for multiplayer matchmaking and for its gaming-related social network.

STEAMWORKS API

The most interesting feature of Steam is its framework called Steamworks. It contains the APIs used by most of the games available on this platform for integrating the following main features:
  • Stats & Achievements
  • User Authentication & Ownership
  • Multiplayer Matchmaking
  • Community
  • DLC and Content
  • Peer-to-peer networking
  • Cloud
  • Anti-Cheat
  • Voice chat
  • DRM

The main aspect of the framework, from a security perspective, is it’s role in increasing the attack surface of the games that use its API and making them remotely exploitable through its security vulnerabilities.

Additionally the framework and its operations are completely transparent to the final user (the player) who doesn’t know what level of interaction is allowed from the other players or what are the external inputs that can be used to access and communicate with the framework.

The target of this security auditing has been just the Voice chat feature that allows the players to communicate via the voip system integrated in Steam and used on many games.

This research has been commissioned just by the developers of one of the games that use this Steamworks feature, Epic Games for the Unreal Engine 4

VULNERABLE VERSIONS

This security auditing has been performed black-box (no Steam source code available) against the current versions of Steam and Steamworks available at the moment of the work:
Steam package versions: 1401381906
Steamclient.dll: 2.25.32.45

NON-VULNERABLE VERSONS

Steam package versions: 1404163764
Steamclient.dll: 2.30.30.94
Fixes available in Steam from 03 Jul 2014.

SECURITY MEASURES USED IN THE AFFECTED CODE

Quick considerations about the vulnerable Steamclient.dll:
  • It supports DEP
  • It doesn’t support ASLR, which instead is supported by steamclient64.dll but is not used by Steam
  • It’s digitally signed
  • The functions affected by stack-related vulnerabilities do not use stack cookies

The voice chat

The VOIP framework available in Steamworks can be used in two ways:
  • As a voice chat with the Steam friends through the Steam chat interface
  • In-game with the games that support it
Using the voice chat in Steam requires that the other endpoint is one of our friends and he accepts the voice chat.


 
This sort of “restriction” doesn’t involve the games where, instead, any player can speak to the other people inside the same lobby or server, often the members of the same team for those games in which there are two or more teams.

Additionally there is no need to configure settings, when a player joins a lobby both his voice and the one of the other players are already active.

The following is an example of users speaking while playing the game Grid 2.


The own voice can be captured via push-to-talk or automatically while talking, it depends by the default settings of the game and in both the cases it’s necessary to have a certain level of input volume to activate the capturing, just like a squelch.

Receiving voice data is enabled by default on all the games and must be manually disabled or limited by the user if allowed by the game, for example in Grid 2 the game gives automatically “voice to all” everytime we join and change a lobby.

That means any user playing on the same server, lobby or team of the attacker will be targeted by any malicious voip data broadcasted by the attacker through the server or peer-to-peer.


Technical overview of the voice chat


STEAMCLIENT.DLL AND THE API

Technically the in-game voice chat works in the following way:
  • All the code necessary to handle the data is located in steamclient.dll and steamclient64.dll
  • This DLL is located in the Steam folder and a copy, got from the Steamworks framework used by the game, is located in the game folder
  • The game loads the DLL of the Steam folder
  • In this case the DLL works as a wrapper interfaced via IPC (events, shared memory and named pipes)  to the running Steam.exe process
  • So when the game calls an API, all the operation is executed inside the Steam.exe process through the steamclient.dll loaded in it (both Steam and the game use this DLL)
  • A security vulnerability in the API compromises Steam and causes the freezing of the game which is waiting a reply from the IPC interface
  • Steam offers some APIs to use its network code but it’s up to the game to use it or their own protocol to transmit and receive the audio data
The IsteamUser APIs that handle the voice data are very easy to use:
  • GetVoice for capturing and compressing the voice data from the microphone
  • DecompressVoice for decoding the received audio data in 16-bit, signed integer PCM format
What a game does is using its own protocol for sending and receiving the audio data without touching or modifying the content of the data generated by GetVoice or received from the network. The role of a server is just broadcasting the received data “as is” to the other clients. 

The clients call DecompressVoice on the received data to decode it.

There are no limitations about the size of the voip data, so it’s possible to use DecompressVoice with chunks of any size and it’s all up to the game. For example Unreal Engine 4 uses a buffer of 8192 bytes while Portal 2 and Counter Strike Global Offensive use 18432, Team Fortress 2 and Half-Life 2 use 2048 and all the others like SteamworksExample project and Grid 2 use 1024.

So, just to recap, if an attacker sends malformed voip data to the chat of a game, it’s Steam that will be exploited.

Please note that the Steam chat doesn’t use GetVoice API to capture the audio, but it uses DecompressVoice for decoding the incoming data and so it’s vulnerable to the vulnerabilities described in this paper.

DECOMPRESSVOICE

The DecompressVoice API is our target because the data sent by the other players is received and passed to this function “as is”. 

The following are the prototype and the comments from Steamworks:
// Decompresses a chunk of compressed data produced by GetVoice().
// nBytesWritten is set to the number of bytes written to pDestBuffer unless the return value is k_EvoiceResultBufferTooSmall.
// In that case, nBytesWritten is set to the size of the buffer required to decompress thegiven
// data. The suggested buffer size for the destination buffer is 22 kilobytes.
// The output format of the data is 16-bit signed at the requested samples per second.
// If you’re upgrading from an older Steamworks API, you’ll want to pass in 11025 to nDesiredSampleRate


virtual EvoiceResult DecompressVoice(
  const void *pCompressed,    < INPUT DATA
  uint32 cbCompressed,        < SIZE OF INPUT DATA
  void *pDestBuffer,          > OUTPUT BUFFER
  uint32 cbDestBufferSize,    > MAXIMUM SIZE OF OUTPUT BUFFER
  uint32 *nBytesWritten,      > DECODED BYTES WRITTEN
  uint32 nDesiredSampleRate   | STEAMWORKS LIMITS IT TO MAX 49000
) = 0;
Our input data is not just raw compressed audio data, it contains a header and opcodes with various fields.
The main header is composed by a 32bit field followed by three flags packed as bitfields:
typedef struct {
  uint32 id;
  uint32 flag1:20;
  uint32 flag2:4;
  uint32 flag3:8;

This header is followed by a sequence of opcodes called nPayloadType:


At the end of the data is located the 32bit CRC, a classical checksum calculated on the whole data before it. 

NPAYLOADTYPE 0

Arguments: uint16 samples

Used as a way to create silence by transmitting only the 16bit number containing the desired amount of samples to fill.

It uses the same function of nPayloadType 1, 3 and 4 by passing it an allocated buffer filled with zeroes used as input data and choosing the codec 3 (raw PCM).

The temporary buffer used by this function to contain the decompressed chunk is located on the stack and
has a size of 16428 bytes.

NPAYLOADTYPE 1, 3 AND 4

Arguments: uint16 samples followed by data

Type 1 is a codec no longer available, probably Miles.
Type 3 is the uncompressed 16bit PCM data, copied “as is” to the destination buffer.  
Type 4 is the Silk codec, the function performs its initialization using the default samplerate (11025) or the one specified by nPayloadType 11.

The Silk codec has been introduced in Steam since 2011 replacing Miles. Steam uses the SILK SDK provided by Skype.

These opcodes check the number of samples specified in the packet to avoid that what is specified is more than the data available in the chunk.

NPAYLOADTYPE 2

Arguments: none

End of voip data.

NPAYLOADTYPE 10

Arguments: uint8 bytes[2]

Unused.

NPAYLOADTYPE 11

Arguments: uint16 samplerate

Used for specifying the sample rate (the frequency in hertz) of the input data.


Security issues

STACK CONTROLLED CORRUPTION

By using nPayloadType 0 we can decide the 16bit size of an input buffer containing zeroes that will be copied directly in a stack buffer of 16428 bytes:

.text:00102291                 push    0
.text:00102293                 push    esi
.text:00102294                 push    0
.text:00102296                 lea     ecx, [ebp+var_14]
.text:00102299                 call    calloc_like
.text:0010229E                 lea     eax, [esi+esi]
.text:001022A1                 push    eax             ; size_t
.text:001022A2                 push    0               ; int
.text:001022A4                 push    [ebp+var_10]    ; void *
.text:001022A7                 call    _memset
...
; int __stdcall sub_101F30(void *, size_t, int, int)
.text:00101F30                 push    ebp
.text:00101F31                 mov     ebp, esp
.text:00101F33                 mov     eax, 402Ch      ; 16428
.text:00101F38                 call    __alloca_probe
...
.text:00101F8E                 mov     eax, [ebp+arg_8]
.text:00101F91                 push    edi
.text:00101F92                 mov     edi, ebx
.text:00101F94                 shr     edi, 1
.text:00101F96                 cmp     eax, 3
.text:00101F99                 jnz     short loc_101FEA
.text:00101F9B                 push    ebx             ; size_t
.text:00101F9C                 push    [ebp+arg_0]     ; void *
.text:00101F9F                 lea     eax, [ebp+var_402C]
.text:00101FA5                 push    eax             ; void *
.text:00101FA6                 call    _memmove_0


The problem is caused by the function that handles the data of the codec because it doesn’t check if the input data is bigger than the available stack buffer, resulting in a stack-based buffer-overflow.

The possibility of specifying the exact number of zeroes to write on the stack and the lack of stack cookies, allow an attacker to modify the lower part of the saved addresses, for example by using “(16428 – 0x4) / 2” as number of samples.

Anyway code execution doesn’t seem possible on the Windows version we tested.


STACK-BASED BUFFER-OVERFLOW (GAME DEPENDENT)

There is also a  way to exploit the previous vulnerability using controlled content.

The only check performed by nPayloadType 1, 3 and 4 is related to the amount of samples and the size of the input data, but there are no checks performed by the function seen before.
So if a game can receive an audio chunk of more than 16428 bytes, it’s possible to exploit the relative stack-based buffer-overflow using the provided data. The Steamworks documentation recommends to use a buffer of 8 kilobytes or larger for the compressed audio collected with GetVoice.

Portal 2 and Counter Strike Global Offensive are some of the games tested by us that support packets bigger than that stack buffer size, exactly 18432 bytes. Other games may be vulnerable too.


SAMPLERATE ENDLESS LOOP

With nPayloadType 11 we can set the desired sample rate of our audio data and it can be any number between 0 and 65535. If we set the sample rate to zero we are able to cause an endless loop in the following cycle:
.text:001024F0 ; int __stdcall sub_1024F0(int, int, double)
...
.text:00102523 loc_102523:                             ; CODE XREF: sub_1024F0+A8
.text:00102523                 fld     st
.text:00102525                 call    __ftol2_sse
.text:0010252A                 mov     esi, eax
.text:0010252C                 sub     esp, 8
.text:0010252F                 movsx   ecx, word ptr [ebx+esi*2]
.text:00102533                 mov     [ebp+arg_4], ecx
.text:00102536                 fild    [ebp+arg_4]
.text:00102539                 fstp    [ebp+var_18]
.text:0010253C                 fstp    [esp+34h+var_34] ; double
.text:0010253F                 call    _floor
.text:00102544                 fsubr   [ebp+var_8]
.text:00102547                 movsx   eax, word ptr [ebx+esi*2+2]
.text:0010254C                 add     esp, 8
.text:0010254F                 mov     [ebp+arg_4], eax
.text:00102552                 fild    [ebp+arg_4]
.text:00102555                 fstp    [ebp+var_10]
.text:00102558                 fld     [ebp+var_10]
.text:0010255B                 fld     [ebp+var_18]
.text:0010255E                 fsub    st(1), st
.text:00102560                 fxch    st(2)
.text:00102562                 fmulp   st(1), st
.text:00102564                 faddp   st(1), st
.text:00102566                 call    __ftol2_sse
.text:0010256B                 movzx   eax, ax
.text:0010256E                 lea     ecx, [edi+30h]
.text:00102571                 mov     [ebp+arg_0], eax
.text:00102574                 lea     eax, [ebp+arg_0]
.text:00102577                 push    2               ; int
.text:00102579                 push    eax             ; void *
.text:0010257A                 call    sub_399FD0
.text:0010257F                 fld     [ebp+var_8]
.text:00102582                 fadd    [ebp+arg_8]
.text:00102585                 add     dword ptr [edi+7D5Ch], 2
.text:0010258C                 fst     [ebp+var_8]
.text:0010258F                 fld     [ebp+var_20]
.text:00102592                 fxch    st(1)
.text:00102594                 fcomi   st, st(1)
.text:00102596                 fstp    st(1)
.text:00102598                 jb      short loc_102523


The Steam process remains freezed with the assigned core of the CPU at 100% and must be killed from the Task Manager:


MEMORY CONSUMPTION

The first 32bit field of the voip header is used as an ID, and the Steam process allocates new resources everytime a new ID is parsed.

These resources remain allocated for all the time Steam is running and an attacker can saturate all the memory of the Steam process that is limited to less than 2 Gigabytes since it’s a 32bit program.

When there is no longer memory available for the process, Steam terminates with the following error message:



Security Impact

Considering the types of security issues found during this auditing, we think that no previous security assessment has been performed on such code.

The minimum risk derived from these issues is a Denial of Service affecting not only the Steam process but also the target game and any other game using the Steamworks API because all the Steamworks operation are handled by the Steam process.

Particularly interesting is the endless loop.
Code execution may be possible.

The most critical part of these issues is that it’s not needed to develop a proof-of-concept or an exploit specific for the target game.

In fact we created a very simple proof-of-concept consisting of a DLL that is injected in the running Steam.exe process and replaces the original GetVoice function (the one called via IPC) with ours that fills the buffer with the desired malformed data.

The result is that any game supporting the Steam voip can automatically exploit any remote player reachable by the malformed voip data.

The proof-of-concept for steamclient.dll 2.25.32.45 is available as source code and pre-compiled dll:
Read the header of steamute.c for information and details on how to use it.



FAQ

How much critical are these issues?
Denial of Service and possible code execution from remote without user interaction.
The issues affect the Steam process and, as side effect, cause a Denial of Service in the game.
A vulnerability exploitable inside the Steam process is much worst than one affecting the game due to the single target (Steam.exe) for tuning the own code and the amount of personal information and interaction possible through this platform in case of possible code execution.

Do I need to authorize a player to be vulnerable?
No, all the games automatically allow other players to send voice data, in some games the attacker must be in the same team of the victim.
Blacklisting or whitelisting a player is optional and may not be implemented in some games.

Do I need to have Steam running to be vulnerable?
Steam is launched automatically by the supported games.

Is it easy for an attacker to exploit these issue?
Our proof-of-concept consists of some lines of code injected in the Steam process and being able to test automatically any game that uses DecompressVoice.
So, yes, it’s very easy.
Additionally doesn’t matter if the game is compiled as 64bit because Steam is 32bit and so uses only steamclient.dll, not steamclient64.dll.

Why Steam crashes when I exploit these vulnerabilities?
That’s caused by how Steam and Steamworks operate: the APIs of Steamworks communicate with the Steam process via IPC so if you exploit these vulnerabilities when you are playing a game like Grid 2 the effect will be the crash of Steam.exe and the game no longer responding.

Is the game *** vulnerable?
All the games that rely on Steamworks for handling the voice data are vulnerable, and obviously also Steam itself through its integrated voice chat.
Currently we don’t have an exaustive list of games using such feature but some of the most played games we tested that use the DecompressVoice API are the following:
  • Half-Life 2 (basically any Valve game, with the only exception of DOTA 2)
  • Portal 2
  • Counter Strike: Global Offensive / Counter Strike / Counter Strike: Source / Garry’s Mod
  • Left for Dead 2
  • Team Fortress 2
  • Borderlands 2
  • Grid 2
  • Dirt 3 Showdown
  • the recent games of the Worms series
  • Unreal Engine 4

Is DOTA 2 vulnerable?
No, DOTA 2 doesn’t use the DecompressVoice API of Steamworks. 

I’m a game developer who uses Steamworks and my software uses many secure memory protections.
The role of the game is just passing the malformed audio data received from the network to the Steam.exe process via IPC so any memory protection inside the game is completely useless.

My game uses version *** of Steamworks, am I vulnerable?
The version of Steamworks used by the game doesn’t matter, the vulnerability is exploited in the steamclient.dll library loaded by the Steam.exe process.
Please check the “Vulnerable versions” section of this paper to know what’s the latest known version of steamclient.dll that is affected by these issues. The current version of Steam is fixed.


Changelog

  • 20 Jun 2014 vulnerabilities reported to Epic Games and then Valve
  • 25 Jun 2014 vulnerabilities fully fixed in Steam beta client
  • 03 Jul 2014 fixes implemented in the stable Steam client
  • 04 Jul 2014 public release of this document

Owning Render Farms via NVIDIA mental ray [10 Dec 2013]

 

OWNING RENDER FARMS

VIA NVIDIA MENTAL RAY

Luigi Auriemma and Donato Ferrante
ReVuln
http://revuln.com
info@revuln.com
http://twitter.com/revuln
10 December 2013

Abstract This paper details a vulnerability affecting NVIDIA mental ray, which allows an attacker to take control over a mental ray based render farm.



1 INTRODUCTION

NVIDIA mental ray "is a feature rich, high performance 3D rendering software that creates images of outstanding quality and unsurpassed realism based on advanced ray tracing techniques. It enables artists to create any imaginable visual effect by combining advanced global illumination with full programmability. Used by industry professionals for over 25 years, mental ray has become a standard for photorealistic rendering across the film, visual effects, and design industries."

Figure 1: NVIDIA mental ray applications

NVIDIA mental ray is used in several contexts, including but not limited to:
  • Visual Effects
  • Feature Animation
  • Game Creation
  • Architectural Design
  • Product Prototyping and Design
  • CAD visualization
NVIDIA mental ray has been used in the moviemaker industry for several titles, including:
  • Hulk
  • The Matrix Reloaded
  • The Matrix Revolutions
  • Star Wars Episode II: Attack of the Clones
  • The Day After Tomorrow
  • Poseidon

 

 

 

 2 WHAT IS A RENDER FARM?

A render farm is a group of networked computers (slaves) devoted to rendering images, used typically in the production of computer-animated films.
Figure 2: An example of render farm

To get a better idea on how powerful render farms are, a nice description can be found on Tom’s Hardware: "render farms [..]are banks of machines with the express purpose of rendering finished frames. In addition to the systems that animators use, render farms simultaneously use many dedicated processors for rendering. For instance, Industrial Light and Magic had a render farm with 5,700 processor cores (and 2,000 cores in their artists’ machines) when Transformers 2 was produced. Even a small facility with only a dozen animators is likely to have more than a hundred processor cores at their disposal".


3 NVIDIA MENTAL RAY

From the official page: "NVIDIA mental ray is embedded into several content creation applications widely used in the media entertainment and design industries.
It is also available as a standalone product for rendering on a render farm, and as a library for integration into custom applications"
. NVIDIA mental ray supports several platforms including: Windows, Linux and MacOS. Some of the applications using mental ray, include:
  • AutoDesk 3ds Max
  • AutoDesk Maya
The NVIDIA mental ray component is a system service, which runs on Windows based systems with SYSTEM privileges:


Figure 3: NVIDIA mental ray service privileges

The service waits for incoming connections on the TCP port: 7520 (this port might be different for older versions of the software):

Figure 4: NVIDIA mental ray service port


4 VULNERABILITY

There is a vulnerability affecting NVIDIA mental ray (raysat) version 3.11.1.10, which allows a malicious user to load arbitrary DLLs on a victim system, thus an attacker can take control over a whole render farm by simply injecting a malicious remote library. To trigger the remote vulnerability an attacker needs to send a malicious packet to the affected host (slave).

Figure 5: The malicious packet

As a side note, we noticed that the service spawns a new process for each new connection, which means that an attacker has potentially infinite chances to achieve a successful exploitation.


5 POST-EXPLOITATION

An interesting aspect of this technology is that it’s used on render farms. A render farm is composed of a computer cluster using very powerful hardware, which usually includes powerful GPUs such as the ones based on the TESLA family.

One of the possible scenarios to exploit this computational power is to reuse such farms to perform password cracking. If you are not familiar with password cracking, this strategy "is the process of recovering passwords from data that have been stored in or transmitted by a computer system. A common approach (brute-force attack) is to repeatedly try guesses for the password".

Figure 6: Owning a render farm

Since password cracking can be optimized on GPUs (link)(link)(link), what about using a render farm to play with Rainbow tables or mining some Bitcoin ?


6 A POSSIBLE ATTACK SCENARIO

The following image shows one of the possible attack scenarios, in which an attacker initially gets access to one of the systems available into the victim network, and then the attacker exploits the vulnerability affecting NVIDIA mental ray to get control over the render farm.

Figure 7: Possible attack scenario


7 FAQ

Q1. Did you report the issue to the Vendor?
- No.

Q2. Are the previous versions of the software affected by the same issue?
- Yes.

Q3. Are the 32-bit and 64-bit version of the software both affected by the same issue?
- Yes.

Q4. Is there any other scenario in which an attacker can use the issue?
- Yes, for example in a privilege escalation scenario.

Q5. Is this the only issue affecting this software?
- No, there are other issues, including a stack-based buffer overflow triggered via sscanf, in detail: sscanf(input, "%05d %05d %05d %05d %05d %05d %05d %s", ...). This issue is unlikely to be exploitable as there is not only DEP and ASLR, but also a limitation on the packet size.


8 REVISION HISTORY

  • 10 December 2013: Version 1.0 released.

Game Engines: A 0-Day's Tale [20 May 2013]

 

GAME ENGINES:

A 0-DAY’STALE

ReVuln
17 May 2013

Abstract This paper details several issues affecting different game engines. All the vulnerabilities discussed in this paper are 0-days, at time of writing. This paper has been released as a companion paper along with the authors’ talk Exploiting Game Engines For Fun And Profit presented at the NoSuchCon conference.


1 BREACH

From Wikipedia: "Breach is a team-based first-person shooter multiplayer video game developed by Atomic Games. It was announced on March 26, 2010 at PAX East 2010 for Windows PCs and the Xbox 360. Breach was distributed online for the Xbox 360 by Xbox Live Arcade, and on Windows by Steam. It features dynamic destructible environments and a cover system". Breach is based on the game engine: Hydrogen Engine.


Figure 1: Breach

1.1 OVERVIEW

There are four different issues affecting the Hydrogen Engine, two of them are related to Index Numbers. Please refer to our presentation slides for additional information about this strategy to optimize data-representation.

1.2 INDEX NUMBERS OFF-BY-TWO

The engine uses index numbers for storing numbers inside the packets. This solution is adopted to save space since only a part of the 64-bit number is transmitted. The functions (BreachServer+0x6992b0, BreachServer+0x698f90) that read the index numbers are affected by an off-by-two stack based overflow caused by the support of 80-bit numbers against a 64-bit buffer.
00 A992B0 SUB ESP ,0 C
00 A992B3 MOV ECX , DWORD PTR SS :[ ESP +14]
[ ... ]
00 A9936F CMP ESI ,50
00 A99372 JB BreachServer.00A992D1

1.3 32-BIT VARIABLES USED AS INDEX NUMBERS

Some of the functions that call the previous functions for reading the index numbers pass 32-bit variables located on the stack and it’s possible to overflow them by writing 64-bit values.
00 A992B0 SUB ESP ,0 C
00 A992B3 MOV ECX , DWORD PTR SS :[ ESP +14]
00 A992B7 PUSH EBX
00 A992B8 PUSH EBP
00 A992B9 PUSH ESI
00 A992BA XOR ESI , ESI
00 A992BC XOR EBP , EBP
00 A992BE PUSH EDI
00 A992BF OR EAX , FFFFFFFF
00 A992C2 MOV DWORD PTR SS :[ ESP +14], ESI
00 A992C6 MOV DWORD PTR SS :[ ESP +18], ESI
00 A992CA MOV DWORD PTR DS :[ ECX ] , ESI
00 A992CC MOV DWORD PTR DS :[ ECX +4], ESI
00 A992CF MOV BL ,1
00 A992D1 TEST EAX , EAX
00 A992D3 JE BreachServer.00A99378
00 A992D9 MOV ECX , DWORD PTR SS :[ ESP +20]
00 A992DD MOV EAX , DWORD PTR DS :[ ECX ] ; ctrl ’d via overflow
00 A992DF MOV EAX , DWORD PTR DS :[ EAX +54]
00 A992E2 PUSH 5
00 A992E4 LEA EDX , DWORD PTR SS :[ ESP +17]
00 A992E8 PUSH EDX
00 A992E9 CALL EAX ; read 5 bits (code execution )
[ .. ] ; copy them in EDI
00 A99363 INC ESI
00 A99364 ROL AL ,1
00 A99366 MOV BL , AL
00 A99368 MOVZX EAX , CL
00 A9936B INC EBP
00 A9936C AND EAX ,10 ; i f 5 bits & 0x10 continue
00 A9936F CMP ESI ,50
00 A99372 JB BreachServer.00A992D1

1.4 REALLOCATION INTEGER OVERFLOW

The following function is used to reallocate buffers and read packet contents. The function optimizes the reading of small blocks of data by using a stack buffer of 64 bytes and it’s possible to overflow it by specifying the size 0x7fffffff to which 1 is added to bypass a signed comparison:
004 D6D32 MOV EAX , DWORD PTR SS :[ ESP +10] ; our 32−bit size
004 D6D36 TEST EAX , EAX
004 D6D38 JGE SHORT BreachServer.004D6D55
004 D6D3A MOV DWORD PTR SS :[ ESP +90],−1
004 D6D45 LEA ECX , DWORD PTR SS :[ ESP +14]
004 D6D49 CALL BreachServer.00A98E20
004 D6D4E XOR EAX , EAX
004 D6D50 JMP BreachServer.004D6E01
004 D6D55 INC EAX ; +1
004 D6D56 PUSH EAX
004 D6D57 LEA ECX , DWORD PTR SS :[ ESP +18]
004 D6D5B CALL BreachServer.00A98CA0 ; realloc function
[ ... ]
00 A98CA0 PUSH ESI
00 A98CA1 PUSH EDI
00 A98CA2 MOV EDI , DWORD PTR SS :[ ESP + C ]
00 A98CA6 CMP EDI ,40
00 A98CA9 MOV ESI , ECX
00 A98CAB JG SHORT BreachServer.00A98CC3 ; signed comparison

1.5 DOUBLE FREE

There is a double-free vulnerability affecting the following code:
004 D65D4 PUSH 8
004 D65D6 LEA EAX , DWORD PTR SS :[ ESP +20]
004 D65DA PUSH EAX
004 D65DB MOV ECX , ESI
004 D65DD CALL EDX ; read 8−bit size
[ ... ]
004 D65F6 JL SHORT BreachServer.004D6631 ; read data i f > 0
[ ... ]
004 D65FD CALL BreachServer.00A38470 ; allocation
[ ... ]
004 D6620 CALL EDX ; read
[ ... ]
004 D6635 CALL BreachServer.00A41530 ; strdup
[ ... ]
004 D6631 PUSH EDI
004 D6632 LEA ECX , DWORD PTR DS :[ EBX +44]
004 D6635 CALL BreachServer.00A41530
004 D663A TEST EDI , EDI
004 D663C JE SHORT BreachServer.004D6647
004 D663E PUSH EDI
004 D663F CALL BreachServer.00A384B0 ; free
004 D6644 ADD ESP ,4
004 D6647 MOV EDX , DWORD PTR DS :[ ESI ]
004 D6649 MOV EDX , DWORD PTR DS :[ EDX +54]
004 D664C PUSH 8
004 D664E LEA EAX , DWORD PTR SS :[ ESP +24]
004 D6652 PUSH EAX
004 D6653 MOV ECX , ESI
004 D6655 CALL EDX ; read 8−bit size
[ ... ]
004 D6662 JL SHORT BreachServer.004D66B2 ; read data i f > 0
[ ... ]
004 D66B2 PUSH EDI ; EDI has the old value
004 D66B3 LEA ECX , DWORD PTR DS :[ EBX +48]
004 D66B6 CALL BreachServer.00A41530
004 D66BB TEST EDI , EDI
004 D66BD JE SHORT BreachServer.004D66C8
004 D66BF PUSH EDI
004 D66C0 CALL BreachServer.00A384B0 ; double−free

2 UNREAL ENGINE 3

From Wikipedia: "The third and current generation of the Unreal Engine (UE3) is designed for DirectX (versions 9-11 for Windows and Xbox 360), as well as systems using OpenGL, including the PlayStation 3, OS X, iOS, Android, Stage 3D for Adobe Flash Player 11, JavaScript/WebGL, PlayStation Vita and Wii U. Its renderer supports many advanced techniques including HDRR, per-pixel lighting, and dynamic shadows. It also builds on the tools available in previous versions. In October 2011, the engine was ported to support Adobe Flash Player 11 through the Stage 3D hardware-accelerated APIs. Epic has used this version of the engine for their in-house games. Aggressive licensing of this iteration has garnered a great deal of support from many prominent licensees. Epic has announced that Unreal Engine 3 runs on both Windows 8 and Windows RT. In addition to the game industry, UE3 has also seen adoption by many non-gaming projects".


Figure 2: A game based on Unreal Engine 3

The following sections detail vulnerabilities affecting games based on the Unreal Engine 3.


3 MONDAY NIGHT COMBAT

From Wikipedia: "Monday Night Combat is a downloadable third-person shooter video game developed by Uber Entertainment. It was published by Microsoft Studios on the Xbox 360 and by Uber Entertainment and Valve Software for Microsoft Windows. It was released on August 11, 2010 on the Xbox 360 as part of Microsoft’s 2010 Xbox Live Summer of Arcade and is distributed through Xbox Live Arcade It was released on January 24, 2011 for Windows via Steam. [...]As of year-end 2011, Monday Night Combat has sold over 307,000 copies on Xbox Live Arcade".


Figure 3: Monday Night Combat

3.1 OVERVIEW

Monday Night Combat is based on Unreal Engine 3, and like other games supporting the Steam platform, this game supports some custom Steam related commands via Unreal Engine Control channel.

3.2 ARRAY OVERFLOW

There is an array overflow, which allows attackers to corrupt the heap and allow remote code execution. This problem relies on the way the engine implements some Steam commands.
00 A8B9DA MOVZX EAX , BYTE PTR SS :[ ESP +5 F ] ; SUBBLOB 8bit
00 A8B9DF MOV EDX , DWORD PTR DS :[ ESI +4 FD8 ]
00 A8B9E5 LEA EAX , DWORD PTR DS :[ EAX + EAX ∗2]
00 A8B9E8 ADD EAX , EAX
00 A8B9EA ADD EAX , EAX
00 A8B9EC MOV ECX , DWORD PTR DS :[ EDX + EAX +4] ; ar[SUBBLOB][12]
00 A8B9F0 CMP ECX , EBP ; ECX must be 0 or 1
00 A8B9F2 JE SHORT MNCDS.00A8B9FD
00 A8B9F4 DEC ECX
00 A8B9F5 CMP ECX , EBP
00 A8B9F7 JNZ MNCDS.00A8B8FF
00 A8B9FD LEA ECX , DWORD PTR SS :[ ESP +28]
00 A8BA01 PUSH ECX
00 A8BA02 LEA ECX , DWORD PTR DS :[ EDX + EAX ] ; heap corruption
; w. AUTHBLOBSTRING
00 A8BA05 CALL MNCDS.00477FD0
00 A8BA0A LEA ECX , DWORD PTR SS :[ ESP +28]
00 A8BA0E MOV DWORD PTR SS :[ ESP +8 C0 ],−1
00 A8BA19 CALL MNCDS.006C7D70
00 A8BA1E JMP MNCDS.00A8C861


4 HOMEFRONT

From Wikipedia: "Homefront is a first-person shooter video game developed by Kaos Studios and published by THQ. Players are members of a resistance movement fighting against a near-future North Korean military occupation of the United States. It was released for Microsoft Windows, PlayStation 3 and Xbox 360 on March 15, 2011 in North America, March 17, 2011 in Australia, March 18, 2011 in Europe, and April 14, 2011 in Japan".


Figure 4: Homefront

4.1 OVERVIEW

Homefront is based on a customized version of the Unreal Engine 3, with RCON support.

4.2 INVALID READ ACCESS

The RCON command CT followed by 0x7fffffff triggers an invalid read access, while attempting to read the address 0x7fffffff.

4.3 NULL POINTER

The RCON command CD triggers a NULL pointer:
00 AFBD83 MOV EAX , DWORD PTR DS :[ ECX ]
00 AFBD85 MOV EDX , DWORD PTR DS :[ EAX +1 C ]
00 AFBD88 CALL EDX

4.4 16-BIT ADJACENT MEMORY OVERWRITE

The RCON command CT followed by a negative number, allows the setting of 16-bit adjacent memory to 0.
00 AFBECA MOV EDI , DWORD PTR SS :[ ESP +28] ; our size
00 AFBECE CMP EDI ,0 FF ; signed comparison
00 AFBED4 JLE SHORT HFDedica.00AFBEDB
00 AFBED6 MOV EDI ,0 FF
00 AFBEDB MOV EDX , DWORD PTR SS :[ ESP +24]
00 AFBEDF LEA ECX , DWORD PTR DS :[ EDI +1]
00 AFBEE2 PUSH ECX
00 AFBEE3 SHL EAX ,9
00 AFBEE6 PUSH EDX
00 AFBEE7 LEA EAX , DWORD PTR DS :[ EAX + ESI +28]
00 AFBEEB PUSH EAX
00 AFBEEC CALL HFDedica.0045F7F0 ; wcsncpy_s
00 AFBEF1 MOV ECX , DWORD PTR DS :[ ESI +10228]
00 AFBEF7 SHL ECX ,8
00 AFBEFA XOR EAX , EAX
00 AFBEFC ADD ECX , EDI
00 AFBEFE XOR EDX , EDX
00 AFBF00 ADD ESP ,0 C
00 AFBF03 CMP DWORD PTR SS :[ ESP +2 C ] , EAX ; dst [ size ∗2] = 0
00 AFBF07 MOV WORD PTR DS :[ ESI + ECX ∗2+28], DX

4.5 STACK-BASED OVERFLOW

The RCON command CT followed by a negative number, can be used to trigger a stack-based overflow:
00 B03490 MOV EAX , DWORD PTR DS :[ EAX +100]
00 B03496 LEA EDX , DWORD PTR DS :[ ESI +1]
00 B03499 PUSH EDX ; our size + 1
00 B0349A PUSH EAX ; our string
00 B0349B LEA EAX , DWORD PTR SS :[ ESP +140]
00 B034A2 PUSH EAX ; stack buffer
00 B034A3 MOV DWORD PTR SS :[ ESP +950],2
00 B034AE CALL HFDedica.0045F7F0 ; wcsncpy_s


5 THE HAUNTED: HELLS REACH

From the Steam store: "The Haunted is a fast paced third person action horror game that focuses on delivering an intense multiplayer experience. Your goal is to liberate cursed places and survive the assault from the minions of Hell. The game features several multiplayer modes such as co-op survival, demons vs. humans and demonizer".


Figure 5: The Haunted: Hells Reach

5.1 OVERVIEW

The Haunted doesn’t use the standard Unreal Engine 3 protocol. In this protocol there are some opcodes that allow attackers to perform a denial of service attack against the victim’s systems.

5.2 OUTOFMEMORY VIA CUSTOM OPCODES

There are three opcodes, with the following formats:
  • 0x16 [32-bit size]
  • 0x1b [32-bit size]
  • 0x1c [32-bit size]
These opcodes can be used to invoke the VirtualAlloc function with arbitrary 32-bit values. Since VirtualAlloc returns NULL when trying to allocate a 0-byte buffer, it’s not possible to use this vulnerability to as an integer overflow. However it’s possible to shutdown the server immediately by requesting allocations from 0xfffff001 to 0xffffffff bytes by triggering an Out Of Memory condition.



6 SANCTUM

From Wikipedia: "Sanctum is a first-person shooter tower defense video game, developed by independent developer Coffee Stain Studios. It has been available for pre-purchase via Steam for Microsoft Windows since March 24, 2011. The successor, Sanctum 2 was announced in 2012 and is set for release summer 2013".


Figure 6: Sanctum

6.1 OVERVIEW

Sanctum doesn’t use the standard Unreal Engine 3 protocol. In this protocol there are some opcodes that allow attackers to perform attacks against the victim’s systems.
  • 0x13 [32-bit size]
  • 0x18 [32-bit size]
  • 0x19 [32-bit size]

6.2 OUTOFMEMORY VIA CUSTOM OPCODES

If VirtualAlloc fails, then the following code is reached:
01693367 53 PUSH EBX
01693368 68 5818 F101 PUSH OFFSET 01 F11858 ; " Core "
0169336 D 8 D4424 18 LEA EAX ,[ ESP +18]
01693371 68 DCD72902 PUSH OFFSET 0229 D7DC ; "OutOfMemory"
01693376 50 PUSH EAX
01693377 895 C24 1 C MOV DWORD PTR SS :[ ESP +1 C ] , EBX
0169337 B E8 1017 E1FE CALL 004 A4A90

6.3 MEMSET-ZERO VIA CUSTOM OPCODES

00448300 8 B5424 08 MOV EDX , DWORD PTR SS :[ ESP +8]
00448304 8 B01 MOV EAX , DWORD PTR DS :[ ECX ]
00448306 8 B40 08 MOV EAX , DWORD PTR DS :[ EAX +8]
00448309 03 D2 ADD EDX , EDX ; value ∗ 8
0044830 B 03 D2 ADD EDX , EDX
0044830 D 03 D2 ADD EDX , EDX
0044830 F 895424 08 MOV DWORD PTR SS :[ ESP +8], EDX
00448313 FFE0 JMP EAX
...
00457000 53 PUSH EBX ; ReadBits
00457001 8 B5C24 08 MOV EBX , DWORD PTR SS :[ ESP +8]
00457005 56 PUSH ESI
00457006 57 PUSH EDI
00457007 8 B7C24 14 MOV EDI , DWORD PTR SS :[ ESP +14]
0045700 B 8 D47 07 LEA EAX ,[ EDI +7] ; value + 7
0045700 E C1F8 03 SAR EAX ,3 ; ( signed ) value / 8
00457011 50 PUSH EAX
00457012 6 A 00 PUSH 0
00457014 53 PUSH EBX
00457015 8 BF1 MOV ESI , ECX
00457017 E8 D2878001 CALL < JMP. & MSVCR100.memset >

For example, if size equals 0x11223344:
  • value =0x11223344
  • value * 8 =0x89119a20
  • value +7=0x89119a27
  • value /8=0xf1223344


7 IDTECH 4

From Wikipedia: "id Tech 4, popularly known as the Doom 3 engine, is a game engine developed by id Software and first used in the video game Doom 3. The engine was designed by John Carmack, who also created previous engines such as those for Doom and Quake, which are also widely recognized as marking significant advances in the field. This OpenGL-based game engine has also been used in Quake 4, Prey, Enemy Territory: Quake Wars, Wolfenstein and Brink".


Figure 7: A game based on idTech 4 engine

The engine exposes a function named idBitMsg::ReadData, which can be used to achieve remote code execution against games using customized version of this engine. Some games, including DOOM3 are not affected by this issue. However, others such as Enemy Territory: Quake Wars and Brink, are affected due to customizations to the original idTech 4 engine. The idBitMsg::ReadData function is defined as follows (code from DOOM3 GPL source code):
int idBitMsg :: ReadData ( void ∗ data , int length ) const {
  int cnt ;
  ReadByteAlign () ;
  cnt = readCount ;
  if ( readCount + length > curSize ) {
    if ( data ) {
      memcpy ( data , readData + readCount , GetRemaingData () ) ;
    }
    readCount = curSize ;
  } else {
    if ( data ) {
      memcpy ( data , readData + readCount , length ) ;
    }
    readCount += length ;
  }
  return ( readCount − cnt ) ;
}


8 ENEMY TERRITORY: QUAKE WARS

From Wikipedia: "Enemy Territory: Quake Wars (ET:QW) is a tactical shooter video game, and is a prequel to events in Quake II. [..]Quake Wars features similar gameplay to Wolfenstein: Enemy Territory, but with the addition of controllable vehicles and aircraft as well as multiple AI deployables, asymmetric teams, much larger maps and the option of computer-controlled bot opponents. Unlike the previous Enemy Territory games, Quake Wars is a commercial release rather than a free download. Enemy Territory: Quake Wars was developed by Splash Damage using a modified version of id Software’s id Tech 4 engine with MegaTexture rendering technology. It was released for Microsoft Windows, Linux, Mac OS X, PlayStation 3 and Xbox 360. The game received mostly positive reviews upon release, although it received some criticism on consoles".


Figure 8: Enemy Territory: Quake Wars

8.1 OVERVIEW

The function idBitMsg::ReadData exposed by the engine is exploitable by attackers to execute code remotely on victim game clients.



9 BRINK

From Wikipedia: "Brink is a first-person shooter video game developed by Splash Damage for Microsoft Windows, PlayStation 3 and Xbox 360. It was released in North America on 10 May 2011, in Australia on 12 May, in Europe on 13 May and in Japan on 16 August. Brink has Steamworks integration, including Valve Anti-Cheat. It runs on id Tech 4 and has an updated rendering framework with improved support for multiple CPU cores. Brink is a first-person shooter with a focus on parkour-style movement. Online multiplayer servers hold up to 16 players; players can play cooperatively or competitively, or against artificially-intelligent bots.
Despite the game having received negative to mixed reviews, Brink has reportedly sold 2.5 million copies to date".


Figure 9: Brink

9.1 OVERVIEW

The function idBitMsg::ReadData exposed by the engine is exploitable by attackers to execute code remotely on victim game servers.

9.2 ENDLESS LOOP

There is a endless loop condition, which can be triggered by exploiting the behavior of the ReadBits function, which is defined as:
  • Function input: number of bits to read from the given stream
  • Function output: a N-bit number
  • Note: in case of any error the function returns -1


With the above function logic, an attacker can quickly perform a denial of service attack by abusing the following code. Please note that the return value is not checked properly when the ReadBits function returns.
0070 BDB0 PUSH EBX
0070 BDB1 PUSH ESI
0070 BDB2 PUSH EDI
0070 BDB3 MOV EDI , ECX
0070 BDB5 XOR ESI , ESI
0070 BDB7 PUSH 10 ; Arg1 = 10
0070 BDB9 MOV DWORD PTR DS :[ EDI +18], ESI
0070 BDBC CALL ReadBits ; brink.ReadBits
0070 BDC1 MOV EBX , DWORD PTR SS :[ ESP +10]
0070 BDC5 MOVZX EAX , AX ; assign return value to wchar_t
0070 BDC8 CMP EAX ,−1
0070 BDCB JE SHORT 0070 BDF5
0070 BDCD PUSH EBP
0070 BDCE MOV EBP , DWORD PTR SS :[ ESP +18]
0070 BDD2 TEST AX , AX
0070 BDD5 JZ SHORT 0070 BDF4
0070 BDD7 LEA ECX ,[ EBP −1]
0070 BDDA CMP ESI , ECX
0070 BDDC JGE SHORT 0070 BDE3
0070 BDDE MOV WORD PTR DS :[ ESI ∗2+ EBX ] , AX
0070 BDE2 INC ESI
0070 BDE3 PUSH 10 ; Arg1 = 10
0070 BDE5 MOV ECX , EDI
0070 BDE7 CALL ReadBits ; brink.ReadBits
0070 BDEC MOVZX EAX , AX
0070 BDEF CMP EAX ,−1
0070 BDF2 JNE SHORT 0070 BDD2
0070 BDF4 POP EBP
0070 BDF5 XOR EDX , EDX
0070 BDF7 POP EDI
0070 BDF8 MOV WORD PTR DS :[ ESI ∗2+ EBX ] , DX
0070 BDFC MOV EAX , ESI
0070 BDFE POP ESI
0070 BDFF POP EBX
0070 BE00 RETN 8


10 QUAKE 4

From Wikipedia: "Quake 4 is the fourth title in the series of Quake first-person shooter computer games. The game was developed by Raven Software and published by Activision. Raven Software collaborated with id Software, the creators and historical developers of preceding Quake games. In this case, id Software supervised the development of the game as well as providing the Doom 3 engine, now referred to as "id Tech 4" and released under the GNU General Public License on 22 November 2011, upon which it was built."


Figure 10: Quake 4

10.1 OVERVIEW

The authors found a server-side stack-based overflow due to an incorrect handling of the GetInfo query packet.

10.2 GETINFO STACK-BASED OVERFLOW

The stack-based overflow is located in the following code. As you can see there are three nested loops, where an attacker can control the values used inside these loops. In order to exploit this vulnerability an attacker needs to spoof the IP of the packet to pretend that the packet has been sent from the Quake 4 Master Server (q4master.idsoftware.com).
10051 B30 PUSH EBP
10051 B31 MOV EBP , ESP
10051 B33 AND ESP , FFFFFFF8
10051 B36 PUSH −1
10051 B38 PUSH 10282 E07
10051 B3D MOV EAX , DWORD PTR FS :[0]
10051 B43 PUSH EAX
10051 B44 MOV DWORD PTR FS :[0] , ESP ; Installs SE handler
10051 B4B SUB ESP ,528
[ ... ]
10051 BB7 PUSH −10 ; Arg1 = −10
10051 BB9 MOV ECX , ESI
10051 BBB CALL ReadBits ; Quake4Ded.ReadBits (loop 1)
[ ... ]
10051 C06 PUSH −10 ; Arg1 = −10
10051 C08 MOV ECX , ESI
10051 C0A CALL ReadBits ; Quake4Ded.ReadBits (loop 2)
[ ... ]
10051 C31 PUSH −10 ; Arg1 = −10
10051 C33 MOV ECX , ESI
10051 C35 CALL ReadBits ; Quake4Ded.ReadBits (loop 3)
[ ... ]
10051 C50 MOV ECX , DWORD PTR SS :[ EBP +8]
10051 C53 PUSH 20 ; Arg1 = 20
10051 C55 CALL ReadBits ; Quake4Ded.ReadBits (our value )
10051 C5A MOV ECX , DWORD PTR DS :[102 F8404 ]
10051 C60 PUSH EAX
10051 C61 MOV DWORD PTR DS :[ EDI ] , EAX ; stack based
                                          ; buffer−overflow


11 CRYENGINE 3

From Wikipedia: "On March 11, 2009, Crytek announced that it would introduce CryEngine 3 at the 2009 Game Developers Conference, held from March 25 to March 27. The new engine was being developed for use on Microsoft Windows, PlayStation 3, Xbox 360, and Wii U. As for the PC platform, the engine is said to support development in DirectX 9, 10, and 11. As of June 1, 2009, it was announced that Crysis 2 would be developed by Crytek on their brand new engine.
CryEngine 3 was released on October 14, 2009.

On March 1, 2010, a new tech demo of the engine was released for the i3D 2010 symposium, which demonstrates ’Cascaded Light Propagation Volumes for Real Time Indirect Illumination’. On June 11, 2011, the Australian Defence Force revealed that Navy personnel would train on a virtual landing helicopter dock ship made using the CryEngine 3 software. As of July 1, 2011, the Mod SDK version of CryEngine 3 specifically to create custom maps, mods and content for Crysis 2 is available on Crytek’s website. Crytek also released a free-to-use version of the CryEngine for non-commercial game development. It was released as of August 17, 2011 under the name CryEngine 3 SDK.

Crytek announced on September 9, 2011 that they would be using CryEngine 3 to bring the original Crysis to consoles. It was released for Xbox Live and PlayStation Network on October 4, 2011".


Figure 11: CryEngine’s games tree


11.1 OVERVIEW

There are two vulnerabilities in CryEngine 3 due to improper handling of fragmented packets via CryEngine. For more information about fragmented packet issues, please refer to the authors’ presentation slides.

11.2 HEAP OVERFLOW VIA FRAGMENTED PACKETS

There is a heap overflow vulnerability, which can be triggered by sending a sequence of fragmented packets with opcode 0x93. By using this sequence an attacker is able to reach the following vulnerable code, and take control over the process execution:
39581 AC6 MOV EAX , DWORD PTR DS :[ EDI ]
39581 AC8 MOV EDX , DWORD PTR DS :[ ESI ]
39581 ACA AND EAX , FFFFFFFC
39581 ACD MOV ECX , DWORD PTR DS :[ EAX ]
39581 ACF AND EDX , FFFFFFFC
39581 AD2 MOV EDX , DWORD PTR DS :[ EDX ]
39581 AD4 CMP ECX , EDX
39581 AD6 JL 39581 B94
39581 ADC JNE SHORT 39581 B2F
39581 ADE LEA ECX ,[ ESP +4 C ]
39581 AE2 PUSH ECX
39581 AE3 LEA EDX ,[ EDI +4]
39581 AE6 PUSH EDX
39581 AE7 LEA ECX ,[ ESP +34]
39581 AEB MOV DWORD PTR SS :[ ESP +58], ESI
39581 AEF MOV DWORD PTR SS :[ ESP +34], OFFSET
39581 AF7 MOV DWORD PTR SS :[ ESP +38], OFFSET
39581 AFF MOV DWORD PTR SS :[ ESP +3 C ] , OFFSET
39581 B07 MOV EDX , DWORD PTR DS :[ EAX +10]
39581 B0A PUSH ECX
39581 B0B CALL EDX

11.3 MEMORY CORRUPTION VIA FRAGMENTED PACKETS

There is a integer overflow vulnerability, which can be triggered by using a truncated fragment packet, which has a packet size lesser than 4. By sending, for instance a 2-byte packet, the following vulnerable code can be reached:
395818 D7 MOV EDX , DWORD PTR DS :[ ESI ] ; packet size
395818 D9 ADD ECX , DWORD PTR DS :[ EBX +44]
395818 DC LEA EAX ,[ EDI + EAX +1 E ]
395818 E0 MOV EAX , DWORD PTR SS :[ EBP +10]
395818 E3 SUB EDX ,4
395818 E6 PUSH EDX ; /Arg3
395818 E7 ADD EAX ,4 ; |
395818 EA PUSH EAX ; |Arg2
395818 EB LEA ECX ,[ EDI + ECX +23] ; |
395818 EF PUSH ECX ; |Arg1
395818 F0 CALL < JMP. & MSVCR100.memcpy > ; \MSVCR100.memcpy


12 NEXUIZ

From Wikipedia: "Nexuiz is a free first-person shooter video game developed and published by Alientrap. The game and its media are released under the GNU General Public License (GPL). A remake, also called Nexuiz has been released for Steam and Xbox 360 using CryEngine 3. Version 1.0 of the original game was released on May 31, 2005. The current version, 2.5.2, was released on October 1, 2009. Nexuiz classic uses DarkPlaces engine, a significantly modified Quake engine".

Figure 12: Nexuiz

12.1 CONNECTIONSETUP INTEGER OVERFLOW

This vulnerability affects only Nexuiz, and the vulnerable code is the following:
395 E9FD4 CMP DWORD PTR SS :[ ESP +390],25 ; check packet size
395 E9FDC JNB SHORT CryNetwo.395E9FF4
[ ... ]
395 EA22D LEA EBP , DWORD PTR DS :[ ESI +2 D ] ; integer overflow
395 EA230 SUB ESI , EBP
395 EA232 ADD ESI , DWORD PTR SS :[ ESP +390]
[ ... ]
395 EA279 PUSH ESI ; /n
395 EA27A PUSH EBP ; |src
395 EA27B PUSH EBX ; |dest
395 EA27C CALL < JMP. & MSVCR100.memcpy > ; \memcpy

13 REVISION HISTORY

  • 17 May 2013: Version 1.0 released.