GAME ENGINES:
A 0-DAY’STALE
ReVuln
17 May 2013
Abstract This paper details several issues affecting different game engines. All the vulnerabilities discussed in this paper are 0-days, at time of writing. This paper has been released as a companion paper along with the authors’ talk Exploiting Game Engines For Fun And Profit presented at the NoSuchCon conference.
1 BREACH
From Wikipedia: "Breach is a team-based first-person shooter multiplayer video game developed by Atomic Games. It was announced on March 26, 2010 at PAX East 2010 for Windows PCs and the Xbox 360. Breach was distributed online for the Xbox 360 by Xbox Live Arcade, and on Windows by Steam. It features dynamic destructible environments and a cover system". Breach is based on the game engine: Hydrogen Engine.
Figure 1: Breach
1.1 OVERVIEW
There are four different issues affecting the Hydrogen Engine, two of them are related to Index Numbers. Please refer to our presentation slides for additional information about this strategy to optimize data-representation.1.2 INDEX NUMBERS OFF-BY-TWO
The engine uses index numbers for storing numbers inside the packets. This solution is adopted to save space since only a part of the 64-bit number is transmitted. The functions (BreachServer+0x6992b0, BreachServer+0x698f90) that read the index numbers are affected by an off-by-two stack based overflow caused by the support of 80-bit numbers against a 64-bit buffer.00 A992B0 SUB ESP ,0 C
00 A992B3 MOV ECX , DWORD PTR SS :[ ESP +14]
[ ... ]
00 A9936F CMP ESI ,50
00 A99372 JB BreachServer.00A992D1
1.3 32-BIT VARIABLES USED AS INDEX NUMBERS
Some of the functions that call the previous functions for reading the index numbers pass 32-bit variables located on the stack and it’s possible to overflow them by writing 64-bit values.00 A992B0 SUB ESP ,0 C
00 A992B3 MOV ECX , DWORD PTR SS :[ ESP +14]
00 A992B7 PUSH EBX
00 A992B8 PUSH EBP
00 A992B9 PUSH ESI
00 A992BA XOR ESI , ESI
00 A992BC XOR EBP , EBP
00 A992BE PUSH EDI
00 A992BF OR EAX , FFFFFFFF
00 A992C2 MOV DWORD PTR SS :[ ESP +14], ESI
00 A992C6 MOV DWORD PTR SS :[ ESP +18], ESI
00 A992CA MOV DWORD PTR DS :[ ECX ] , ESI
00 A992CC MOV DWORD PTR DS :[ ECX +4], ESI
00 A992CF MOV BL ,1
00 A992D1 TEST EAX , EAX
00 A992D3 JE BreachServer.00A99378
00 A992D9 MOV ECX , DWORD PTR SS :[ ESP +20]
00 A992DD MOV EAX , DWORD PTR DS :[ ECX ] ; ctrl ’d via overflow
00 A992DF MOV EAX , DWORD PTR DS :[ EAX +54]
00 A992E2 PUSH 5
00 A992E4 LEA EDX , DWORD PTR SS :[ ESP +17]
00 A992E8 PUSH EDX
00 A992E9 CALL EAX ; read 5 bits (code execution )
[ .. ] ; copy them in EDI
00 A99363 INC ESI
00 A99364 ROL AL ,1
00 A99366 MOV BL , AL
00 A99368 MOVZX EAX , CL
00 A9936B INC EBP
00 A9936C AND EAX ,10 ; i f 5 bits & 0x10 continue
00 A9936F CMP ESI ,50
00 A99372 JB BreachServer.00A992D1
1.4 REALLOCATION INTEGER OVERFLOW
The following function is used to reallocate buffers and read packet contents. The function optimizes the reading of small blocks of data by using a stack buffer of 64 bytes and it’s possible to overflow it by specifying the size 0x7fffffff to which 1 is added to bypass a signed comparison:004 D6D32 MOV EAX , DWORD PTR SS :[ ESP +10] ; our 32−bit size
004 D6D36 TEST EAX , EAX
004 D6D38 JGE SHORT BreachServer.004D6D55
004 D6D3A MOV DWORD PTR SS :[ ESP +90],−1
004 D6D45 LEA ECX , DWORD PTR SS :[ ESP +14]
004 D6D49 CALL BreachServer.00A98E20
004 D6D4E XOR EAX , EAX
004 D6D50 JMP BreachServer.004D6E01
004 D6D55 INC EAX ; +1
004 D6D56 PUSH EAX
004 D6D57 LEA ECX , DWORD PTR SS :[ ESP +18]
004 D6D5B CALL BreachServer.00A98CA0 ; realloc function
[ ... ]
00 A98CA0 PUSH ESI
00 A98CA1 PUSH EDI
00 A98CA2 MOV EDI , DWORD PTR SS :[ ESP + C ]
00 A98CA6 CMP EDI ,40
00 A98CA9 MOV ESI , ECX
00 A98CAB JG SHORT BreachServer.00A98CC3 ; signed comparison
1.5 DOUBLE FREE
There is a double-free vulnerability affecting the following code:004 D65D4 PUSH 8
004 D65D6 LEA EAX , DWORD PTR SS :[ ESP +20]
004 D65DA PUSH EAX
004 D65DB MOV ECX , ESI
004 D65DD CALL EDX ; read 8−bit size
[ ... ]
004 D65F6 JL SHORT BreachServer.004D6631 ; read data i f > 0
[ ... ]
004 D65FD CALL BreachServer.00A38470 ; allocation
[ ... ]
004 D6620 CALL EDX ; read
[ ... ]
004 D6635 CALL BreachServer.00A41530 ; strdup
[ ... ]
004 D6631 PUSH EDI
004 D6632 LEA ECX , DWORD PTR DS :[ EBX +44]
004 D6635 CALL BreachServer.00A41530
004 D663A TEST EDI , EDI
004 D663C JE SHORT BreachServer.004D6647
004 D663E PUSH EDI
004 D663F CALL BreachServer.00A384B0 ; free
004 D6644 ADD ESP ,4
004 D6647 MOV EDX , DWORD PTR DS :[ ESI ]
004 D6649 MOV EDX , DWORD PTR DS :[ EDX +54]
004 D664C PUSH 8
004 D664E LEA EAX , DWORD PTR SS :[ ESP +24]
004 D6652 PUSH EAX
004 D6653 MOV ECX , ESI
004 D6655 CALL EDX ; read 8−bit size
[ ... ]
004 D6662 JL SHORT BreachServer.004D66B2 ; read data i f > 0
[ ... ]
004 D66B2 PUSH EDI ; EDI has the old value
004 D66B3 LEA ECX , DWORD PTR DS :[ EBX +48]
004 D66B6 CALL BreachServer.00A41530
004 D66BB TEST EDI , EDI
004 D66BD JE SHORT BreachServer.004D66C8
004 D66BF PUSH EDI
004 D66C0 CALL BreachServer.00A384B0 ; double−free
2 UNREAL ENGINE 3
From Wikipedia: "The third and current generation of the Unreal Engine (UE3) is designed for DirectX (versions 9-11 for Windows and Xbox 360), as well as systems using OpenGL, including the PlayStation 3, OS X, iOS, Android, Stage 3D for Adobe Flash Player 11, JavaScript/WebGL, PlayStation Vita and Wii U. Its renderer supports many advanced techniques including HDRR, per-pixel lighting, and dynamic shadows. It also builds on the tools available in previous versions. In October 2011, the engine was ported to support Adobe Flash Player 11 through the Stage 3D hardware-accelerated APIs. Epic has used this version of the engine for their in-house games. Aggressive licensing of this iteration has garnered a great deal of support from many prominent licensees. Epic has announced that Unreal Engine 3 runs on both Windows 8 and Windows RT. In addition to the game industry, UE3 has also seen adoption by many non-gaming projects".
Figure 2: A game based on Unreal Engine 3
The following sections detail vulnerabilities affecting games based on the Unreal Engine 3.
3 MONDAY NIGHT COMBAT
From Wikipedia: "Monday Night Combat is a downloadable third-person shooter video game developed by Uber Entertainment. It was published by Microsoft Studios on the Xbox 360 and by Uber Entertainment and Valve Software for Microsoft Windows. It was released on August 11, 2010 on the Xbox 360 as part of Microsoft’s 2010 Xbox Live Summer of Arcade and is distributed through Xbox Live Arcade It was released on January 24, 2011 for Windows via Steam. [...]As of year-end 2011, Monday Night Combat has sold over 307,000 copies on Xbox Live Arcade".
Figure 3: Monday Night Combat
3.1 OVERVIEW
Monday Night Combat is based on Unreal Engine 3, and like other games supporting the Steam platform, this game supports some custom Steam related commands via Unreal Engine Control channel.3.2 ARRAY OVERFLOW
There is an array overflow, which allows attackers to corrupt the heap and allow remote code execution. This problem relies on the way the engine implements some Steam commands.00 A8B9DA MOVZX EAX , BYTE PTR SS :[ ESP +5 F ] ; SUBBLOB 8bit
00 A8B9DF MOV EDX , DWORD PTR DS :[ ESI +4 FD8 ]
00 A8B9E5 LEA EAX , DWORD PTR DS :[ EAX + EAX ∗2]
00 A8B9E8 ADD EAX , EAX
00 A8B9EA ADD EAX , EAX
00 A8B9EC MOV ECX , DWORD PTR DS :[ EDX + EAX +4] ; ar[SUBBLOB][12]
00 A8B9F0 CMP ECX , EBP ; ECX must be 0 or 1
00 A8B9F2 JE SHORT MNCDS.00A8B9FD
00 A8B9F4 DEC ECX
00 A8B9F5 CMP ECX , EBP
00 A8B9F7 JNZ MNCDS.00A8B8FF
00 A8B9FD LEA ECX , DWORD PTR SS :[ ESP +28]
00 A8BA01 PUSH ECX
00 A8BA02 LEA ECX , DWORD PTR DS :[ EDX + EAX ] ; heap corruption
; w. AUTHBLOBSTRING
00 A8BA05 CALL MNCDS.00477FD0
00 A8BA0A LEA ECX , DWORD PTR SS :[ ESP +28]
00 A8BA0E MOV DWORD PTR SS :[ ESP +8 C0 ],−1
00 A8BA19 CALL MNCDS.006C7D70
00 A8BA1E JMP MNCDS.00A8C861
4 HOMEFRONT
From Wikipedia: "Homefront is a first-person shooter video game developed by Kaos Studios and published by THQ. Players are members of a resistance movement fighting against a near-future North Korean military occupation of the United States. It was released for Microsoft Windows, PlayStation 3 and Xbox 360 on March 15, 2011 in North America, March 17, 2011 in Australia, March 18, 2011 in Europe, and April 14, 2011 in Japan".
Figure 4: Homefront
4.1 OVERVIEW
Homefront is based on a customized version of the Unreal Engine 3, with RCON support.4.2 INVALID READ ACCESS
The RCON command CT followed by 0x7fffffff triggers an invalid read access, while attempting to read the address 0x7fffffff.4.3 NULL POINTER
The RCON command CD triggers a NULL pointer:00 AFBD83 MOV EAX , DWORD PTR DS :[ ECX ]
00 AFBD85 MOV EDX , DWORD PTR DS :[ EAX +1 C ]
00 AFBD88 CALL EDX
4.4 16-BIT ADJACENT MEMORY OVERWRITE
The RCON command CT followed by a negative number, allows the setting of 16-bit adjacent memory to 0.00 AFBECA MOV EDI , DWORD PTR SS :[ ESP +28] ; our size
00 AFBECE CMP EDI ,0 FF ; signed comparison
00 AFBED4 JLE SHORT HFDedica.00AFBEDB
00 AFBED6 MOV EDI ,0 FF
00 AFBEDB MOV EDX , DWORD PTR SS :[ ESP +24]
00 AFBEDF LEA ECX , DWORD PTR DS :[ EDI +1]
00 AFBEE2 PUSH ECX
00 AFBEE3 SHL EAX ,9
00 AFBEE6 PUSH EDX
00 AFBEE7 LEA EAX , DWORD PTR DS :[ EAX + ESI +28]
00 AFBEEB PUSH EAX
00 AFBEEC CALL HFDedica.0045F7F0 ; wcsncpy_s
00 AFBEF1 MOV ECX , DWORD PTR DS :[ ESI +10228]
00 AFBEF7 SHL ECX ,8
00 AFBEFA XOR EAX , EAX
00 AFBEFC ADD ECX , EDI
00 AFBEFE XOR EDX , EDX
00 AFBF00 ADD ESP ,0 C
00 AFBF03 CMP DWORD PTR SS :[ ESP +2 C ] , EAX ; dst [ size ∗2] = 0
00 AFBF07 MOV WORD PTR DS :[ ESI + ECX ∗2+28], DX
4.5 STACK-BASED OVERFLOW
The RCON command CT followed by a negative number, can be used to trigger a stack-based overflow:00 B03490 MOV EAX , DWORD PTR DS :[ EAX +100]
00 B03496 LEA EDX , DWORD PTR DS :[ ESI +1]
00 B03499 PUSH EDX ; our size + 1
00 B0349A PUSH EAX ; our string
00 B0349B LEA EAX , DWORD PTR SS :[ ESP +140]
00 B034A2 PUSH EAX ; stack buffer
00 B034A3 MOV DWORD PTR SS :[ ESP +950],2
00 B034AE CALL HFDedica.0045F7F0 ; wcsncpy_s
5 THE HAUNTED: HELLS REACH
From the Steam store: "The Haunted is a fast paced third person action horror game that focuses on delivering an intense multiplayer experience. Your goal is to liberate cursed places and survive the assault from the minions of Hell. The game features several multiplayer modes such as co-op survival, demons vs. humans and demonizer".
Figure 5: The Haunted: Hells Reach
5.1 OVERVIEW
The Haunted doesn’t use the standard Unreal Engine 3 protocol. In this protocol there are some opcodes that allow attackers to perform a denial of service attack against the victim’s systems.5.2 OUTOFMEMORY VIA CUSTOM OPCODES
There are three opcodes, with the following formats:- 0x16 [32-bit size]
- 0x1b [32-bit size]
- 0x1c [32-bit size]
These opcodes can be used to invoke the VirtualAlloc function with arbitrary 32-bit values. Since VirtualAlloc returns NULL when trying to allocate a 0-byte buffer, it’s not possible to use this vulnerability to as an integer overflow. However it’s possible to shutdown the server immediately by requesting allocations from 0xfffff001 to 0xffffffff bytes by triggering an Out Of Memory condition.
6 SANCTUM
From Wikipedia: "Sanctum is a first-person shooter tower defense video game, developed by independent developer Coffee Stain Studios. It has been available for pre-purchase via Steam for Microsoft Windows since March 24, 2011. The successor, Sanctum 2 was announced in 2012 and is set for release summer 2013".
Figure 6: Sanctum
6.1 OVERVIEW
Sanctum doesn’t use the standard Unreal Engine 3 protocol. In this protocol there are some opcodes that allow attackers to perform attacks against the victim’s systems.- 0x13 [32-bit size]
- 0x18 [32-bit size]
- 0x19 [32-bit size]
6.2 OUTOFMEMORY VIA CUSTOM OPCODES
If VirtualAlloc fails, then the following code is reached:01693367 53 PUSH EBX
01693368 68 5818 F101 PUSH OFFSET 01 F11858 ; " Core "
0169336 D 8 D4424 18 LEA EAX ,[ ESP +18]
01693371 68 DCD72902 PUSH OFFSET 0229 D7DC ; "OutOfMemory"
01693376 50 PUSH EAX
01693377 895 C24 1 C MOV DWORD PTR SS :[ ESP +1 C ] , EBX
0169337 B E8 1017 E1FE CALL 004 A4A90
6.3 MEMSET-ZERO VIA CUSTOM OPCODES
00448300 8 B5424 08 MOV EDX , DWORD PTR SS :[ ESP +8]
00448304 8 B01 MOV EAX , DWORD PTR DS :[ ECX ]
00448306 8 B40 08 MOV EAX , DWORD PTR DS :[ EAX +8]
00448309 03 D2 ADD EDX , EDX ; value ∗ 8
0044830 B 03 D2 ADD EDX , EDX
0044830 D 03 D2 ADD EDX , EDX
0044830 F 895424 08 MOV DWORD PTR SS :[ ESP +8], EDX
00448313 FFE0 JMP EAX
...
00457000 53 PUSH EBX ; ReadBits
00457001 8 B5C24 08 MOV EBX , DWORD PTR SS :[ ESP +8]
00457005 56 PUSH ESI
00457006 57 PUSH EDI
00457007 8 B7C24 14 MOV EDI , DWORD PTR SS :[ ESP +14]
0045700 B 8 D47 07 LEA EAX ,[ EDI +7] ; value + 7
0045700 E C1F8 03 SAR EAX ,3 ; ( signed ) value / 8
00457011 50 PUSH EAX
00457012 6 A 00 PUSH 0
00457014 53 PUSH EBX
00457015 8 BF1 MOV ESI , ECX
00457017 E8 D2878001 CALL < JMP. & MSVCR100.memset >
For example, if size equals 0x11223344:
- value =0x11223344
- value * 8 =0x89119a20
- value +7=0x89119a27
- value /8=0xf1223344
7 IDTECH 4
From Wikipedia: "id Tech 4, popularly known as the Doom 3 engine, is a game engine developed by id Software and first used in the video game Doom 3. The engine was designed by John Carmack, who also created previous engines such as those for Doom and Quake, which are also widely recognized as marking significant advances in the field. This OpenGL-based game engine has also been used in Quake 4, Prey, Enemy Territory: Quake Wars, Wolfenstein and Brink".
Figure 7: A game based on idTech 4 engine
The engine exposes a function named idBitMsg::ReadData, which can be used to achieve remote code execution against games using customized version of this engine. Some games, including DOOM3 are not affected by this issue. However, others such as Enemy Territory: Quake Wars and Brink, are affected due to customizations to the original idTech 4 engine. The idBitMsg::ReadData function is defined as follows (code from DOOM3 GPL source code):
int idBitMsg :: ReadData ( void ∗ data , int length ) const {
int cnt ;
ReadByteAlign () ;
cnt = readCount ;
if ( readCount + length > curSize ) {
if ( data ) {
memcpy ( data , readData + readCount , GetRemaingData () ) ;
}
readCount = curSize ;
} else {
if ( data ) {
memcpy ( data , readData + readCount , length ) ;
}
readCount += length ;
}
return ( readCount − cnt ) ;
}
8 ENEMY TERRITORY: QUAKE WARS
From Wikipedia: "Enemy Territory: Quake Wars (ET:QW) is a tactical shooter video game, and is a prequel to events in Quake II. [..]Quake Wars features similar gameplay to Wolfenstein: Enemy Territory, but with the addition of controllable vehicles and aircraft as well as multiple AI deployables, asymmetric teams, much larger maps and the option of computer-controlled bot opponents. Unlike the previous Enemy Territory games, Quake Wars is a commercial release rather than a free download. Enemy Territory: Quake Wars was developed by Splash Damage using a modified version of id Software’s id Tech 4 engine with MegaTexture rendering technology. It was released for Microsoft Windows, Linux, Mac OS X, PlayStation 3 and Xbox 360. The game received mostly positive reviews upon release, although it received some criticism on consoles".
Figure 8: Enemy Territory: Quake Wars
8.1 OVERVIEW
The function idBitMsg::ReadData exposed by the engine is exploitable by attackers to execute code remotely on victim game clients.9 BRINK
From Wikipedia: "Brink is a first-person shooter video game developed by Splash Damage for Microsoft Windows, PlayStation 3 and Xbox 360. It was released in North America on 10 May 2011, in Australia on 12 May, in Europe on 13 May and in Japan on 16 August. Brink has Steamworks integration, including Valve Anti-Cheat. It runs on id Tech 4 and has an updated rendering framework with improved support for multiple CPU cores. Brink is a first-person shooter with a focus on parkour-style movement. Online multiplayer servers hold up to 16 players; players can play cooperatively or competitively, or against artificially-intelligent bots.Despite the game having received negative to mixed reviews, Brink has reportedly sold 2.5 million copies to date".
Figure 9: Brink
9.1 OVERVIEW
The function idBitMsg::ReadData exposed by the engine is exploitable by attackers to execute code remotely on victim game servers.9.2 ENDLESS LOOP
There is a endless loop condition, which can be triggered by exploiting the behavior of the ReadBits function, which is defined as:- Function input: number of bits to read from the given stream
- Function output: a N-bit number
- Note: in case of any error the function returns -1
With the above function logic, an attacker can quickly perform a denial of service attack by abusing the following code. Please note that the return value is not checked properly when the ReadBits function returns.
0070 BDB0 PUSH EBX
0070 BDB1 PUSH ESI
0070 BDB2 PUSH EDI
0070 BDB3 MOV EDI , ECX
0070 BDB5 XOR ESI , ESI
0070 BDB7 PUSH 10 ; Arg1 = 10
0070 BDB9 MOV DWORD PTR DS :[ EDI +18], ESI
0070 BDBC CALL ReadBits ; brink.ReadBits
0070 BDC1 MOV EBX , DWORD PTR SS :[ ESP +10]
0070 BDC5 MOVZX EAX , AX ; assign return value to wchar_t
0070 BDC8 CMP EAX ,−1
0070 BDCB JE SHORT 0070 BDF5
0070 BDCD PUSH EBP
0070 BDCE MOV EBP , DWORD PTR SS :[ ESP +18]
0070 BDD2 TEST AX , AX
0070 BDD5 JZ SHORT 0070 BDF4
0070 BDD7 LEA ECX ,[ EBP −1]
0070 BDDA CMP ESI , ECX
0070 BDDC JGE SHORT 0070 BDE3
0070 BDDE MOV WORD PTR DS :[ ESI ∗2+ EBX ] , AX
0070 BDE2 INC ESI
0070 BDE3 PUSH 10 ; Arg1 = 10
0070 BDE5 MOV ECX , EDI
0070 BDE7 CALL ReadBits ; brink.ReadBits
0070 BDEC MOVZX EAX , AX
0070 BDEF CMP EAX ,−1
0070 BDF2 JNE SHORT 0070 BDD2
0070 BDF4 POP EBP
0070 BDF5 XOR EDX , EDX
0070 BDF7 POP EDI
0070 BDF8 MOV WORD PTR DS :[ ESI ∗2+ EBX ] , DX
0070 BDFC MOV EAX , ESI
0070 BDFE POP ESI
0070 BDFF POP EBX
0070 BE00 RETN 8
10 QUAKE 4
From Wikipedia: "Quake 4 is the fourth title in the series of Quake first-person shooter computer games. The game was developed by Raven Software and published by Activision. Raven Software collaborated with id Software, the creators and historical developers of preceding Quake games. In this case, id Software supervised the development of the game as well as providing the Doom 3 engine, now referred to as "id Tech 4" and released under the GNU General Public License on 22 November 2011, upon which it was built."
Figure 10: Quake 4
10.1 OVERVIEW
The authors found a server-side stack-based overflow due to an incorrect handling of the GetInfo query packet.10.2 GETINFO STACK-BASED OVERFLOW
The stack-based overflow is located in the following code. As you can see there are three nested loops, where an attacker can control the values used inside these loops. In order to exploit this vulnerability an attacker needs to spoof the IP of the packet to pretend that the packet has been sent from the Quake 4 Master Server (q4master.idsoftware.com).10051 B30 PUSH EBP
10051 B31 MOV EBP , ESP
10051 B33 AND ESP , FFFFFFF8
10051 B36 PUSH −1
10051 B38 PUSH 10282 E07
10051 B3D MOV EAX , DWORD PTR FS :[0]
10051 B43 PUSH EAX
10051 B44 MOV DWORD PTR FS :[0] , ESP ; Installs SE handler
10051 B4B SUB ESP ,528
[ ... ]
10051 BB7 PUSH −10 ; Arg1 = −10
10051 BB9 MOV ECX , ESI
10051 BBB CALL ReadBits ; Quake4Ded.ReadBits (loop 1)
[ ... ]
10051 C06 PUSH −10 ; Arg1 = −10
10051 C08 MOV ECX , ESI
10051 C0A CALL ReadBits ; Quake4Ded.ReadBits (loop 2)
[ ... ]
10051 C31 PUSH −10 ; Arg1 = −10
10051 C33 MOV ECX , ESI
10051 C35 CALL ReadBits ; Quake4Ded.ReadBits (loop 3)
[ ... ]
10051 C50 MOV ECX , DWORD PTR SS :[ EBP +8]
10051 C53 PUSH 20 ; Arg1 = 20
10051 C55 CALL ReadBits ; Quake4Ded.ReadBits (our value )
10051 C5A MOV ECX , DWORD PTR DS :[102 F8404 ]
10051 C60 PUSH EAX
10051 C61 MOV DWORD PTR DS :[ EDI ] , EAX ; stack based
; buffer−overflow
11 CRYENGINE 3
From Wikipedia: "On March 11, 2009, Crytek announced that it would introduce CryEngine 3 at the 2009 Game Developers Conference, held from March 25 to March 27. The new engine was being developed for use on Microsoft Windows, PlayStation 3, Xbox 360, and Wii U. As for the PC platform, the engine is said to support development in DirectX 9, 10, and 11. As of June 1, 2009, it was announced that Crysis 2 would be developed by Crytek on their brand new engine.CryEngine 3 was released on October 14, 2009.
On March 1, 2010, a new tech demo of the engine was released for the i3D 2010 symposium, which demonstrates ’Cascaded Light Propagation Volumes for Real Time Indirect Illumination’. On June 11, 2011, the Australian Defence Force revealed that Navy personnel would train on a virtual landing helicopter dock ship made using the CryEngine 3 software. As of July 1, 2011, the Mod SDK version of CryEngine 3 specifically to create custom maps, mods and content for Crysis 2 is available on Crytek’s website. Crytek also released a free-to-use version of the CryEngine for non-commercial game development. It was released as of August 17, 2011 under the name CryEngine 3 SDK.
Crytek announced on September 9, 2011 that they would be using CryEngine 3 to bring the original Crysis to consoles. It was released for Xbox Live and PlayStation Network on October 4, 2011".
Figure 11: CryEngine’s games tree
11.1 OVERVIEW
There are two vulnerabilities in CryEngine 3 due to improper handling of fragmented packets via CryEngine. For more information about fragmented packet issues, please refer to the authors’ presentation slides.11.2 HEAP OVERFLOW VIA FRAGMENTED PACKETS
There is a heap overflow vulnerability, which can be triggered by sending a sequence of fragmented packets with opcode 0x93. By using this sequence an attacker is able to reach the following vulnerable code, and take control over the process execution:39581 AC6 MOV EAX , DWORD PTR DS :[ EDI ]
39581 AC8 MOV EDX , DWORD PTR DS :[ ESI ]
39581 ACA AND EAX , FFFFFFFC
39581 ACD MOV ECX , DWORD PTR DS :[ EAX ]
39581 ACF AND EDX , FFFFFFFC
39581 AD2 MOV EDX , DWORD PTR DS :[ EDX ]
39581 AD4 CMP ECX , EDX
39581 AD6 JL 39581 B94
39581 ADC JNE SHORT 39581 B2F
39581 ADE LEA ECX ,[ ESP +4 C ]
39581 AE2 PUSH ECX
39581 AE3 LEA EDX ,[ EDI +4]
39581 AE6 PUSH EDX
39581 AE7 LEA ECX ,[ ESP +34]
39581 AEB MOV DWORD PTR SS :[ ESP +58], ESI
39581 AEF MOV DWORD PTR SS :[ ESP +34], OFFSET
39581 AF7 MOV DWORD PTR SS :[ ESP +38], OFFSET
39581 AFF MOV DWORD PTR SS :[ ESP +3 C ] , OFFSET
39581 B07 MOV EDX , DWORD PTR DS :[ EAX +10]
39581 B0A PUSH ECX
39581 B0B CALL EDX
11.3 MEMORY CORRUPTION VIA FRAGMENTED PACKETS
There is a integer overflow vulnerability, which can be triggered by using a truncated fragment packet, which has a packet size lesser than 4. By sending, for instance a 2-byte packet, the following vulnerable code can be reached:395818 D7 MOV EDX , DWORD PTR DS :[ ESI ] ; packet size
395818 D9 ADD ECX , DWORD PTR DS :[ EBX +44]
395818 DC LEA EAX ,[ EDI + EAX +1 E ]
395818 E0 MOV EAX , DWORD PTR SS :[ EBP +10]
395818 E3 SUB EDX ,4
395818 E6 PUSH EDX ; /Arg3
395818 E7 ADD EAX ,4 ; |
395818 EA PUSH EAX ; |Arg2
395818 EB LEA ECX ,[ EDI + ECX +23] ; |
395818 EF PUSH ECX ; |Arg1
395818 F0 CALL < JMP. & MSVCR100.memcpy > ; \MSVCR100.memcpy
12 NEXUIZ
From Wikipedia: "Nexuiz is a free first-person shooter video game developed and published by Alientrap. The game and its media are released under the GNU General Public License (GPL). A remake, also called Nexuiz has been released for Steam and Xbox 360 using CryEngine 3. Version 1.0 of the original game was released on May 31, 2005. The current version, 2.5.2, was released on October 1, 2009. Nexuiz classic uses DarkPlaces engine, a significantly modified Quake engine".
Figure 12: Nexuiz
12.1 CONNECTIONSETUP INTEGER OVERFLOW
This vulnerability affects only Nexuiz, and the vulnerable code is the following:395 E9FD4 CMP DWORD PTR SS :[ ESP +390],25 ; check packet size
395 E9FDC JNB SHORT CryNetwo.395E9FF4
[ ... ]
395 EA22D LEA EBP , DWORD PTR DS :[ ESI +2 D ] ; integer overflow
395 EA230 SUB ESI , EBP
395 EA232 ADD ESI , DWORD PTR SS :[ ESP +390]
[ ... ]
395 EA279 PUSH ESI ; /n
395 EA27A PUSH EBP ; |src
395 EA27B PUSH EBX ; |dest
395 EA27C CALL < JMP. & MSVCR100.memcpy > ; \memcpy
13 REVISION HISTORY
- 17 May 2013: Version 1.0 released.
No comments:
Post a Comment