Tuesday, August 02, 2005

[NT] Sacrifice Format String and Buffer Overflow

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Sacrifice Format String and Buffer Overflow
------------------------------------------------------------------------

SUMMARY

Sacrifice is "a strategy game developed by Shiny Entertainment"
(<http://www.shiny.com>).

A format string vulnerability and a buffer overflow vulnerability discovered
in the game Sacrifice allow remote attackers to cause the program to execute
arbitrary code.

DETAILS

Vulnerable Systems:
* Sacrifice version patch3 and prior

Format string everywhere:
The game uses a function in game3d.dll to build the text strings rendered
on the screen. Because this is a graphics function, it is used to display
ANY type of text: menus, chat, messages, player names, server names...
everything. The function is affected by a format string vulnerability caused
by incorrect use of the vsprintf() function, which receives the untrusted
text as its format argument.

Buffer overflow in chat:
An exploitable buffer overflow exists when the game receives a message from
the online chat server (peerchat.gamespy.com). The bug is caused by an
unbounded copy of the characters arriving in the message: the GetWord()
function in share.dll copies bytes until it finds a character less than or
equal to 0x20 in the incoming buffer. Since the destination buffer is only
256 bytes, a longer word overflows it.
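To make the two patterns above concrete from the defender's side, here is an added example in C. It is not code from the advisory, from SecuriTeam or from the game; every function name (draw_text_safe, get_word_safe, chat_line_status, and the others) is a hypothetical stand-in for the routines in game3d.dll and share.dll, and the only value taken from the advisory is the 256-byte buffer. It shows the hardened form of each routine: untrusted text passed as a printf argument rather than as the format, and a word tokenizer that stops at the same 0x20 delimiter rule but rejects words that would not fit the buffer.

```c
/* Added example, not from the advisory or the game. All names are
 * hypothetical stand-ins; only the 256-byte buffer size is from the advisory. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define WORD_BUF 256   /* the advisory's 256-byte destination buffer */

/* Vulnerable pattern as the advisory describes it (comment only, never built):
 *     vsprintf(out, untrusted_text, ap);   // untrusted text used AS the format
 * Every '%' directive in a chat line, player name or server name is then
 * interpreted by the formatter instead of being drawn literally. */

/* Hardened display: the format is a literal, the text is an argument, and the
 * output is bounded. Returns snprintf's count so truncation is visible. */
int draw_text_safe(char *out, size_t outsz, const char *untrusted)
{
    return snprintf(out, outsz, "%s", untrusted);
}

/* Alternative for legacy code that must route text through a printf-style
 * path: double every '%' so it renders literally. Returns bytes written
 * (excluding the NUL), or -1 when out is too small. */
int escape_percent(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0) return -1;
    for (; *in; in++) {
        size_t need = (*in == '%') ? 2 : 1;
        if (n + need >= outsz) { out[0] = '\0'; return -1; }
        out[n++] = *in;
        if (*in == '%') out[n++] = '%';
    }
    out[n] = '\0';
    return (int)n;
}

/* Convenience wrapper over escape_percent using a static buffer. */
const char *escaped(const char *in)
{
    static char buf[WORD_BUF];
    return escape_percent(in, buf, sizeof buf) < 0 ? NULL : buf;
}

/* Vulnerable pattern: GetWord() copied bytes until one <= 0x20 with no limit.
 * Hardened: same delimiter rule, bounded by outsz. Returns the word length, or
 * -1 when the word would not fit: the line is rejected rather than silently
 * truncated, so the caller can drop and log it. *next is set to the delimiter
 * (or the terminating NUL) that ended the word. */
int get_word_safe(const char *in, char *out, size_t outsz, const char **next)
{
    size_t n = 0;
    if (outsz == 0) return -1;
    while ((unsigned char)in[n] > 0x20) {
        if (n + 1 >= outsz) {          /* no room for this byte plus the NUL */
            out[0] = '\0';
            if (next) *next = in;
            return -1;
        }
        out[n] = in[n];
        n++;
    }
    out[n] = '\0';
    if (next) *next = in + n;
    return (int)n;
}

/* One inbound chat line handled the safe way: bounded tokenize, then render
 * with the word as an argument. Returns the rendered length, or -1 if the
 * line was rejected as oversized. The rendered text is kept in a static
 * buffer readable through chat_line_rendered(). */
static char rendered[WORD_BUF];
int chat_line_status(const char *msg)
{
    char word[WORD_BUF];
    int n = get_word_safe(msg, word, sizeof word, NULL);
    if (n < 0) { rendered[0] = '\0'; return -1; }
    return draw_text_safe(rendered, sizeof rendered, word);
}
const char *chat_line_rendered(const char *msg)
{
    chat_line_status(msg);
    return rendered;
}

/* Constructed test input: n bytes of 'a', in the spirit of the advisory's PoC. */
const char *make_long_word(size_t n)
{
    static char buf[1024];
    if (n > sizeof buf - 1) n = sizeof buf - 1;
    memset(buf, 'a', n);
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    /* Constructed sample lines: a format directive, a normal word, an oversized word. */
    const char *samples[] = { "%n%n%n", "hello world", make_long_word(260) };
    for (size_t i = 0; i < 3; i++) {
        int st = chat_line_status(samples[i]);
        /* rendered is passed as a %s argument, so its '%' bytes print literally */
        printf("%-12.12s -> %s (%d)\n", samples[i], st < 0 ? "rejected" : rendered, st);
    }
    return 0;
}
```

Rejecting an oversized word instead of truncating it is a design choice: truncation keeps the game running but hides the fact that a peer sent a 260-byte token, which is exactly the event a server operator would want logged.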

Proof of concept:
The easiest way to trigger these bugs is with a normal IRC client: join the
channel #GSP!sacrifice on the server peerchat.gamespy.com and send the
following messages:
Format string: %n%n%n
Buffer overflow:
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaEIPX

ADDITIONAL INFORMATION

The information has been provided by Luigi Auriemma
(<mailto:aluigi@autistici.org>).
The original article can be found at:
<http://aluigi.altervista.org/adv/sacrifice-adv.txt>

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
