Well, I ran Quake 2 (using Lithium mod V 1.24) under OllyDBG and it seems that the Lithium II mod for Quake 2 (latest patch 3.20) is parsing the '%' in nicks. My well crafted nickname '%999f%f%f%f%f' is being pushed onto the stack as

    004144A1 |. 68 E821AF00 PUSH QUAKE2.00AF21E8 ; ASCII "0.000000 0.000000 0.000000"

A huge real number. This expansion seems to be causing a stack overflow. I ran it on my test server and sure enough it crashes. I'm currently working on code execution and the ability to read any memory address. I contacted the creator of Lithium mod II; he still hasn't returned my emails.

I found that any 'percent' in the nick is interpreted as 0.0000. You can use various combos such as %d for an int, %c for a char. This is telling me that it's a format string vulnerability. This only works on a Lithium Quake 2 server. It's manifested in the latest release, V 1.24. Probably affects prior versions also.

I am currently reverse engineering the mod to get more info on this. Probably gonna take a while 'cause I'm at my mom's house with 8 people and one computer ;p

The vuln lies in the code that updates the score (frags) when you die, the overflow will manifest. I will write a more detailed explanation on this after I finish RE'ing it.

Regards,
SinNULL

More info on the vuln will be posted shortly, when I find some allocated time to work with.
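
Added example, not part of the original post and not Lithium's code: it measures how far the quoted 13-character nickname expands once its directives are interpreted, and shows the bounded, constant-format pattern that keeps a player name literal. The function names and the 64-byte MSG_MAX are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MSG_MAX 64  /* assumed message buffer size; not taken from the mod */

/* Constructed sample: the nickname quoted in the post. */
static const char SAMPLE_NICK[] = "%999f%f%f%f%f";

/* Length the nickname expands to when it is used as the format string.
 * Matching double arguments are supplied so this call is well defined;
 * the buggy pattern supplies none and formats whatever is on the stack. */
int expanded_length(void)
{
    return snprintf(NULL, 0, "%999f%f%f%f%f", 0.0, 0.0, 0.0, 0.0, 0.0);
}

/* Hardened pattern: the nickname is only ever an argument to a constant
 * format, and the write is bounded by the destination size.
 * Returns 0 on success, -1 if the message was truncated or on error. */
int format_frag_msg(char *out, size_t outsz, const char *nick, int frags)
{
    int n = snprintf(out, outsz, "%s has %d frags", nick, frags);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Optional input check: refuse names containing '%' when a client connects. */
int nick_is_plain(const char *nick)
{
    return strchr(nick, '%') == NULL;
}

int main(void)
{
    char msg[MSG_MAX];

    printf("nick length %zu expands to %d characters\n",
           strlen(SAMPLE_NICK), expanded_length());
    if (format_frag_msg(msg, sizeof msg, SAMPLE_NICK, 3) == 0)
        printf("%s\n", msg);   /* directives are printed, not interpreted */
    printf("plain nick: %d\n", nick_is_plain(SAMPLE_NICK));
    return 0;
}
```

Building with -Wformat-security (GCC and Clang) flags calls where a non-literal string is passed as the format with no arguments.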