TribesNext

Author Topic: Security Patch for Tribes 2
Bahke
Nugget
Posts: 7

July 15, 2018, 11:08:55 AM »
This patch fixes a serious remote code execution vulnerability in the network code of Tribes 2.
The vulnerability affects both the client and server.
If anybody wants proof that there is a problem, I can show how it is exploitable remotely. (I will only do this if asked to by the server owner.)
To install the patch, put it in the scripts/autoexec folder.


https://dl-web.dropbox.com/s/dc15omwgqh1krij/security.cs

Thyth
Apotheosis Incarnate

Posts: 803

1: July 16, 2018, 09:28:57 PM »
Code:
memPatch("A3C300","A370C3A300E8D609A0FF8B46205053E98103A0FF");
memPatch("A3C330","C70570C3A30000000000E8A109A0FF8B462085C0E96D03A0FF");
memPatch("A3C400","E80BFB9FFF6089C38B1570C3A300B8FF00000029D039C37D0661E92509A0FFA380C3A30061A180C3A300E91509A0FF");
memPatch("A3C430","E8DBFA9FFF6089C38B1570C3A300B8FF00000029D039C37D0661E9A009A0FFA380C3A30061A180C3A300E99009A0FF");
memPatch("43C68B","E970FC5F00");
memPatch("43C6AC","E97FFC5F00");
memPatch("43CD3F","E9BCF65F00");
memPatch("43CDEA","E941F65F00");

These patches seem to ensure that some vulnerable 256-byte buffer (or pair of buffers?) is not overflowed? I haven't looked at these in the context of the code they're patching, but (to anyone uncertain) this is safe to use.

Given that the game was written in C++ almost 2 decades ago (thus not representing a paragon of secure software development practices), do you think there are other comparable issues exposed to the network processing code in the game, or is this the only one you think is reasonably plausible?

Sarcastic, narcissistic, genius, resurrecting the game with brilliant strokes of wizardry.
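
An added example, not part of the thread or the patch author's code, for checking the control flow of the memPatch calls posted above before installing them. It assumes memPatch(address, hex) writes the given bytes at that hex address in a 32-bit x86 process; the function names are hypothetical. It confirms that each 5-byte patch is a `jmp rel32` into the start of one of the larger patched blocks, and that the block's final jump returns just past the hook.

```python
import re
import struct

# The memPatch() calls exactly as posted in the thread.
POSTED = '''
memPatch("A3C300","A370C3A300E8D609A0FF8B46205053E98103A0FF");
memPatch("A3C330","C70570C3A30000000000E8A109A0FF8B462085C0E96D03A0FF");
memPatch("A3C400","E80BFB9FFF6089C38B1570C3A300B8FF00000029D039C37D0661E92509A0FFA380C3A30061A180C3A300E91509A0FF");
memPatch("A3C430","E8DBFA9FFF6089C38B1570C3A300B8FF00000029D039C37D0661E9A009A0FFA380C3A30061A180C3A300E99009A0FF");
memPatch("43C68B","E970FC5F00");
memPatch("43C6AC","E97FFC5F00");
memPatch("43CD3F","E9BCF65F00");
memPatch("43CDEA","E941F65F00");
'''

def parse(text):
    """Return {address: bytes} for every memPatch("ADDR","HEX") call (assumed semantics)."""
    pairs = re.findall(r'memPatch\("([0-9A-Fa-f]+)","([0-9A-Fa-f]+)"\)', text)
    return {int(a, 16): bytes.fromhex(h) for a, h in pairs}

def jmp_target(addr, insn):
    """Destination of a 5-byte x86 `jmp rel32` (opcode E9) located at addr."""
    if len(insn) != 5 or insn[0] != 0xE9:
        raise ValueError(f"bytes at {addr:X} are not a jmp rel32")
    (rel,) = struct.unpack("<i", insn[1:])   # signed, little-endian displacement
    return addr + 5 + rel                    # relative to the next instruction

def audit(text):
    """List (hook, stub, resume offset) for each 5-byte hook; raise on a stray jump."""
    patches = parse(text)
    stubs = {a: b for a, b in patches.items() if len(b) > 5}
    report = []
    for addr, data in sorted(patches.items()):
        if len(data) != 5:
            continue
        stub = jmp_target(addr, data)
        if stub not in stubs:
            raise ValueError(f"hook {addr:X} jumps outside the patch set")
        body = stubs[stub]
        back = jmp_target(stub + len(body) - 5, body[-5:])  # stub's final jmp
        report.append((addr, stub, back - addr))
    return report

if __name__ == "__main__":
    for hook, stub, resume in audit(POSTED):
        print(f"hook {hook:06X} -> stub {stub:06X}, resumes at hook+{resume}")
```

A hook that resumes more than 5 bytes past itself means the stub re-implements the instructions it skipped, so those bytes in the stub are worth comparing against the original binary.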
Bahke
Nugget
Posts: 7

2: July 16, 2018, 11:21:14 PM »
This is almost certainly the only problem in Tribes2 that can be exploited for RCE. I also created a pull request for Torque3D to fix the same problem. There may be a few ways to crash a T2 server without RCE, but the only one I found was the Null command one, which is already patched by cmdArmor.
Bahke
Nugget
Posts: 7

3: July 16, 2018, 11:24:36 PM »
There is one more problem that I experienced when having too many bots, but I still need to make a fix for that. I made a temporary fix for it a while ago; however, it was buggy.