#######################################################################

                            Luigi Auriemma

Application:  Star Wars Jedi Knight: Jedi Academy
              http://www.lucasarts.com/products/jediacademy/
Versions:     <= 1.011
Platforms:    Windows, Linux and Mac
Bug:          buffer-overflow during the visualization of big messages
Exploitation: remote, versus server (in-game)
Date:         02 Apr 2005
Author:       Luigi Auriemma
              e-mail: aluigi autistici org
              web:    http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Jedi Academy is a first-person shooter that uses the Quake 3 engine. It is developed by Raven Software (http://www.ravensoft.com) and was released in September 2003.

#######################################################################

======
2) Bug
======

The game is affected by a buffer-overflow in the visualization function called G_Printf(). This function uses a sprintf() with a local buffer of 1024 bytes where it stores the text to display in the console, so if an attacker sends a big message (through the commands say and tell, for example) the server calls G_Printf() to visualize a string like the following example:

  say: NICKNAME: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa...aaaaaaaa\n

The result is that an attacker could execute malicious code on the victim server. The only limitation is that this is an in-game bug, so the attacker must have access to the server; if it is protected by password he must know the keyword.
#######################################################################

===========
3) The Code
===========

- download the following file:
  http://aluigi.altervista.org/poc/jamsgbof.cfg
- place it in the base folder of the game: GameData\base
- start a client and a server
- join the server
- go into the client console (shift + ~)
- type: /exec jamsgbof
- the server will crash with the return address overwritten with 0x61616161

#######################################################################

======
4) Fix
======

No fix. The game "should" no longer be supported.

#######################################################################
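The defensive counterpart to the sprintf() pattern described in section 2, as an added example in C; it is neither Raven's code nor part of the advisory. The 1024-byte buffer size comes from the advisory, while the function names, the MAX_CHAT_LEN limit and the sample message are constructed assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MAXPRINTMSG 1024   /* size of the local buffer the advisory describes */
#define MAX_CHAT_LEN 150   /* hypothetical per-message limit a server might enforce */

/* Bounded stand-in for the G_Printf() pattern: vsnprintf() writes at most
 * 'size' bytes including the NUL and returns the length the full message
 * would have had, so a return value >= size means truncation, not overflow. */
int bounded_printf(char *dst, size_t size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int needed = vsnprintf(dst, size, fmt, ap);
    va_end(ap);
    return needed;
}

/* Builds the "say: NICK: text" console line for a chat command. Returns the
 * number of bytes stored in 'line' and sets *truncated if it did not fit. */
size_t format_chat_line(char *line, size_t size, const char *nick,
                        const char *text, int *truncated)
{
    int needed = bounded_printf(line, size, "say: %s: %s\n", nick, text);
    *truncated = needed < 0 || (size_t)needed >= size;
    return strlen(line);
}

/* Server-side input check: refuse chat text longer than MAX_CHAT_LEN bytes
 * before it reaches any formatting routine. Returns 1 if acceptable. */
int chat_text_acceptable(const char *text)
{
    for (size_t i = 0; i <= MAX_CHAT_LEN; i++)
        if (text[i] == '\0')
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed oversized message modelled on the advisory's "aaaa..." line. */
    char big[4096], line[MAXPRINTMSG];
    int truncated = 0;
    memset(big, 'a', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    size_t n = format_chat_line(line, sizeof line, "NICKNAME", big, &truncated);
    printf("stored %zu bytes, truncated=%d, accepted=%d\n", n, truncated,
           chat_text_acceptable(big));
    return 0;
}
```

With the 4095-byte message the line is cut at 1023 bytes and flagged as truncated, and the input check rejects it before formatting would even be attempted.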
Games herd, please verify/advise.
I don't have a problem just punting the package if it really is unsupported (last release was in 2003). Not like we can do anything about it other than bug upstream, since it's closed source ;) and IIRC, LucasArts generally doesn't respond to people ...
I vote to punt as well. Wolf?
Punt away
games: mask/remove as you see fit.
I removed games-server/jediacademy-ded from portage. What about games-server/jedioutcast-ded? Does it use the same code base?
After a quick vote the games team decided to remove games-server/jedioutcast-ded as well. They're both gone. Security team, you may close at will.
Closed. Not used enough to justify a removal GLSA.