Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
It is currently 19 Jul 2012 11:59

All times are UTC [ DST ]





Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 20 posts ] 
 Post subject: Question about latest Cod4 DoS advisory
PostPosted: 27 Jun 2008 07:54 

Joined: 27 Jun 2008 07:41
Posts: 27
Hi aluigi,

Great tools you have here :), but I do have 1 question with your latest advisory for Call of Duty 4 ( Patch 1.6 )

Located here: http://aluigi.altervista.org/adv/cod4vamap-adv.txt

I was successful in terminating one of our test servers tonight by use of the command in console: " /exec cod4va ", and then I was kicked for the below screenshot reason:

http://img47.imageshack.us/my.php?image=problemdt1.jpg

I tried to rejoin another server ( under a different name ) and test the same command out.. At the bottom of the screen it would say:

" Unknown cmd aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa "
I tried this on a few other servers with no luck.

Can you explain why this may be doing this?

Any help would be great, thank you! :)


 
 
 Post subject:
PostPosted: 27 Jun 2008 09:05 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
the first error you see in that image is normal, it means that it's all ok and the server is terminated (the process is still running but the server is not).

As for the other problem, I can think of a mod or maybe a patch (the code is the same as in cod2 and cod1; in fact I'm going to release my patch for cod4 right now).


 
 Post subject:
PostPosted: 27 Jun 2008 22:04 

Joined: 27 Jun 2008 07:41
Posts: 27
Thank you for the fast reply, I will try to use your new patched version of Call of Duty 4 and report back to you asap :)

Edit*: I tested out the application, and it worked fine on our two test servers, making the two servers terminate immediately, and still are down.. ( waiting for our game server provider to restart them )

However, on a 3rd attempt on a random server, I got this funny message at the bottom:

http://img73.imageshack.us/my.php?image=problem2nz4.jpg

All weird symbols and numbers - I received this message on a few other servers so I thought I would post it here with you.


 
 Post subject:
PostPosted: 27 Jun 2008 23:12 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
very strange, seems like it visualizes uninitialized data.
Can you open cod4va.cfg with a text editor and use a string of 'a's which is 2 or 4 times longer than the current one?
I think nothing changes but trying could help.

Then do you know if these servers on which you have noticed this strange effect use some non-standard configuration like mods or other stuff?


 
 Post subject:
PostPosted: 28 Jun 2008 01:37 

Joined: 27 Jun 2008 07:41
Posts: 27
As far as I know the servers did not have any mods, they were just normal.. Our two test servers were TDM , and the random 3rd was a HQ server.

It seemed to work fine, but it will stop working almost immediately.

Here is a screenshot of my folder:

http://img185.imageshack.us/my.php?imag ... em3uy1.jpg

Let me know if I need to change anything.

Does this type of code buffer work in any other games besides Call of Duty, such as Battlefield 2?


 
 Post subject:
PostPosted: 28 Jun 2008 03:36 

Joined: 16 Aug 2007 06:25
Posts: 367
I have tested the "/exec cod4va" on a few servers, and it has worked on them all except for 1. For that 1 server, it is spitting out random text (like you posted in the screenshot). Here is that server's info if it can be of any help:

http://img205.imageshack.us/img205/8279/cod4iy4.jpg

I have doubled the length of the string in cod4va.cfg, even tripled, but still no go. The particular server also hosts a bunch of other cod4 servers on the same IP, and it doesn't work on any of those either: http://www.game-monitor.com/search.php? ... 152.181.68

Sorry if you don't like posting the IP =(, but I'm not sure how else you could investigate it, as this is the only set of servers that it's not working on for me.


 
 Post subject:
PostPosted: 28 Jun 2008 08:26 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
I have probably found the mystery (I had this hypothesis in mind since yesterday and probably this should confirm it): the server seems to run on Linux.

Probably the Linux version of CoD4, which is maintained by Icculus, isn't affected by the problem and shows the initialized output buffer which is not filled, since snprintf on *nix works differently than on Windows.


 
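The snprintf difference mentioned in the post above, as an added example that is not part of the original thread or of the game's code: C99 `snprintf` always terminates the buffer and returns the length the full string would have had, while the legacy MSVC `_snprintf` returns a negative value and leaves the buffer unterminated when the output does not fit. `legacy_snprintf`, `format_fit` and the sample input are hypothetical names constructed here, and the legacy behaviour is emulated so the block runs on any platform.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Emulates (assumption) legacy MSVC _snprintf: when the output does not fit,
   the buffer is filled with no terminator and a negative value is returned. */
static int legacy_snprintf(char *dst, size_t size, const char *fmt, ...)
{
    char tmp[1024];
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(tmp, sizeof tmp, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= sizeof tmp) return -1;
    if ((size_t)n < size) { memcpy(dst, tmp, (size_t)n + 1); return n; }
    memcpy(dst, tmp, size);               /* full buffer, no '\0' written */
    return (size_t)n == size ? n : -1;
}

/* Accepts either return convention: 1 = output fit, 0 = truncated.
   dst is guaranteed to be terminated afterwards. */
static int format_fit(char *dst, size_t size, int ret)
{
    if (size == 0) return 0;
    if (ret < 0 || (size_t)ret >= size) { dst[size - 1] = '\0'; return 0; }
    return 1;
}

/* Constructed input: an over-long run of 'a' echoed back in a message. */
static void make_arg(char *arg, size_t len) { memset(arg, 'a', len - 1); arg[len - 1] = '\0'; }

int demo_c99(char *buf, size_t size)
{
    char arg[64]; make_arg(arg, sizeof arg);
    return snprintf(buf, size, "Unknown cmd %s", arg);
}

int demo_legacy(char *buf, size_t size)
{
    char arg[64]; make_arg(arg, sizeof arg);
    return legacy_snprintf(buf, size, "Unknown cmd %s", arg);
}

int main(void)
{
    char buf[16];
    int r = demo_c99(buf, sizeof buf);
    printf("c99:    ret=%d fit=%d\n", r, format_fit(buf, sizeof buf, r));
    r = demo_legacy(buf, sizeof buf);
    printf("legacy: ret=%d fit=%d text=%s\n", r, format_fit(buf, sizeof buf, r), buf);
    return 0;
}
```

A caller that tests only `ret < 0` misses truncation under C99, and one that trusts the buffer after a legacy-style call reads past its end; checking both conditions and forcing the terminator covers either runtime.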
 Post subject:
PostPosted: 28 Jun 2008 13:14 

Joined: 27 Jun 2008 07:41
Posts: 27
Would you be able to make a version that exploits the same type of termination feature on Linux as it is on Windows, just perhaps a different code?

My only question then about the problem is: I tried it 1 time on our test server and it worked perfectly, I then tried again today and it didn't work.. so I'm curious to know why it worked that 1 time but not anymore.

Thank you


 
 Post subject:
PostPosted: 28 Jun 2008 14:22 

Joined: 28 Jun 2008 14:20
Posts: 1
In the newest version of punkbuster they are blocking this...

I crashed my local server several times with /exec cod4va, then I updated punkbuster and I kept getting random letters instead of a crash


 
 Post subject:
PostPosted: 28 Jun 2008 17:04 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
uhmmm, seems that punkbuster wants to put the hands on another piece of the market... very bad, very bad
they did the same with the format strings bug and the hell bell bug I reported in various other games.

yoall, thanx a lot for having solved our doubts.


 
 Post subject:
PostPosted: 28 Jun 2008 19:57 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
anyway, rethinking the work-around made by PB, it's a good idea naturally for protecting admins if developers don't care about fixing bugs (and considering that those bugs have been known since 2006 I think this is the perfect case) but there is something I don't understand.

The latest update (which is exactly the same date of my advisory) on PB for CoD4 is about the client part of the anticheat system:

http://www.evenbalance.com/index.php?pa ... t-cod4.php

so I hope they have not implemented the check client-side because it is not a solution... I could send a mail to PB asking for details so we can clarify all the doubts definitely


 
 Post subject:
PostPosted: 28 Jun 2008 21:04 

Joined: 27 Jun 2008 07:41
Posts: 27
Is there a way, aluigi, to still cause the server to terminate by use of an exec command line?

I really liked how well this worked when it did, if so please let me know :)

- Tic Tac


 
 Post subject:
PostPosted: 28 Jun 2008 22:50 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
I have not found other similar vulnerabilities in CoD4 so for the moment I can say no, there are no other ways/bugs


 
 Post subject:
PostPosted: 29 Jun 2008 04:14 

Joined: 27 Jun 2008 07:41
Posts: 27
Since you said it doesn't work on linux based machines, is there an easy way maybe through another online game tracker that tells if the server is running on a linux or windows machine?


 
 Post subject:
PostPosted: 29 Jun 2008 07:30 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
no no, the thing I said about Linux was only a hypothesis since I wasn't aware of that thing about Punkbuster.

About tracking the servers through their OS, it all depends on the game.
For example Half-life shows if it's a windows or linux server in the query's reply, CoD4 (and many other games) does not.

Anyway I think that the Linux version has not been supported for months, the latest available in fact is dated 30 Jan 2008 and is version 1.5:

http://0day.icculus.org/cod/

considering this "update" problem I think the majority of admins run the cod4 server on linux through wine... it's the only idea I can think of.


 
 Post subject:
PostPosted: 29 Jun 2008 08:09 

Joined: 27 Jun 2008 07:41
Posts: 27
oh ok I see what you're saying.. hopefully some new bugs will be found out. They released 1.7 quite fast to fix some of the problems caused by 1.6

Is it possible to fill up the server with actual players - I don't mean like the fake players bug where it just fills up all the slots, but where the game actually spawns players, that way the server can say it's full ( 24/24 ) so it can gain time? Is this possible or can it not spawn the actual players?

Thank you


 
 Post subject:
PostPosted: 29 Jun 2008 16:20 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
if you mean something like fake players but with the rest of the in-game protocol for allowing them to spawn on the map, move, chat and so on, yes this is possible (just like a mini q3 client).

There is a similar project for EnemyTerritory but I no longer remember the name unfortunately.


 
 Post subject:
PostPosted: 30 Jun 2008 01:43 

Joined: 27 Jun 2008 07:41
Posts: 27
Do you have a tool that allows you to do this for Call of Duty 4?

So you can spawn in actual players that count towards the population and, as you said, carry the rest of the in-game protocol.

Thank you


 
 Post subject:
PostPosted: 30 Jun 2008 08:19 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
no, I don't have this


 
 Post subject:
PostPosted: 30 Jun 2008 19:30 

Joined: 27 Jun 2008 07:41
Posts: 27
ok no problem. Thank you for all the help.

