Security Patch for Tribes 2

Bahke

This patch fixes a serious remote code execution vulnerability in the network code of Tribes 2.
The vulnerability affects both the client and server.
If anybody wants proof that there is a problem, I can show how it is exploitable remotely. (I will only do this if asked to by the server owner)
To install the patch, put it in the scripts/autoexec folder.


https://dl-web.dropbox.com/s/dc15omwgqh1krij/security.cs

Thyth

memPatch("A3C300","A370C3A300E8D609A0FF8B46205053E98103A0FF");
memPatch("A3C330","C70570C3A30000000000E8A109A0FF8B462085C0E96D03A0FF");
memPatch("A3C400","E80BFB9FFF6089C38B1570C3A300B8FF00000029D039C37D0661E92509A0FFA380C3A30061A180C3A300E91509A0FF");
memPatch("A3C430","E8DBFA9FFF6089C38B1570C3A300B8FF00000029D039C37D0661E9A009A0FFA380C3A30061A180C3A300E99009A0FF");
memPatch("43C68B","E970FC5F00");
memPatch("43C6AC","E97FFC5F00");
memPatch("43CD3F","E9BCF65F00");
memPatch("43CDEA","E941F65F00");

These patches seem to ensure that some vulnerable 256 byte buffer (or pair of buffers?) is not overflown? I haven't looked at these in the context of the code they're patching, but (to anyone uncertain) this is safe to use.

Given that the game was written in C++ almost 2 decades ago (thus not representing a paragon of secure software development practices), do you think there are other comparable issues exposed to the network processing code in the game, or is this the only one you think is reasonably plausible?

Bahke

This is almost certainly the only problem in Tribes2 that can be exploited for RCE. I also created a pull request for Torque3D to fix the same problem. There may be a few ways to crash a T2 server without RCE, but the only one I found was the Null command one which is already patched by cmdArmor

Bahke

There is one more problem that I experienced when having too many bots, but I still need to make a fix for that. I made a temporary fix for it a while ago however it was buggy.