Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-38221: Discovering a Buffer Overflow in The Isle Evrima Dedicated Server - TakeTheBait

A buffer overflow in the FTcpListener thread in The Isle Evrima (the dedicated server on Windows and Linux) 0.9.88.07 before 2022-08-12 allows a remote attacker to crash any server with an accessible RCON port, or possibly execute arbitrary code.

CVE
#vulnerability#windows#ubuntu#linux#rce#buffer_overflow#auth

Discovering a Buffer Overflow in The Isle Evrima Dedicated Server

The CVE program has assigned CVE ID: CVE-2022-38221 for this exploit. You can view it here.

So I’ve been playing this game on steam, The Isles. Great game, but I like to host my own servers when I can. So I downloaded the dedicated server, booted it up and it was running. I took a look at the patch notes and noticed RCON had been introduced, but wasn’t implemented yet. I took a look at the official discord, and not much info was there. So I took to doing a little reverse engineering and came up with the first public The Isles Evrima python client, which can be found here. I’m a tinkerer by nature, so I wanted to take a closer look at how the information was handled. After all, I’m running this server, the game is still in development, so I wanted to see how secure I was. I didn’t think I would find a buffer overflow on the Isle Evrima.

Finding the vulnerability

I decided what any security researcher would do, and sent a bunch of bytes to the RCON server. And…Nothing. So I decided to wrap the buffer into the password command, and that’s where things got interesting. So I ran the following python code, which encases a 200,000 byte buffer into the password field, and send it over to RCON running on port 8888.

import socket, time, sys

ip = "127.0.0.1"
port = 8888
timeout = 10
string = "A" * 200000
while True:
  try:
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
      s.settimeout(timeout)
      s.connect((ip, port))
      string = string.encode()
      payload = bytes('\x01', 'utf-8') + string + bytes('\x00', 'utf-8')
      print("Fuzzing with {} bytes".format(len(payload)))
      s.send((payload))
      message = s.recv(1024)
      print(message)
  except:
    print("Fuzzing crashed at {} bytes".format(len(payload)))
    sys.exit(0)
  time.sleep(2)

Windows Access Exception

Access Violation Windows

So the server crashed, and we got an access violation. Well of course we did! Considering the address we attempted to access was well past the stack. We can also see a debug string “Error receiving data from the TCP socket”. The thread is the FTcpListener. So it’s safe to assume the overflow occurred within TCP connection handler. The password buffer seems to have a 1000 byte limit, so I don’t think it actually occurs there, but once the buffer is received. I have a dedicated server running on a Linux box, so I decided to test it remotely, yup it works. So its safe to assume that any server with an accessible RCON port with RCON enabled will be vulnerable to this attack.

This includes every one of the official servers. Meaning someone could shut them down indefinitely with a short python script until the devlopers patch it or disable RCON on the official servers. RCON is a plain text protocol, so I hope the developers are not actually accessing it outside of the local network for official servers.

A Buffer Overrun Exception

Now sending 200,000 bytes is a bit overkill. What happens when we send just enough? Well it turns out just enough is about 2047 bytes within the buffer(on windows), and it will render us with a “STATUS_BUFFER_OVERRUN”, which is actually a good thing,

The Stack Canary protects from remote code execution.

STATUS_STACK_BUFFER_OVERRUN

Linux Segmentation Fault

Corruption Canary saves us, for now

Now a buffer overrun might sound scary, but really, its a good thing. You see that string there” Corruption Canary was …” That means there is a stack Canary, a address responsible for detecting overflows and terminating a process. That means an attacker can still crash your server with no authentication, BUT, they will face an additional hurdle when attempting to execute shell code. That does not mean its impossible. Given some time, a skilled reverse engineer could bypass the stack canary and own any server running RCON. (Including the official servers). This is a scary thought.

Reporting to the Developers

So I’m sitting on a bug and an exploit that allows me to crash any official server at any time, along with many unofficial servers. And its a matter of time before someone malicious finds this. It’s time to report. There were many ways to publicly report a bug, but nowhere privately for a vulnerability. I used the bug report form to tell the devs to message me over discord, posted on the bug section for someone to message me, and sent an email to the support team letting them know that I had found a buffer overflow on the isle evrima. I’ve gotten a response, and as of 8/12/2022 the buffer overflow has been patched.

On a side note, if you would like to set up your own server, I’ve made a tutorial here for Linux via Linode : Create a Dedicated The Isle Evrima Server on Ubuntu 22.04 Linux – TakeTheBait

And if you are facing issues your your personal server, I’ve made a post detailing most of the common issues and resolutions:

Troubleshooting the Isle Dedicated Server Issues – TakeTheBait

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907