CVE-2004-1576

Vulnerability

Judge Dredd: Dredd vs. Death version 1.01 and earlier contains a format string vulnerability in the handling of in-game messages, such as chat messages and player connection notifications. When the server processes a message containing format string specifiers (e.g., %n), it passes user-controlled input directly to a format function without sanitization, leading to a crash. The bug is reachable when any client sends a crafted message to the game server [1].

Exploitation

An attacker must have access to the game match (i.e., be able to connect to the server; if password protected, the attacker must know the password). By sending a chat message containing format string specifiers (for example, %n%n%n%n%n) via the in-game chat interface (default key 'T'), the server immediately crashes. The attack can be performed from a remote client or locally if running a client on the same machine as the server [1].

Impact

Successful exploitation causes a denial of service (application crash) of the game server. The attacker does not gain code execution or privilege escalation; the impact is limited to disrupting gameplay for all connected players [1].

Mitigation

No official patch or fixed version has been released by the vendor (Rebellion). Users can mitigate the risk by only allowing trusted players on the server, using a password, or discontinuing use of the product. The vulnerable versions (≤1.01) should be considered end-of-life [1].