[Full-disclosure] Multiple vulnerabilities in Firefly Media Server (mt-daapd) 2.4.1 / SVN 1699

2007-12-07 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Firefly Media Server (mt-daapd)
  http://www.fireflymediaserver.org
Versions: <= 2.4.1 and SVN <= 1699
Platforms:*nix, Windows, Mac and others
Bugs: A] partial directory traversal on Windows
  B] authentication bypass on Windows
  C] duplicated HTTP parameter Denial of Service
  D] CPU at 100% with partial queries
Exploitation: remote
Date: 03 Dec 2007
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


Firefly Media Server (aka mt-daapd) is an open source server for the
DAAP protocol used by Roku SoundBridge and iTunes.


###

===
2) Bugs
===

-
A] partial directory traversal on Windows
-

Using three dots in the HTTP query it is possible to get a specific
file in the parent directory of the Firefly admin-root folder.
That means an attacker can download the mt-daapd.conf file, which
contains the whole configuration of the server, or other files such as
firefly.log.

If the server is protected by a password it is enough to use bug B
below, which allows any external unauthenticated attacker to download
these files (in short, GET /.../mt-daapd.conf works only if no password
is set; otherwise you must use GET .../mt-daapd.conf or the other
methods explained there).

In my tests it was possible to go down only one directory, that's why
I consider it "partial".

This problem is exploitable only against Windows servers.


---
B] authentication bypass on Windows
---

Using a dot '.' or a backslash '\' in place of the usual leading '/',
or nothing at all (GET file.txt HTTP/1.0), allows any unauthenticated
attacker to download files from the admin-root folder even when the
server is protected by a password.
Although the admin-root folder doesn't contain sensitive information,
it becomes very dangerous when combined with bug A as written above.

Note that the trick works only for the "real" files and not for the
special ones like xml-rpc and the DAAP commands.

This problem is exploitable only against Windows servers.


--
C] duplicated HTTP parameter Denial of Service
--

It's possible to terminate the server remotely simply by sending two or
more HTTP header fields (parameters) with the same name, like two Host
or User-Agent headers or any other name.


---
D] CPU at 100% with partial queries
---

Not as dangerous as the bugs above, but the server's CPU goes to 100%
while it receives a query, which means that anyone can just connect to
it and send only the first line (GET / HTTP/1.0) to cause this effect,
which continues forever even after the attacker disconnects.
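The following is an added example and is not part of the advisory or of
the Firefly code: a request validator in C that refuses the four request
shapes described in bugs A-D before any file lookup or authentication
check runs. It assumes CRLF line endings and tests the decoded path, so
"...", "..", "%2e%2e" and "%5c" are all treated alike; the sample
requests in the test are constructed from the descriptions above.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum req_status {
    REQ_OK = 0,
    REQ_BAD_LINE,     /* not "METHOD target HTTP/1.x", or a malformed header */
    REQ_BAD_TARGET,   /* target does not begin with '/'            (bug B) */
    REQ_TRAVERSAL,    /* backslash or a dot-only path segment      (bug A) */
    REQ_DUP_HEADER,   /* same header name twice                    (bug C) */
    REQ_INCOMPLETE    /* header block never terminated             (bug D) */
};

/* Percent-decode s in place; 0 on a malformed %XX. */
static int pct_decode(char *s)
{
    char *w = s;
    for (; *s; s++, w++) {
        if (*s == '%') {
            if (!isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2]))
                return 0;
            char hex[3] = { s[1], s[2], 0 };
            *w = (char)strtol(hex, NULL, 16);
            s += 2;
        } else {
            *w = *s;
        }
    }
    *w = '\0';
    return 1;
}

/* Case-insensitive compare of n bytes (header names are case-insensitive). */
static int name_eq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Bugs A and B: absolute path, no backslash, no segment made only of dots
 * ("..", "...", "...."); checked after decoding so %2e%2e or %5c do not
 * slip past the test. */
static enum req_status check_target(const char *target)
{
    char buf[1024];
    if (*target != '/')
        return REQ_BAD_TARGET;
    if (strlen(target) >= sizeof buf)
        return REQ_BAD_LINE;
    strcpy(buf, target);
    if (!pct_decode(buf))
        return REQ_BAD_LINE;
    char *q = strchr(buf, '?');
    if (q)
        *q = '\0';
    if (strchr(buf, '\\'))
        return REQ_TRAVERSAL;
    for (char *seg = strtok(buf, "/"); seg; seg = strtok(NULL, "/"))
        if (strspn(seg, ".") == strlen(seg))
            return REQ_TRAVERSAL;
    return REQ_OK;
}

/* Validate one raw request (CRLF line endings).  Anything but REQ_OK is
 * dropped before the file lookup or the authentication check ever sees it. */
enum req_status check_request(const char *raw)
{
    const char *end = strstr(raw, "\r\n\r\n");
    if (!end)
        return REQ_INCOMPLETE;    /* bug D: a half request is not a request */

    char method[16], target[1024], version[16];
    if (sscanf(raw, "%15s %1023s HTTP/%15[0-9.]", method, target, version) != 3)
        return REQ_BAD_LINE;

    /* Bug C: remember every header name seen and refuse a repeat. */
    char names[64][64];
    int n = 0;
    const char *line = strstr(raw, "\r\n") + 2;
    while (line < end) {
        const char *eol = strstr(line, "\r\n");
        const char *colon = memchr(line, ':', (size_t)(eol - line));
        if (!colon || colon == line || n == 64)
            return REQ_BAD_LINE;
        size_t len = (size_t)(colon - line);
        if (len >= sizeof names[0])
            return REQ_BAD_LINE;
        for (int i = 0; i < n; i++)
            if (strlen(names[i]) == len && name_eq(names[i], line, len))
                return REQ_DUP_HEADER;
        memcpy(names[n], line, len);
        names[n++][len] = '\0';
        line = eol + 2;
    }
    return check_target(target);
}
```

Bug D is really a read-timeout and buffer-limit problem on the socket
side; the REQ_INCOMPLETE branch only shows that a request without a
terminated header block must never reach the handler.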


###

===
3) The Code
===


Example queries to send with netcat:

  http://aluigi.org/poc/fireflyz.zip

nc localhost  -v -v < file.txt


###

==
4) Fix
==


The bugs will be fixed in the next versions.


#######


--- 
Luigi Auriemma
http://aluigi.org

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Two vulnerabilities in Simple HTTPD 1.38

2007-12-07 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Simple HTTPD
  http://shttpd.sourceforge.net
Versions: <= 1.38
Platforms:Windows, *nix, QNX, RTEMS
  only Windows seems vulnerable
Bugs: A] directory traversal
  B] scripts and CGI viewing/downloading
 (%20 char found by Shay priel in Jun 2007)
Exploitation: remote
Date: 07 Dec 2007
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


Simple HTTPD (shttpd) is an open source web server created for embedded
systems.


###

===
2) Bugs
===

--
A] directory traversal
--

Using the "..\" pattern it is possible to download any file on the disk
on which the web root directory is located.


--
B] scripts and CGI viewing/downloading
--

Any script or CGI on the server can be viewed/downloaded instead of
being executed simply by appending to the requested filename the chars
'+', '.', %20 (this one reported by Shay priel in the summer of 2007),
%2e or any other byte greater than 0x7f (in hex-encoded form too).


Note that only Windows seems vulnerable to the above bugs.


###

===
3) The Code
===


A]
http://SERVER/..\..\..\boot.ini
http://SERVER/..\%2e%2e%5c..\boot.ini

B]
http://SERVER/file.php+
http://SERVER/file.php.
http://SERVER/file.php%80
http://SERVER/file.php%ff
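Added example, not shttpd code: a naive and a hardened CGI dispatch
decision in C for the bug B class, plus the backslash rejection for bug
A. It assumes that '+' decodes to a space and that only the file
extension decides whether a request is executed; the Windows behaviour
it models is that trailing dots and spaces are dropped from a filename
when it is opened, so the extension has to be tested on the canonical
name and not on the requested one.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

enum disp { SERVE_STATIC = 0, EXECUTE = 1, REJECT = 2 };

static const char *const SCRIPT_EXT[] = { ".php", ".cgi", ".pl", NULL };

/* Decode %XX and '+' (assumed to mean space) into out; 0 on error/overflow. */
static int decode_target(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *in; in++) {
        if (n + 1 >= outlen)
            return 0;
        if (*in == '+') {
            out[n++] = ' ';
        } else if (*in == '%') {
            if (!isxdigit((unsigned char)in[1]) || !isxdigit((unsigned char)in[2]))
                return 0;
            char hex[3] = { in[1], in[2], 0 };
            out[n++] = (char)strtol(hex, NULL, 16);
            in += 2;
        } else {
            out[n++] = *in;
        }
    }
    out[n] = '\0';
    return 1;
}

static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

static int has_script_ext(const char *name)
{
    const char *dot = strrchr(name, '.');
    if (!dot)
        return 0;
    for (int i = 0; SCRIPT_EXT[i]; i++)
        if (ieq(dot, SCRIPT_EXT[i]))
            return 1;
    return 0;
}

/* Vulnerable shape: the extension test runs on the name as requested.
 * "file.php." has the extension ".", so it is treated as static content,
 * yet Win32 opens "file.php" for that name and the source is served. */
enum disp naive_dispatch(const char *raw_path)
{
    char buf[512];
    if (!decode_target(raw_path, buf, sizeof buf))
        return REJECT;
    return has_script_ext(buf) ? EXECUTE : SERVE_STATIC;
}

/* Hardened shape: derive the name the OS will actually open and refuse any
 * leaf that changes under that canonicalisation, any byte above 0x7f, and
 * any backslash (the "..\" traversal of bug A). */
enum disp safe_dispatch(const char *raw_path)
{
    char buf[512];
    if (!decode_target(raw_path, buf, sizeof buf))
        return REJECT;
    if (strchr(buf, '\\'))
        return REJECT;
    const char *slash = strrchr(buf, '/');
    const char *leaf = slash ? slash + 1 : buf;
    size_t len = strlen(leaf);
    if (len == 0)
        return SERVE_STATIC;      /* directory request: index handling, not shown */
    for (size_t i = 0; i < len; i++)
        if ((unsigned char)leaf[i] > 0x7f)
            return REJECT;
    /* Win32 drops trailing dots and spaces before opening the file */
    size_t canon = len;
    while (canon && (leaf[canon - 1] == '.' || leaf[canon - 1] == ' '))
        canon--;
    if (canon != len)
        return REJECT;
    return has_script_ext(leaf) ? EXECUTE : SERVE_STATIC;
}
```

The naive version returns SERVE_STATIC for every suffix listed in
section 3, which is exactly the source disclosure the advisory reports;
the hardened version rejects all of them and still executes the plain
name.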


###

==
4) Fix
==


I have posted the problems in the shttpd-general mailing-list but there
is no reply yet:

  http://sourceforge.net/mailarchive/forum.php?forum_name=shttpd-general


#######


--- 
Luigi Auriemma
http://aluigi.org

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Limited upload directory traversal in HTTP File Server 2.2a / 2.3 beta (build #146)

2007-12-07 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  HTTP File Server
  http://www.rejetto.com/hfs/
Versions: <= 2.2a and <= 2.3 beta (build #146)
Platforms:Windows
Bug:  limited directory traversal in files uploading
Exploitation: remote
Date: 05 Dec 2007
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


HFS is a very nice and small file server for Windows, easy to use and
with many interesting features.


###

==
2) Bug
==


HFS allows files to be uploaded to the real folders added to the
Virtual File System.
The problem is that, using the ../ pattern, an attacker can upload
files outside the destination folder, reaching the root or any other
directory on the disk where the upload folder is located.

Note that uploading must be enabled on the target folder, that the
attacker must have access to it (access to that folder can be
restricted to a specific account) and that it is not possible to
overwrite existing files because the server avoids it (for example if
a file called file.txt already exists the new one will be called
file(1).txt).


###

===
3) The Code
===


http://aluigi.org/testz/myhttpup.zip

  myhttpup http://SERVER/folder file.txt ../../../file.txt


###

==
4) Fix
==


2.2b #150 and 2.3 beta #160


###


--- 
Luigi Auriemma
http://aluigi.org

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Crash in LIVE555 Media Server 2007.11.01

2007-11-18 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  LIVE555 Media Server
  http://www.live555.com/mediaServer/
Versions: <= 2007.11.01
Platforms:*nix, Windows, Mac and others
Bug:  crash caused by access to unallocated memory
Exploitation: remote, versus server
Date: 18 Nov 2007
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


LIVE555 Media Server is an open source RTSP server application released
under LGPL.


###

==
2) Bug
==


The function which handles the incoming requests from the clients is
affected by a vulnerability which allows an attacker to crash the
server remotely using the smallest possible RTSP request.

The problem is caused by the absence of a check that the amount of
client data (reqStrSize) is greater than or equal to 8 bytes: the
function uses unsigned numbers, so "7 - 8" is not -1 but 4294967295,
and the loop walks past the end of the allocated memory, causing the
crash.

From liveMedia/RTSPCommon:

Boolean parseRTSPRequestString(char const* reqStr,
   unsigned reqStrSize,
  ...
  unsigned i;
  for (i = 0; i < resultCmdNameMaxSize-1 && i < reqStrSize; ++i) {

...

  // Skip over the prefix of any "rtsp://" or "rtsp:/" URL that follows:
  unsigned j = i+1;
  while (j < reqStrSize && (reqStr[j] == ' ' || reqStr[j] == '\t')) ++j;
  for (j = i+1; j < reqStrSize-8; ++j) {
...
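Added example (not LIVE555 code): the loop bound above in its original
unsigned form and in a form that cannot wrap, with the request strings
constructed here. The rewritten bound "j + 8 < reqStrSize" is the same
test as "j < reqStrSize - 8" whenever reqStrSize >= 8 and is simply
false otherwise, which is the missing length check the advisory
describes.

```c
#include <limits.h>
#include <stdbool.h>
#include <string.h>

/* The arithmetic in the original bound: with reqStrSize < 8 the unsigned
 * subtraction wraps to a huge value instead of going negative. */
unsigned original_upper_bound(unsigned reqStrSize)
{
    return reqStrSize - 8;
}

/* Extract the command name and find the start of the URL after it, reading
 * only bytes in [0, reqStrSize).  Returns false when the request is too short
 * to hold "<cmd> rtsp:/..." at all. */
bool find_url_start(const char *reqStr, unsigned reqStrSize,
                    char *cmdName, unsigned cmdNameMax, unsigned *urlStart)
{
    unsigned i, j;
    for (i = 0; i < cmdNameMax - 1 && i < reqStrSize; ++i) {
        char c = reqStr[i];
        if (c == ' ' || c == '\t')
            break;
        cmdName[i] = c;
    }
    cmdName[i] = '\0';
    if (i == 0 || i >= reqStrSize)
        return false;                 /* no separator inside the buffer */

    /* Skip blanks after the command, then scan for "rtsp://" or "rtsp:/".
     * "j + 8 < reqStrSize" equals "j < reqStrSize - 8" for reqStrSize >= 8
     * and is simply false for shorter requests: no wrap, no over-read. */
    for (j = i + 1; j < reqStrSize && (reqStr[j] == ' ' || reqStr[j] == '\t'); ++j)
        ;
    for (; j + 8 < reqStrSize; ++j) {
        if (strncmp(&reqStr[j], "rtsp://", 7) == 0) {
            *urlStart = j + 7;
            return true;
        }
        if (strncmp(&reqStr[j], "rtsp:/", 6) == 0) {
            *urlStart = j + 6;
            return true;
        }
    }
    return false;
}

/* Test hook: URL offset for a request, or -1 when it must be rejected. */
long url_offset(const char *reqStr, unsigned reqStrSize)
{
    char cmd[32];
    unsigned start = 0;
    return find_url_start(reqStr, reqStrSize, cmd, sizeof cmd, &start) ? (long)start : -1;
}
```

A 4-byte "PLAY" is the kind of minimal request the advisory means: the
original bound evaluates to 4294967295 for it, while the rewritten loop
never starts.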


###

===
3) The Code
===


http://aluigi.org/poc/live555x.zip


###

==
4) Fix
==


Version 2007.11.18


###


--- 
Luigi Auriemma
http://aluigi.org

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Clients buffer-overflow in Live for Speed 0.5X10

2007-10-13 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Live for Speed
  http://www.lfs.net
Versions: <= 0.5X10
Platforms:Windows
Bug:  client buffer-overflow during skins handling
Exploitation: remote, versus clients (the attacker can be a malicious
  client or the same server)
Date: 13 Oct 2007
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


Live for Speed (LFS) is one of the best known and coolest car racing
simulators available and allows a lot of things: races, autocross,
drifting, drag races, demolition derby, knock out and more.


###

==
2) Bug
==


Live for Speed allows the players to use different skins for their
cars, which can be those available by default or new skins in DDS
format created by the users themselves.

When a player, after having joined the server, decides to enter the
track, a packet with all the information about his car (like setup,
colors and skin) is sent to the server, which forwards some of this
data to all the other connected clients.

The field which contains the name of the skin in use by the player is
a 16-byte field which is read by the clients and concatenated to the
name of his car for the subsequent loading of the needed DDS file from
the local skins folders.
The operation is performed without the proper checks, resulting in a
stack buffer-overflow.

So, in short, any client which can join a server and race on it (not
as a spectator) is also able to exploit this vulnerability to crash or
possibly execute malicious code (the maximum number of allowed chars
is 48) on all the clients connected to the server, except himself.


###

===
3) The Code
===


http://aluigi.org/poc/lfscbof.zip


###

==
4) Fix
==


No fix.
The developers have not been contacted since other buffer overflow
vulnerabilities which affect the clients locally, found by my friend
n00b and reported to them at the end of July, still exist (not patched
yet).


###


--- 
Luigi Auriemma
http://aluigi.org
http://forum.aluigi.org
http://mirror.aluigi.org

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] NULL pointer crash in World in Conflict 1.000

2007-10-09 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  World in Conflict
  http://www.worldinconflict.com
Versions: <= 1.000
Platforms:Windows
Bug:  access to NULL pointer
Exploitation: remote, versus server
Date: 09 Oct 2007
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


World in Conflict is an RTS game developed by Massive Entertainment
(http://www.massive.se) and released about a month ago.


###

==
2) Bug
==


The server is vulnerable to a Denial of Service attack (crash) caused
by the access to a NULL pointer.
The problem happens in the GetMagicNumberString function, which takes
the third byte of the data received from the client on the VOIP port
52999 and returns a text string if this value is valid ("ABC" for type
0, "DEF" for 1, "GHI" for 2 and so on) or NULL if it's invalid.
The string returned by this function is then compared with another
one, and that is where the NULL pointer access happens.


###

===
3) The Code
===


Connect to the VOIP port of the server (default 52999) with telnet or
netcat and type something like aaa.
The server will crash immediately.


###

==
4) Fix
==


Patch v1.001 (aka Update #001)


###


--- 
Luigi Auriemma
http://aluigi.org
http://forum.aluigi.org
http://mirror.aluigi.org

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Format string in The Dawn of Time 1.69s beta4

2007-10-05 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  The Dawn of Time
  http://www.dawnoftime.org
Versions: <= 1.69s beta4 (and 1.69r too)
Platforms:*nix and Windows
Bug:  format string in web server authorization
Exploitation: remote
Date: 05 Oct 2007
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


The Dawn of Time (aka Dawn) is a MUD server originally based on the
ROM codebase.


###

==
2) Bug
==


A format string vulnerability is located in the function which handles
the access to the restricted zones of the internal web server, like
"Reset password".
After the base64 string containing username:password has been decoded,
the result is passed to sprintf() as the format string itself, with no
fixed format argument.

from websrv.cpp:

bool processWebHeader(web_request_data *w){
...
    if (str_len(pLine)>0 && str_len(pLine)<200){
        char decoded[200];
        char *d;

        d =decodeBase64(pLine);
        if (d){
            sprintf(decoded,d);
...
void filterWebRequest(connection_data *c){
...
    if (str_len(pLine)>0 && str_len(pLine)<200){
        char decoded[200];
        char *d;

        d =decodeBase64(pLine);
        if (d){
            sprintf(decoded,d);
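Added example, not Dawn code: the corrected shape of the two call sites
above in C, with a base64 decoder and constructed Authorization values
standing in for decodeBase64() and pLine. The decoded credential is only
ever passed as a "%s" argument, and format_directives() shows why the
original is exploitable by counting the conversions printf would act on
in the username. The same "user data as the format string" defect is
what the Dropteam (packet 0x01) and Alien Arena (safe_bprintf)
advisories further down this page describe.

```c
#include <stdio.h>
#include <string.h>

/* Decode standard base64 (padding optional) into out; returns the decoded
 * length, or -1 on an invalid character or when out is too small. */
int b64_decode(const char *in, unsigned char *out, size_t outlen)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    unsigned acc = 0;
    int bits = 0;
    size_t n = 0;
    for (; *in && *in != '='; in++) {
        const char *p = strchr(tbl, *in);
        if (!p)
            return -1;
        acc = (acc << 6) | (unsigned)(p - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outlen)
                return -1;
            out[n++] = (unsigned char)(acc >> bits);
        }
    }
    return (int)n;
}

/* Number of conversions printf would act on if s were the format string.
 * Anything but 0 for attacker-chosen s means sprintf(buf, s) is exploitable;
 * "%%" is a literal percent and is not counted. */
int format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Corrected shape of the two call sites: bounded copies, and the decoded
 * bytes appear only as a "%s" argument, never as the format. */
int decode_basic_auth(const char *b64, char *user, size_t ulen, char *pass, size_t plen)
{
    unsigned char raw[200];
    int len = b64_decode(b64, raw, sizeof raw - 1);
    if (len < 0)
        return -1;
    raw[len] = '\0';
    char *colon = strchr((char *)raw, ':');
    if (!colon)
        return -1;
    *colon = '\0';
    if (snprintf(user, ulen, "%s", (char *)raw) >= (int)ulen)
        return -1;
    if (snprintf(pass, plen, "%s", colon + 1) >= (int)plen)
        return -1;
    return 0;
}

/* Test hook: directive count in the decoded username, -1 if undecodable. */
int auth_user_directives(const char *b64)
{
    char user[200], pass[200];
    if (decode_basic_auth(b64, user, sizeof user, pass, sizeof pass) != 0)
        return -1;
    return format_directives(user);
}
```

"JW4lbiVuJW4lbjp4" in the test is the base64 of "%n%n%n%n%n:x", the
username from section 3; with the original sprintf(decoded,d) those five
%n would each write to memory, with the fixed code they are just text.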


###

===
3) The Code
===


Go to:

  http://SERVER:4001/locked

and use the username %n%n%n%n%n
or just:

  http://%n%n%n%n%n:[EMAIL PROTECTED]:4001/locked


###

==
4) Fix
==


The bug will be officially fixed in the next release.
I have also opened a thread in the Dawn forum some days ago with the
instructions for the fix:

  http://forums.dawnoftime.org/viewtopic.php?t=2102


#######


--- 
Luigi Auriemma
http://aluigi.org
http://forum.aluigi.org
http://mirror.aluigi.org

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Multiple vulnerabilities in Dropteam 1.3.3

2007-10-05 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Dropteam
  http://www.battlefront.com/products/dropteam/news.html
Versions: <= 1.3.3
Platforms:Windows, Linux and Mac
Bugs: A] format string through packet 0x01
  B] buffer-overflow through packet 0x5c
  C] heap-overflow through packet 0x18
  D] various memory crash through packet 0x4b
  E] account password sent to server
Exploitation: remote, versus server
Date: 05 Oct 2007
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


Dropteam is a tactical war game developed by Battlefront
(http://www.battlefront.com).


###

===
2) Bugs
===


A] format string through packet 0x01


Various format string vulnerabilities can be exploited through packet
0x01, where the account username, the account password and the
nickname passed by the client are used directly as the format argument
of sprintf().

Note that the output strings are shown in the reply packet sent by the
server, so an attacker can tune his exploit for the maximum chance of
success if necessary.


--
B] buffer-overflow through packet 0x5c
--

A buffer-overflow is exploitable through packet 0x5c, where a stack
buffer is filled with the various data supplied by the client without
the proper checks.



C] heap-overflow through packet 0x18


Here we have a heap buffer of 16 kilobytes in which the program stores
up to 131070 (16 bit << 1) 32-bit numbers supplied by the attacker.


---
D] various memory crash through packet 0x4b
---

Another heap-overflow vulnerability is exploited during the handling of
the 0x4b packet, composed of up to 255 strings with a size of up to
65535 bytes each.


--
E] account password sent to server
--

To play Dropteam online it is necessary to register an account using a
valid product key of the purchased game.
The packet used by the client for joining the server is composed of the
following fields: account username, account password, game version and
nickname.
The problem is that the account credentials are transmitted to the
server which the client wants to join, allowing any server admin
(anyone can set up a server) to collect and use these accounts.


###

===
3) The Code
===


http://aluigi.org/poc/dropteamz.zip


###

==
4) Fix
==


The bugs will probably be fixed in the next patch.


###


--- 
Luigi Auriemma
http://aluigi.org
http://forum.aluigi.org
http://mirror.aluigi.org

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Two buffer-overflow in FSD V2.052 d9 and FSFDT V3.000 d9

2007-10-01 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  FSD
  http://www.mcdu.com/en/download.php
Versions: <= "V2.052 d9" (original FSD) and "V3.000 d9" (FSFDT FSD)
Platforms:Windows and *nix
Bugs: A] buffer-overflow in exechelp
  B] buffer-overflow in execmulticast
Exploitation: remote
Date: 01 Oct 2007
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


FSD is an (the only?) open source Flight Simulator server.
An interesting story about it is available here:

  http://www.vatpac.org/administration/history.htm


###

===
2) Bugs
===

--
A] buffer-overflow in exechelp
--

A buffer-overflow vulnerability caused by the usage of strcpy() on a
100-byte stack buffer is exploitable through the HELP command on port
3010.

from sysuser.cpp:

void sysuser::exechelp(char **array, int count)
{
   int copymode=0, topicmode=0, globalmode=0;
   char topic[100],line[100];
   char *s=(count>0)?array[0]:(char *)NULL;
   if (s) strcpy(topic,s); else
   ...


---
B] buffer-overflow in execmulticast
---

Another stack buffer-overflow, with another 100-byte buffer, is
exploitable by sending various commands to port 6809 which end up
calling the sendmulticast function.

from servinterface.cpp:

int servinterface::sendmulticast(client *source, char *dest, char *s,
   int cmd, int multiok, absuser *ex)
{
   client *destination=NULL;
   char data[1000], servdest[100];
   ...
   switch (dest[0])
   {
  case '@': case '*':
 if (!multiok) return 0;
 strcpy(servdest, dest);
 break;
  default:
 sprintf(servdest,"%%%s",dest);
 ...
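Added example, not FSD code: bounded versions in C of the two copies
into 100-byte stack buffers shown above. copy_topic() refuses a HELP
topic that does not fit instead of running strcpy() past the buffer,
and build_servdest() uses the return value of snprintf() to detect
truncation of the "%"-prefixed destination; the inputs in the test are
runs of 'a' built here, the shape of the proof-of-concept commands in
section 3.

```c
#include <stdio.h>
#include <string.h>

#define TOPIC_MAX    100   /* char topic[100] in exechelp */
#define SERVDEST_MAX 100   /* char servdest[100] in sendmulticast */

/* exechelp: copy the HELP topic only if it fits, including its NUL. */
int copy_topic(char topic[TOPIC_MAX], const char *s)
{
    if (!s) {
        topic[0] = '\0';
        return 0;
    }
    const char *nul = memchr(s, '\0', TOPIC_MAX);
    if (!nul)                       /* 100 or more bytes: would overflow, refuse */
        return -1;
    memcpy(topic, s, (size_t)(nul - s) + 1);
    return 0;
}

/* sendmulticast: '@' and '*' destinations are copied as they are, anything
 * else gets a '%' prefix.  snprintf() returns the length it wanted to write,
 * so truncation is detected instead of silently written past the buffer. */
int build_servdest(char servdest[SERVDEST_MAX], const char *dest, int multiok)
{
    int need;
    switch (dest[0]) {
    case '@': case '*':
        if (!multiok)
            return -1;
        need = snprintf(servdest, SERVDEST_MAX, "%s", dest);
        break;
    default:
        need = snprintf(servdest, SERVDEST_MAX, "%%%s", dest);
        break;
    }
    return (need >= 0 && need < SERVDEST_MAX) ? 0 : -1;
}

/* Test hooks: feed each call site a prefix followed by n bytes of 'a' and
 * report whether the command was accepted. */
int topic_accepts(size_t n)
{
    char buf[256], topic[TOPIC_MAX];
    if (n >= sizeof buf)
        return 0;
    memset(buf, 'a', n);
    buf[n] = '\0';
    return copy_topic(topic, buf) == 0;
}

int servdest_accepts(const char *prefix, size_t n, int multiok)
{
    char buf[256], servdest[SERVDEST_MAX];
    size_t p = strlen(prefix);
    if (p + n >= sizeof buf)
        return 0;
    memcpy(buf, prefix, p);
    memset(buf + p, 'a', n);
    buf[p + n] = '\0';
    return build_servdest(servdest, buf, multiok) == 0;
}
```

Note the off-by-one the '%' prefix introduces: a 99-character
destination already overflows servdest in the original sprintf() call,
one byte before the strcpy() case does.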


###

===
3) The Code
===


A]
connect with nc or telnet to port 3010 (sometimes it can be 3011, but
it's easy to recognize since it shows a "FSD>" prompt) and then send:

HELP ...(more_than_100_'a's)...

B]
connect with nc or telnet to port 6809; now you must log in or create a
new user, but it seems that all usernames and passwords are available
on port 3011 (or 3012), where they are sent as soon as you connect:

#AAcallsign::ident:12:12:1:9
$PIcallsign:a...(more_than_100_'a's)...

(in the above example the first 12 is the CID and the second one is
the password)


###

==
4) Fix
==


No fix.
No reply from the current maintainers (MCDU).


###


--- 
Luigi Auriemma
http://aluigi.org
http://forum.aluigi.org
http://mirror.aluigi.org

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Format string in the Doom 3 engine through PB

2007-10-01 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Doom 3 engine
Games:Doom 3 (http://www.doom3.com)<= 1.3.1
  Quake 4(http://www.quake4game.com)   <= 1.4.2
  Prey   (http://www.prey.com)   <= 1.3
  Enemy Territory: Quake WarsNOT VULNERABLE
Platforms:Windows, Linux and Mac
Bug:  format string
Exploitation: remote, versus servers with Punkbuster enabled
Date: 01 Oct 2007
Author:       Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


The Doom 3 engine (also known as id Tech 4) is the latest version of
the famous game engine developed by id Software
(http://www.idsoftware.com) and used in some recent games:

  http://en.wikipedia.org/wiki/Id_Tech_4


###

==
2) Bug
==


The function which displays strings on the game's console is affected
by a format string vulnerability, something similar to
snprintf(buff, 1024, string);
Usually this is not a problem since the engine uses some functions and
tricks to avoid the display of the % char, like dropping it or
inserting a space between it and the subsequent char.

But there is a way to bypass this limitation, with the added advantages
of doing it anonymously and with only one single spoofable UDP packet:
Punkbuster.

When Punkbuster is active on a server (practically almost all the
public servers) it displays the content of some incoming packets on
the game's console.
The Punkbuster packets needed for forcing the display of a custom
string on the console are PB_Y (YPG server) and PB_U (UCON); in the
past PB_P could be used too, but it has recently been made no longer
verbose, probably due to people abusing it for spamming servers (which
is naturally still possible with the above packets).

As already said, this is a bug in the Doom 3 engine and affects both
dedicated and non-dedicated servers, so it is NOT a Punkbuster bug:
Punkbuster is used only as a "way" of reaching a zone of the code that
is otherwise unexploitable.


###

===
3) The Code
===


http://aluigi.org/poc/d3engfspb.zip


###

==
4) Fix
==


No fix.
No reply from the developers.


###


--- 
Luigi Auriemma
http://aluigi.org
http://forum.aluigi.org
http://mirror.aluigi.org

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Format string in F.E.A.R. 1.08 through PB

2007-10-01 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  F.E.A.R. (First Encounter Assault Recon)
  http://www.whatisfear.com
Versions: <= 1.08
Platforms:Windows and Linux
Bug:  format string
Exploitation: remote, versus server with Punkbuster enabled
Date: 01 Oct 2007
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


F.E.A.R. is the most recent FPS game developed by Monolith
(http://www.lith.com).


###

==
2) Bug
==


This bug is nothing new, especially considering that it has been public
since 2004, when this game was still a beta:

  http://aluigi.org/adv/lithfs-adv.txt

What changes this time is the type of exploitation and the derived
advantages, since now the attack is completely anonymous from outside
the server and uses only one UDP packet.

When Punkbuster is enabled on a server (true for many public servers)
it displays the content of some incoming packets on the game's
console.
The Punkbuster packets needed for forcing the display of a custom
string on the console are PB_Y (YPG server) and PB_U (UCON); in the
past PB_P could be used too, but it has recently been made no longer
verbose, probably due to people abusing it for spamming servers (which
is naturally still possible with the above packets).

As already said, this is a bug in the Lithtech engine and NOT in
Punkbuster, which is used only as a "way" of exploiting it.


###

===
3) The Code
===


http://aluigi.org/poc/fearfspb.zip


###

==
4) Fix
==


No fix.
The bug has never been "really" patched although it has been public
for 3 years.


###


--- 
Luigi Auriemma
http://aluigi.org
http://forum.aluigi.org
http://mirror.aluigi.org

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Unexploitable buffer-overflow in America's Army 2.8.2 through PB

2007-10-01 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  America's Army and America's Army Special Forces
  http://www.americasarmy.com
Versions: <= 2.8.2
Platforms:Windows, Linux and Mac
Bugs: unexploitable buffer-overflow in the logging function
Exploitation: remote, versus servers with Punkbuster enabled
Date: 01 Oct 2007
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


America's Army is a realistic FPS game based on and developed by the
U.S. Army itself (http://www.goarmy.com).


###

==
2) Bug
==


This bug is the same one reported here:

  http://aluigi.org/adv/unrwebdos-adv.txt

What changes now is the possibility of exploiting it also in this
specific game (since it doesn't support, or doesn't seem to support,
the web service used as the way of exploiting the bug in that
advisory) and anonymously from outside the server with a single UDP
packet.

The only requirement is that Punkbuster is running on the server; the
vulnerability is exploited with the PB_Y (YPG server) or PB_U (UCON)
packets with a content of about 1024 bytes.

There is also another minor problem, which can be exploited only
against the Windows dedicated server (always with Punkbuster enabled):
the chars printed on the console are not filtered, so using invalid
chars or 0x07 (the bell) can freeze the entire server.


###

===
3) The Code
===


http://aluigi.org/poc/aaboompb.zip


###

==
4) Fix
==


No fix.
The bug has been public since 18 Aug 2007 and the developers of the
engine have been aware of it since some weeks before that date.


#######


--- 
Luigi Auriemma
http://aluigi.org
http://forum.aluigi.org
http://mirror.aluigi.org

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Multiple vulnerabilities in the gMotor2 engine

2007-09-19 Thread Luigi Auriemma

Just an update about the advisory I released one month ago for the
rFactor game.
This game uses the same gMotor2 engine which is also used by many other
well known games like F1 Challenge 99-02, GT Legends, GTR, GTR 2, RACE,
Race 07, BMW M3 Challenge and so on.

The new advisory (not a usual advisory since I have NOT performed
further and specific research except a new proof-of-concept) is
available here:

  http://aluigi.org/adv/gmotor2-adv.txt


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Format string and clients disconnection in Alien Arena 2007 6.10

2007-09-05 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Alien Arena 2007
  http://red.planetarena.org
Versions: <= 6.10 and current SVN
Platforms:Windows and Linux
Bugs: A] in-game format string in safe_bprintf
  B] clients disconnection through spoofed client_connect
Exploitation: A] remote versus server
  B] remote versus clients
Date: 05 Sep 2007
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


Alien Arena 2007 is an open source FPS game developed by COR
Entertainment (alias John "Irritant" Diamond) and based on the GPL code
of the Quake 2 engine.


###

===
2) Bugs
===


A] in-game format string in safe_bprintf


A format string vulnerability is located in the safe_bprintf function,
caused by passing the already formatted buffer to cprintf as its format
argument instead of as data.
The bug can be exploited in-game (so with the usual possible password
and banning limitations) using a malformed nickname:

from game/acesrc/acebot_cmds.c:

void safe_bprintf (int printlevel, char *fmt, ...)
{
    int         i;
    char        bigbuffer[0x1];
    int         len;
    va_list     argptr;
    edict_t     *cl_ent;

    va_start (argptr,fmt);
    len = vsprintf (bigbuffer,fmt,argptr);
    va_end (argptr);

    if (dedicated->value)
        gi.cprintf(NULL, printlevel, bigbuffer);

    for (i=0 ; i<maxclients->value ; i++)
    {
        cl_ent = g_edicts + 1 + i;
        if (!cl_ent->inuse || cl_ent->is_bot)
            continue;

        gi.cprintf(cl_ent, printlevel, bigbuffer);
    }
}


---
B] clients disconnection through spoofed client_connect
---

When queried, the game server returns a lot of information, including
the list of the players currently playing and their IP addresses too.
Although the Quake 2 protocol isn't prone to spoofing attacks (unlike
Quake 3 with its disconnect packet), here it is possible to block and
disconnect all the clients playing on the server simply by using the
"client_connect" command.

So an attacker only needs to query the server, get the list of IP:port
of the players and send this command to them using the IP and the port
of the server as source.
The client will no longer be able to move or send commands on the
server and after some minutes it will time out; until then it cannot
rejoin the same server.


###

===
3) The Code
===


http://aluigi.org/poc/aa2k7x.zip


###

==
4) Fix
==


No fix.
The developer has not been contacted because he is too stupid for
understanding a bug report:

  http://www.quakesrc.org/forums/viewtopic.php?t=6843&start=1


#######


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Multiple vulnerabilities in Doomsday 1.9.0-beta5.1

2007-08-29 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Doomsday
  http://www.doomsdayhq.com
  http://www.dengine.net
  http://sourceforge.net/projects/deng/
Versions: <= 1.9.0-beta5.1 and current SVN
Platforms:Windows, Linux and Mac
Bugs: A] D_NetPlayerEvent global buffer-overflow using PKT_CHAT
  B] Msg_Write global buffer-overflow through PKT_CHAT
  C] undelimited strcpy in PKT_CHAT
  D] integer overflow in PKT_CHAT
  E] static buffer-overflow in NetSv_ReadCommands
  F] client format string through PSV_CONSOLE_TEXT
Exploitation: remote, versus servers or clients depending by the bug
Date: 29 Aug 2007
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


Doomsday (aka deng) is an open source port of the original Doom code
with tons of enhancements and addons which make it the most advanced
port at the moment.


###

===
2) Bugs
===

-
A] D_NetPlayerEvent global buffer-overflow using PKT_CHAT
-

When a chat message is received, the server takes the incoming packet
and reads who sent it, its destination and naturally the entire
message, which is copied into a heap buffer whose size is calculated
from the remaining size of the packet.
Then a strcpy() is performed to copy the message from the packet into
the newly allocated buffer called msg.
If the message is directed to the server it's displayed on the console
using the D_NetPlayerEvent function.
Subsequently the message is copied from msg into a global buffer called
netBuffer for sending it to all the other clients using the function
Msg_Write.

This explanation is valid for the other three bugs below too, since
they are all exploited through this same set of instructions, shown
here:

from sv_main.c:

void Sv_HandlePacket(void)
...
    case PKT_CHAT:
        // The first byte contains the sender.
        msgfrom = Msg_ReadByte();
        // Is the message for us?
        mask = Msg_ReadShort();
        // Copy the message into a buffer.
        msg = M_Malloc(netBuffer.length - 3);
        strcpy(msg, (char *) netBuffer.cursor);
        // Message for us? Show it locally.
        if(mask & 1)
        {
            Net_ShowChatMessage();
            gx.NetPlayerEvent(msgfrom, DDPE_CHAT_MESSAGE, msg);
        }
        // Servers relay chat messages to all the recipients.
        Msg_Begin(PKT_CHAT);
        Msg_WriteByte(msgfrom);
        Msg_WriteShort(mask);
        Msg_Write(msg, strlen(msg) + 1);
        for(i = 1; i < MAXPLAYERS; i++)
            if(players[i].ingame && mask & (1 << i) && i != from)
            {
                Net_SendBuffer(i, SPF_ORDERED);
            }
        M_Free(msg);
        break;

In the case of D_NetPlayerEvent the result is a global buffer overflow
of msgBuff, caused by a sprintf() or a strcpy() depending on the number
of players in the server.

Important note: although this is a global buffer-overflow, on the
Windows game server (not the dedicated one) it is possible to control
the code flow, since EIP takes the value sent by the attacker, and so
it could be possible to execute malicious code.
The bug can moreover be exploited not only against the servers but also
against all the connected clients, since the oversized data is
forwarded to them by the same server.

from d_net.c:

char    msgBuff[256];
float   netJumpPower = 9;
...
long int D_NetPlayerEvent(int plrNumber, int peType, void *data)
...
    // DDPE_CHAT_MESSAGE occurs when a PKT_CHAT is received.
    // Here we will only display the message (if not a local message).
    else if(peType == DDPE_CHAT_MESSAGE && plrNumber != consoleplayer)
...
        // If there are more than two players, include the name of
        // the player who sent this.
        if(num > 2)
            sprintf(msgBuff, "%s: %s", Net_GetPlayerName(plrNumber),
                    (const char *) data);
        else
            strcpy(msgBuff, data);
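The PKT_CHAT path above, modelled as an added example (this is not
Doomsday code): the packet layout (1 byte sender, 2 byte mask, then
NUL-terminated text) and the buffer sizes (msgBuff 256 bytes, netBuffer
32768 bytes) are those quoted in this advisory; the byte order of the
mask and the "name: " prefix length are assumptions. The original
strcpy() is never executed on bad input; chat_unbounded_len() reports
what it would have copied, and chat_parse_hardened() is the bounded
replacement that covers both bug A (msgBuff) and bug B (netBuffer):

```c
/*
 * Added example, not Doomsday code: a stand-alone model of the PKT_CHAT
 * path quoted above, with a hardened handler beside it.  Packet layout
 * and buffer sizes follow the advisory; mask byte order and the
 * sender-name prefix are assumptions.
 */
#include <stdint.h>
#include <string.h>

#define MSGBUFF_SIZE   256
#define NETBUFFER_SIZE 32768
#define CHAT_HDR_LEN   3            /* msgfrom (1) + mask (2) */

enum { CHAT_OK = 0, CHAT_SHORT = -1, CHAT_UNTERMINATED = -2, CHAT_TOO_LONG = -3 };

/*
 * Length the original strcpy(msg, netBuffer.cursor) copies: it stops at
 * the first NUL, which nothing guarantees lies inside the packet.
 * Returns -1 when no NUL is present, i.e. the server reads, and then
 * relays with Msg_Write(), data beyond the packet.
 */
long chat_unbounded_len(const uint8_t *pkt, size_t pktlen)
{
    if (pktlen < CHAT_HDR_LEN) return -1;
    const uint8_t *text = pkt + CHAT_HDR_LEN;
    const uint8_t *nul = memchr(text, 0, pktlen - CHAT_HDR_LEN);
    return nul ? (long)(nul - text) : -1;
}

/*
 * Would D_NetPlayerEvent overflow its 256-byte msgBuff?  With more than
 * two players the server prepends "name: ", so the sender's name counts.
 */
int chat_overflows_msgbuff(const uint8_t *pkt, size_t pktlen,
                           int num_players, const char *sender_name)
{
    long len = chat_unbounded_len(pkt, pktlen);
    if (len < 0) return 1;                       /* over-read: unsafe anyway */
    size_t total = (size_t)len + 1;              /* text + NUL */
    if (num_players > 2) total += strlen(sender_name) + 2;   /* "name" ": " */
    return total > MSGBUFF_SIZE;
}

/*
 * Hardened handler: every length is checked against the packet and the
 * destination before anything is copied.  On success the NUL-terminated
 * text is in out and its length is returned; otherwise a negative CHAT_*
 * code, and the packet must be dropped, not relayed.
 */
long chat_parse_hardened(const uint8_t *pkt, size_t pktlen, uint8_t *msgfrom,
                         uint16_t *mask, char *out, size_t outsz)
{
    if (pktlen < CHAT_HDR_LEN || pktlen > NETBUFFER_SIZE) return CHAT_SHORT;
    long len = chat_unbounded_len(pkt, pktlen);
    if (len < 0) return CHAT_UNTERMINATED;
    if ((size_t)len + 1 > outsz) return CHAT_TOO_LONG;
    *msgfrom = pkt[0];
    *mask = (uint16_t)(pkt[1] | (pkt[2] << 8));  /* little-endian assumed */
    memcpy(out, pkt + CHAT_HDR_LEN, (size_t)len + 1);
    return len;
}

/* Constructed PKT_CHAT payload: textlen bytes of 'A', optionally unterminated. */
size_t chat_build(uint8_t *pkt, size_t cap, uint8_t from, uint16_t mask,
                  size_t textlen, int terminate)
{
    size_t need = CHAT_HDR_LEN + textlen + (terminate ? 1 : 0);
    if (need > cap) return 0;
    pkt[0] = from; pkt[1] = (uint8_t)mask; pkt[2] = (uint8_t)(mask >> 8);
    memset(pkt + CHAT_HDR_LEN, 'A', textlen);
    if (terminate) pkt[CHAT_HDR_LEN + textlen] = 0;
    return need;
}

int demo_short_chat(void)        /* 10 bytes: fits everywhere */
{
    uint8_t pkt[64], from; uint16_t mask; char msg[MSGBUFF_SIZE];
    size_t n = chat_build(pkt, sizeof pkt, 1, 1, 10, 1);
    return !chat_overflows_msgbuff(pkt, n, 2, "player")
        && chat_parse_hardened(pkt, n, &from, &mask, msg, sizeof msg) == 10
        && from == 1 && mask == 1 && strlen(msg) == 10;
}

int demo_long_chat(void)         /* 300 bytes: original overflows msgBuff, hardened rejects */
{
    uint8_t pkt[512], from; uint16_t mask; char msg[MSGBUFF_SIZE];
    size_t n = chat_build(pkt, sizeof pkt, 1, 1, 300, 1);
    return chat_overflows_msgbuff(pkt, n, 2, "player")
        && chat_parse_hardened(pkt, n, &from, &mask, msg, sizeof msg) == CHAT_TOO_LONG;
}

int demo_unterminated_chat(void) /* no NUL: strcpy() would run off the packet */
{
    uint8_t pkt[64], from; uint16_t mask; char msg[MSGBUFF_SIZE];
    size_t n = chat_build(pkt, sizeof pkt, 1, 1, 20, 0);
    return chat_unbounded_len(pkt, n) == -1
        && chat_parse_hardened(pkt, n, &from, &mask, msg, sizeof msg) == CHAT_UNTERMINATED;
}

int demo_name_prefix(void)       /* 250 bytes fit alone, not once "name: " is prepended */
{
    uint8_t pkt[512];
    size_t n = chat_build(pkt, sizeof pkt, 1, 1, 250, 1);
    return !chat_overflows_msgbuff(pkt, n, 2, "player")
        && chat_overflows_msgbuff(pkt, n, 3, "player");
}
```

The relay is the part worth noting: because Msg_Write() copies strlen(msg) + 1
bytes, a rejected packet must be dropped before the relay step, otherwise the
server becomes the attacker's amplifier towards every other client.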



B] Msg_Write global buffer-overflow through PKT_CHAT


The Msg_Write function, used to fill the "send" buffer, suffers from a
global buffer overflow too; in this case the target buffer is
netBuffer, which is 32768 bytes long.

from net_msg.c:

void Msg

[Full-disclosure] Multiple denial of service in Soldat 1.4.2/2.6.2

2007-08-23 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Soldat
  http://www.soldat.pl
Versions: game <= 1.4.2 and dedicated server <= 2.6.2
Platforms:Windows (Linux not affected)
Bugs: A] clients crash caused by too long strings on the screen
  B] denial of service through file transfer port
  C] easy IP banning
Exploitation: remote
  A] versus clients
  B] versus server (Windows only)
  C] versus specific clients
Date: 23 Aug 2007
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


Soldat is a small and cool 2D multiplayer game with tons of players and
servers around the world.


###

===
2) Bugs
===


First a short introduction to the types of servers available in the
game:

- game server / non-dedicated server: a player runs Soldat.exe, starts
  the server and automatically plays in it (the player is both client
  and server at the same time)
- game dedicated server: Soldat.exe -dedicated, as above but the player
  cannot play, he only sees a graphical interface for handling the
  server
- dedicated server: this refers to the stand-alone dedicated server
  (which uses a version number different from the game), available for
  both Windows and Linux and running in a console


-
A] clients crash caused by too long strings on the screen
-

The messages displayed on the clients' screen can't be longer than
about 512 bytes, otherwise a crash occurs.
An attacker can exploit this problem in at least two ways:

- if the server is non-dedicated he can simply send this long string,
  followed by a line feed, to the file transfer port (default 23083):
  the server crashes immediately

- if the server is dedicated the attacker can send the long string as
  an in-game chat message, and any player in the server will crash as
  in the previous example

It doesn't seem possible to use this bug for executing malicious code.


---
B] denial of service through file transfer port
---

The file transfer port (default 23083, or the client port plus 10)
accepts input strings of max 16384 bytes (line feed included) and can
be a problem for both the dedicated and the non-dedicated Windows
server:

- the dedicated server runs in a classic console, which means that an
  attacker can use some chars (like 0x07) for "beeping" and freezing
  the Windows console, since the requested map name is displayed on
  the screen; during the attack the players in the server cannot play
  and the server is a hell of beeps and slowness

- the game dedicated server (Soldat.exe -dedicated) suffers from a
  similar effect too, since it becomes very slow to use and to play on


--
C] easy IP banning
--

This is a problem which has affected Soldat for a long time; the bug
lies in the lack of a real check on the players who join the server,
in short a single UDP packet is enough to be inside it.
While in the past the banning happened with malformed packets (I wrote
a PoC for it), in the recent versions it is possible to exploit this
problem by sending multiple join packets, causing a 20-minute ban of
the source IP address.
So if an attacker can spoof his packets he could ban one or more IP
addresses on a specific server.
In my opinion this is not such a big problem; I have reported it here
only for thoroughness.
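Why "one UDP packet and you are in" turns a flood ban into a weapon
against third parties, and the usual remedy, as an added example that
is not Soldat code: a server that counts join attempts per source
address before the address has proven it can receive replies bans
whoever a spoofer names. A stateless cookie (a value derived from a
server secret and the source address, returned in the first reply and
required on the real join) fixes this, because the spoofer never sees
the challenge sent to the victim. The keyed FNV-1a hash, the flood
threshold, the port and the addresses below are assumptions; a real
server should derive the cookie with HMAC or SipHash:

```c
/*
 * Added example, not Soldat code: join counting before vs. after a
 * stateless address cookie.  Hash, limits and addresses are assumptions.
 */
#include <stdint.h>
#include <string.h>

#define JOIN_FLOOD_LIMIT 5        /* joins per source before a ban, assumption */
#define MAX_TRACKED      64

typedef struct { uint32_t ip; uint16_t port; } addr_t;
typedef struct { addr_t a; int joins; int banned; } track_t;

static uint64_t g_secret = 0x5eed5eed5eed5eedULL;   /* rotate periodically */
static track_t  g_track[MAX_TRACKED];
static int      g_ntrack;

enum { JOIN_CHALLENGE = 1, JOIN_ACCEPTED = 2, JOIN_BANNED = 3, JOIN_REJECTED = 4 };

/* Keyed FNV-1a over (secret, ip, port): illustrative only, not an HMAC. */
uint32_t join_cookie(uint64_t secret, addr_t a)
{
    uint64_t h = 1469598103934665603ULL;
    const uint8_t *p;
    size_t i;
    for (p = (const uint8_t *)&secret, i = 0; i < sizeof secret; i++) h = (h ^ p[i]) * 1099511628211ULL;
    for (p = (const uint8_t *)&a.ip, i = 0; i < sizeof a.ip; i++)     h = (h ^ p[i]) * 1099511628211ULL;
    for (p = (const uint8_t *)&a.port, i = 0; i < sizeof a.port; i++) h = (h ^ p[i]) * 1099511628211ULL;
    return (uint32_t)(h ^ (h >> 32));
}

static track_t *track_for(addr_t a)
{
    for (int i = 0; i < g_ntrack; i++)
        if (g_track[i].a.ip == a.ip && g_track[i].a.port == a.port) return &g_track[i];
    if (g_ntrack == MAX_TRACKED) return NULL;
    g_track[g_ntrack].a = a; g_track[g_ntrack].joins = 0; g_track[g_ntrack].banned = 0;
    return &g_track[g_ntrack++];
}

/* Original behaviour: every JOIN datagram counts, whoever really sent it. */
int join_unverified(addr_t src)
{
    track_t *t = track_for(src);
    if (!t) return JOIN_REJECTED;
    if (t->banned) return JOIN_BANNED;
    if (++t->joins > JOIN_FLOOD_LIMIT) { t->banned = 1; return JOIN_BANNED; }
    return JOIN_ACCEPTED;
}

/*
 * Hardened behaviour: a JOIN without the right cookie only earns a
 * challenge (the reply carries join_cookie(g_secret, src)) and is never
 * counted, so a spoofed source cannot accumulate joins.
 */
int join_with_cookie(addr_t src, int has_cookie, uint32_t cookie)
{
    if (!has_cookie || cookie != join_cookie(g_secret, src))
        return JOIN_CHALLENGE;
    track_t *t = track_for(src);
    if (!t) return JOIN_REJECTED;
    if (t->banned) return JOIN_BANNED;
    if (++t->joins > JOIN_FLOOD_LIMIT) { t->banned = 1; return JOIN_BANNED; }
    return JOIN_ACCEPTED;
}

/* Constructed scenario: attacker spoofs LIMIT+1 joins from the victim's address. */
int demo_spoofed_flood(int use_cookie)
{
    addr_t victim = { 0x0a000002u, 23073 };     /* 10.0.0.2:23073, constructed */
    g_ntrack = 0;
    int r = 0;
    for (int i = 0; i < JOIN_FLOOD_LIMIT + 1; i++)
        r = use_cookie ? join_with_cookie(victim, 0, 0) : join_unverified(victim);
    return r;          /* JOIN_BANNED without cookies, JOIN_CHALLENGE with them */
}

/* The real victim joins afterwards: a forged cookie is refused, the right one admits it. */
int demo_victim_joins_after_flood(void)
{
    addr_t victim = { 0x0a000002u, 23073 };
    demo_spoofed_flood(1);
    uint32_t c = join_cookie(g_secret, victim);
    if (join_with_cookie(victim, 1, c ^ 1u) != JOIN_CHALLENGE) return -1;
    return join_with_cookie(victim, 1, c);
}
```

The challenge reply costs the server no state, which is the point: an
attacker who can spoof still cannot make the server remember anything
about an address he does not control.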


###

===
3) The Code
===


http://aluigi.org/poc/soldatdos.zip


###

==
4) Fix
==


No fix.
I have been in contact with the developer for over two weeks, but
unfortunately I'm not able to explain these bugs better than I have
done here...


#######


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Heap overflow in Skulltag 0.97d-beta4.1

2007-08-23 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Skulltag
  http://www.skulltag.com
Versions: <= 0.97d-beta4.1
Platforms:Windows and Linux
Bug:  heap-overflow
Exploitation: remote, versus server
Date: 23 Aug 2007
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


Skulltag is a well known and widely played Doom engine, mainly based on
ZDoom (but not open source like it) and focused on online gaming.


###

==
2) Bug
==


The game is vulnerable to a heap overflow located in the function which
performs the Huffman decompression of the incoming packets, possibly
allowing malicious code execution through a single UDP packet.


###

===
3) The Code
===


http://aluigi.org/poc/skulltaghof.zip


###

==
4) Fix
==


No fix.
The developers have not been contacted, since one year ago the format
string vulnerability I reported to them was handled as a normal bug and
the patch was released some months after my advisory.


###


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org



[Full-disclosure] Buffer-overflow in the Asura engine

2007-08-22 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Asura engine (network SDK)
  http://www.rebellion.co.uk
Games:Rogue Trooper  <= 1.0
  Prism: Guard Shield<= 1.1.1.0
  ...possibly others...
Platforms:Windows
Bug:  challenge buffer-overflow
Exploitation: remote, versus server (in-game)
Date: 22 Aug 2007
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


Asura is a game engine written by Rebellion and used in their games.
Rogue Trooper and Prism are the only two games (as far as I know) which
use the new network protocol which leads to the vulnerability reported
in this advisory; the older games were based on DirectPlay (Judge
Dredd) and the Gamespy SDK (Sniper Elite).


###

==
2) Bug
==


A buffer-overflow vulnerability is located in the function which
handles the 0xf007 packet used for the "challenge B" query.
In this function the data passed by the client is copied (without any
check on its length) into a 256-byte stack buffer used for sending the
same data back to the client, something similar to a ping.


###

===
3) The Code
===


http://aluigi.org/poc/asurabof.zip


###

==
4) Fix
==


No fix.
Rebellion is one of those vendors which have never replied to my past
mails.


###


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org



[Full-disclosure] Multiple vulnerabilities in Toribash 2.71

2007-08-18 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Toribash
  http://www.toribash.com
Versions: <= 2.71
Platforms:Windows, Mac and Linux
Bugs: A] dedicated server format string
  B] client commands buffer-overflow
  C] client unicode buffer-overflow in the SAY command
  D] server crash through uninitialized values
  E] line-feed dropping
  F] Windows dedicated server hell bell
  G] clients kicked by malformed packet
Exploitation: A, D and F versus server
  B locally versus clients
  all the others remotely versus clients using servers as
  "bridge" for the attacks (the attacker acts as a client)
Date: 17 Aug 2007
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


Toribash is a turn-based multiplayer game in which two players fight
using violent puppets.
The game servers naturally support spectators, and there are some
official and unofficial leagues and championships for this game, as
well as some mods emulating specific martial arts.


###

===
2) Bugs
===

-
A] dedicated server format string
-

A format string vulnerability is exploitable when a client enters the
match: on this occasion a string containing
"BOUT ID; 1 0 0 0 0 0 NICKNAME 0" is passed directly to vfprintf(), so
the nickname of the client, limited to 32 chars, can be used by an
attacker as a format argument.


--
B] client commands buffer-overflow
--

A buffer-overflow is located in the client's function which reads the
game commands.
The problem is caused by calling sscanf() with the format string
"%s %i" and an output buffer of about 256 bytes.
This bug can be exploited in two different ways:
- locally, using a malicious replay file (*.rpl)
- remotely, through a malicious server controlled by the attacker

Replays are an essential component of the game, since they are widely
used for recording and watching the best matches.
The other way of exploiting the bug is not very realistic, since there
is no master server for making one's own server public to anyone.



C] client unicode buffer-overflow in the SAY command


This problem is directly related to bug E.
As written there, that bug forces the server to send commands without
the final line feed, so they are not processed by the client until that
char is received.
An attacker can use this same bug for concatenating two or more
commands (always using the server as a "bridge"); in the case of the
SAY command the server sends max 512 bytes of data for each command,
and a unicode buffer-overflow happens in the client if it receives a
SAY of over 1024 chars.
The only limitation is that the attacker (client) doesn't seem able to
control the return address, because it is overwritten by the subsequent
command sent by the server:

  SAY 0;nick: [EMAIL PROTECTED] 0;nick: [EMAIL PROTECTED]
  first 512 bytes second 512 bytessubsequent command

The other possibility of exploiting this bug is naturally by
controlling a server, in which case it is possible to overwrite the
return address with our unicode chars, but as already written in the
previous bug it's not a realistic way.



D] server crash through uninitialized values


When a client joins a server an ID of -1 is assigned to it, and no data
is allocated until the ENTER command is called.
An attacker can join a server and send the GRIP command with the ID set
to -1, forcing the server to handle it (since the ID is considered
valid), but the structure which should contain the values received
from the client is NULL, so the server ends up in the following
situation:

  sscanf("0 0\n", "%i %i", &client.integer1, &client.integer2);

where "0 0\n" is the second part of the GRIP command sent by the client
("GRIP -1;0 0\n"), while client.integer1 points to 0x30d0 and
client.integer2 to 0x30d4, since the structure which should contain
them is a NULL pointer.
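A bounded reader for the line-based "NAME ID;ARGS\n" commands quoted in
this advisory ("GRIP -1;0 0\n", "SAY 0;nick: ...", "BOUT ID; 1 0 0 0 0
0 NICKNAME 0"), as an added example that is not Toribash code. It shows
the three mistakes described in bugs A, B and D side by side with their
fixes: sscanf("%s") with no width, a player ID of -1 accepted before any
player data exists, and user text reaching vfprintf() as the format.
The field widths, the player limit and the ';' argument separator are
assumptions:

```c
/*
 * Added example, not Toribash code: a bounded parser for "NAME ID;ARGS\n"
 * commands plus a BOUT builder that treats the nickname as data.  Widths,
 * player limit and separator are assumptions.
 */
#include <stdio.h>
#include <string.h>

#define CMD_NAME_MAX 15      /* "%15s": sscanf writes at most 16 bytes */
#define CMD_ARGS_MAX 511
#define LINE_MAX_LEN (CMD_NAME_MAX + 1 + 11 + 1 + CMD_ARGS_MAX)  /* name sp int ';' args */
#define NICK_MAX     32      /* nickname limit quoted in bug A */

typedef struct {
    char name[CMD_NAME_MAX + 1];
    int  id;
    char args[CMD_ARGS_MAX + 1];
} command_t;

enum { CMD_OK = 0, CMD_NO_LF = -1, CMD_SYNTAX = -2, CMD_TOO_LONG = -3, CMD_BAD_ID = -4 };

/*
 * Parse one complete line from buf.  Only a '\n'-terminated line is
 * consumed (without the line feed the client must keep waiting, which is
 * what bug E abuses to glue commands together); the name is read with an
 * explicit width; the ID must denote a joined player.
 */
int cmd_parse(const char *buf, size_t buflen, int max_players,
              command_t *out, size_t *consumed)
{
    const char *lf = memchr(buf, '\n', buflen);
    if (!lf) return CMD_NO_LF;
    size_t linelen = (size_t)(lf - buf);
    if (linelen > LINE_MAX_LEN) return CMD_TOO_LONG;
    char line[LINE_MAX_LEN + 1];
    memcpy(line, buf, linelen);
    line[linelen] = 0;
    int pos = 0;
    if (sscanf(line, "%15s %d;%n", out->name, &out->id, &pos) != 2 || pos == 0)
        return CMD_SYNTAX;
    if (out->id < 0 || out->id >= max_players)
        return CMD_BAD_ID;               /* -1: no client data allocated yet */
    size_t alen = linelen - (size_t)pos;
    if (alen > CMD_ARGS_MAX) return CMD_TOO_LONG;
    memcpy(out->args, line + pos, alen);
    out->args[alen] = 0;
    *consumed = linelen + 1;
    return CMD_OK;
}

/* BOUT announcement with the nickname as an argument, never as the format. */
int bout_line(char *out, size_t outsz, int id, const char *nick)
{
    int n = snprintf(out, outsz, "BOUT %d; 1 0 0 0 0 0 %.*s 0\n", id, NICK_MAX, nick);
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

/* Constructed inputs for the demos. */
int demo_grip_from_unjoined_client(void)
{
    command_t c; size_t used = 0;
    const char *in = "GRIP -1;0 0\n";
    return cmd_parse(in, strlen(in), 8, &c, &used) == CMD_BAD_ID;
}

int demo_say_complete_line(void)
{
    command_t c; size_t used = 0;
    const char *in = "SAY 0;nick: hello\nGRIP 3;0 0\n";
    int r = cmd_parse(in, strlen(in), 8, &c, &used);
    return r == CMD_OK && strcmp(c.name, "SAY") == 0 && c.id == 0
        && strcmp(c.args, "nick: hello") == 0 && used == 18;
}

int demo_missing_line_feed(void)
{
    command_t c; size_t used = 0;
    const char *in = "SAY 0;nick: hello";      /* bug E: nothing to process yet */
    return cmd_parse(in, strlen(in), 8, &c, &used) == CMD_NO_LF && used == 0;
}

int demo_overlong_name(void)
{
    command_t c; size_t used = 0;
    char in[300];
    memset(in, 'A', 280); memcpy(in + 280, " 0;x\n", 6);
    return cmd_parse(in, strlen(in), 8, &c, &used) == CMD_SYNTAX   /* %15s stops, %d fails */
        && strlen(c.name) == CMD_NAME_MAX;
}

int demo_nick_is_data_not_format(void)
{
    char out[128];
    int n = bout_line(out, sizeof out, 7, "%x%x%n");
    return n > 0 && strstr(out, "%x%x%n") != NULL;
}
```

The second demo also shows the correct handling of a buffer that holds
more than one command: consumed tells the caller how much to discard,
so the following "GRIP 3;0 0\n" is parsed on the next call rather than
glued to the first.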


-
E] line-feed dropping
-

The protocol used by Toribash is composed by commands delimited by

[Full-disclosure] Multiple vulnerabilities in rFactor 1.250

2007-08-18 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  rFactor
  http://www.rfactor.net
Versions: <= 1.250
Platforms:Windows
Bugs: A] buffer-overflow
  B] "Connection lost" crash
  C] crash/possible code execution
  D] port 34397 blocked
Exploitation: remote, versus server
Date: 18 Aug 2007
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


rFactor is a racing game deeply focused on simulation.
It's developed by Image Space Incorporated
(http://www.imagespaceinc.com) and was released in August 2005.


###

===
2) Bugs
===


The game server listens on 3 ports:
- UDP 34247 used for queries
- UDP 34347 used for game packets
- TCP 34447 used for login, messages, race and other information

The last two ports are very similar, not only because they use the same
game protocol but because they seem to be handled by the same functions
too; in fact all the bugs below can be exploited against both, with the
possibility of spoofing the source IP address in the case of the UDP
port.
Another important point is that the vulnerabilities can be exploited
without joining the server, so no password or banning limitations
apply.


--
A] buffer-overflow
--

This bug is not only the most dangerous of those I have found but also
the most interesting.
A buffer-overflow vulnerability is located in the function which
handles the packets with ID 0x80 or 0x88, but no return address is
overwritten directly: the bug allows the modification of some buffers
in the server, including the one containing its version string.
To exploit the bug we then need to query the server (UDP port 34297),
where a second buffer-overflow happens during the creation of the reply
using the too long server version set by the attacker.
This is the moment in which the return address gets overwritten.


--
B] "Connection lost" crash
--

A packet with ID 0x30 or 0x38 causes the crash of the server (read of
memory at offset 0x0004) after the error message "Connection lost" is
displayed.



C] crash/possible code execution


Unfortunately I wasn't able to retrieve more details about this bug, so
for the moment I prefer to classify it only as a Denial of Service.
Anyway, the packets with ID 0x60 and 0x68, which contain data about the
player (like his nickname, his car and so on), allow specifying a 13
bit number (max 0x1ffb) which the server uses as the amount of bytes to
copy from the received packet into another buffer.
If this amount is too big the server crashes due to the read access to
the unallocated memory after the packet, while if we use a lower amount
the server closes (crashes silently) without any warning.
In my opinion this second effect could be caused by the overwriting of
the return address, but at the moment I don't have proof to confirm it.


-
D] port 34397 blocked
-

Packets with ID 0x20 and 0x28 instead lead to a strange and unusual
effect on the server: in short, after having received such a packet its
UDP port 34397 seems to become blocked, so nobody can join and play on
the server.


###

===
3) The Code
===


http://aluigi.org/poc/rfactox.zip


###

==
4) Fix
==


The developers have said that they will fix the bugs, but there is no
information about the release date of the patch.


###


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org



[Full-disclosure] Unexploitable buffer-overflow in the logging function of the Unreal engine

2007-08-18 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Unreal engine
  http://www.unrealtechnology.com
  http://www.epicgames.com
Versions: this engine is used in many games, like Unreal Tournament
  2003 and 2004 (both vulnerable); I have not tested
  them all, although I'm fairly sure that almost all are
  vulnerable
Platforms:Windows, Linux and Mac
Bugs: A] unexploitable buffer-overflow in the logging function
  B] web admin hell bell on Windows dedicated servers
Exploitation: A] remote versus server
  B] remote versus Windows dedicated server only
Date: 18 Aug 2007
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


The Unreal engine is a game engine developed by Epic Games
(http://www.epicgames.com) and used in many famous commercial games,
the best-known example being the successful Unreal Tournament series.


###

===
2) Bugs
===


A] unexploitable buffer-overflow in the logging function


The logging function used in the Unreal engine (which doesn't seem
possible to disable) is vulnerable to a buffer-overflow bug.
The message passed to this function is used with appSprintf() for
building the following unicode string, using an output buffer of 1024
unicode chars:

  appSprintf(unicode_buffer, "%s: %s%s", "Log", message, "\r\n");

the appSprintf function works exactly like snprintf, truncating the
output automatically at 1024 unicode chars without adding the final
NULL char at the end if this limit is reached.
Then unicode_buffer is converted into an ascii string using a set of
instructions similar to the following:

  for(i = 0; (cx = unicode_buffer[i]); i++) {
      if(cx >= 256) cx = 0x7f;
      ascii_buffer[i] = cx;
  }

the instructions are correct enough, but unfortunately the destination
ascii buffer is located in the stack just after unicode_buffer and, as
already said, the latter is not terminated if the 1024 chars limit is
reached.
The result is that after 1024 unicode chars the loop starts reading its
"unicode chars" from the output ascii buffer itself.
The input chars are unicode chars (16 bit), so those read from the
ascii buffer are always greater than 256 (0x0100), forcing the loop to
keep writing 0x7f chars until a NULL word is finally reached... and in
the meantime the return address has been completely overwritten by
0x7f7f7f7f.

During my tests only UnrealTournament (version 451b) wasn't vulnerable,
because its appSprintf terminates the destination unicode buffer.
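The truncate-without-terminator behaviour described above, modelled as
an added example (this is not Unreal engine code): app_sprintf_model()
imitates an appSprintf() that stops at 1024 wide chars and only writes
a terminator when there is room, would_run_off() reports whether the
original conversion loop would find a terminator inside the buffer at
all (it is never actually run on bad input), and wide_to_ascii_bounded()
is the converter bounded by both buffers. The 1024-char sizes are those
quoted in the advisory; the "Log: " prefix layout is an assumption:

```c
/*
 * Added example, not Unreal engine code: the snprintf-style truncation
 * and the wide-to-ascii loop that trusts a terminator to be present.
 * Sizes follow the advisory; the prefix layout is an assumption.
 */
#include <stdint.h>
#include <string.h>

#define LOG_WCHARS 1024

typedef struct {
    uint16_t unicode_buffer[LOG_WCHARS];
    char     ascii_buffer[LOG_WCHARS];   /* placed right after it, as on the stack */
} logbufs_t;

/*
 * Model of appSprintf("%s: %s%s", "Log", message, "\r\n"): writes the
 * wide string, stops at cap, and terminates only when there is room.
 * Returns the number of wide chars written (excluding any terminator).
 */
size_t app_sprintf_model(uint16_t *dst, size_t cap, const char *message)
{
    static const char prefix[] = "Log: ";
    static const char suffix[] = "\r\n";
    const char *parts[3] = { prefix, message, suffix };
    size_t n = 0;
    for (int p = 0; p < 3; p++)
        for (const char *s = parts[p]; *s && n < cap; s++)
            dst[n++] = (uint8_t)*s;
    if (n < cap)
        dst[n] = 0;                       /* terminator only when it fits */
    return n;
}

/*
 * Original loop: for(i = 0; (cx = unicode_buffer[i]); i++) ...
 * Reports how many iterations it would run before a zero word, or -1
 * when no zero word exists inside unicode_buffer, i.e. the loop would
 * continue into ascii_buffer and beyond.
 */
long would_run_off(const logbufs_t *b)
{
    for (size_t i = 0; i < LOG_WCHARS; i++)
        if (b->unicode_buffer[i] == 0)
            return (long)i;
    return -1;
}

/*
 * Hardened conversion: bounded by the source capacity and the
 * destination size, and always NUL-terminated.  Returns chars written.
 */
size_t wide_to_ascii_bounded(const uint16_t *src, size_t srccap,
                             char *dst, size_t dstsz)
{
    size_t i = 0;
    if (dstsz == 0) return 0;
    for (; i < srccap && i + 1 < dstsz && src[i]; i++) {
        uint16_t cx = src[i];
        dst[i] = (char)(cx >= 256 ? 0x7f : cx);
    }
    dst[i] = 0;
    return i;
}

/* Constructed inputs: a normal log line and a 2000-char message. */
int demo_short_log(void)
{
    logbufs_t b;
    size_t n = app_sprintf_model(b.unicode_buffer, LOG_WCHARS, "hello");
    size_t m = wide_to_ascii_bounded(b.unicode_buffer, LOG_WCHARS,
                                     b.ascii_buffer, sizeof b.ascii_buffer);
    return n == 12 && would_run_off(&b) == 12 && m == 12
        && strcmp(b.ascii_buffer, "Log: hello\r\n") == 0;
}

int demo_long_log(void)
{
    logbufs_t b;
    char msg[2001];
    memset(msg, 'A', 2000); msg[2000] = 0;
    size_t n = app_sprintf_model(b.unicode_buffer, LOG_WCHARS, msg);
    size_t m = wide_to_ascii_bounded(b.unicode_buffer, LOG_WCHARS,
                                     b.ascii_buffer, sizeof b.ascii_buffer);
    /* full buffer, no terminator: the original loop runs off; the bounded one stops at 1023 */
    return n == LOG_WCHARS && would_run_off(&b) == -1
        && m == LOG_WCHARS - 1 && b.ascii_buffer[m] == 0;
}
```

The fix is in the converter rather than in appSprintf(): even a
formatter that does terminate (as the 451b one reportedly does) leaves
the loop relying on a property of a buffer it does not own, so the
bound belongs where the read happens.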

How to exploit this vulnerability?

For the moment I have found only the Unreal web server as a way to
exploit this Denial of Service, since it allows sending and, moreover,
displaying more than 1024 chars, but other better ways could exist.

The internal web server built into the Unreal engine is a service
useful for managing one's own game server remotely through a web
browser.
This server is NOT enabled by default and works on port 80 if the admin
doesn't change it.
The files served are those contained in the Web folder inside the game
directory, and /images is the only one which doesn't require
authorization; it is also the one needed to exploit this bug.


---
B] web admin hell bell on Windows dedicated servers
---

This type of Denial of Service could seem something like a joke, but it
works terribly well.
The non-graphical dedicated server of the Unreal engine (UCC) runs in a
console and on some specific occasions it displays some of the data
sent by the clients.

The main idea behind this bug is forcing the server to display some
invalid chars like the bell (0x07), partially freezing the system and
moreover the online game, since the Windows console will start to beep
without a break.
In these cases the only way to stop the attack is killing the process
and its console.

The only good way I have found for exploiting this problem on the
Unreal engine with a big amount of chars is through the web admin port,
since invalid chars like 0x07 are not filtered.
Some ways of exploiting the problem are requests to the /images
folder, the Content-Type field in a POST, any HEAD query and so on.

This bug can be exploited only against the UCC Windows dedicated server,
sin

[Full-disclosure] Multiple vulnerabilities in Live for Speed 0.5X10

2007-08-14 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Live for Speed
  http://www.lfs.net
Versions: <= 0.5X10
Platforms:Windows
Bugs: A] nickname buffer-overflow
  B] partial track buffer-overflow
  C] NULL pointer access in internet/hidden S1/S2 servers
  D] memcpy() NULL pointer in internet/hidden S1/S2 servers
Exploitation: remote, versus server
  A] demo/S1/S2 in-game
  B] demo/S1/S2 in-game
  C] S1/S2 (internet/hidden)
  D] S1/S2 (internet/hidden)
Date: 14 Aug 2007
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


Live for Speed (LFS) is one of the best known and coolest car racing
simulators available, since you can do a lot of things: races,
autocross, drifting, drag races and parking too.


###

===
2) Bugs
===

---
A] nickname buffer-overflow
---

A buffer-overflow vulnerability is located in the portion of code which
handles the client's nickname from packets with ID 3.
This packet must contain the following NULL terminated strings:

  24 bytes for the nickname
   8 bytes for the car's plate
  16 bytes for other data
  16 bytes for the helmet

To exploit the bug it's enough to set a nickname longer than its field,
overwriting the other fields which follow it in the packet.
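How the four fixed-width fields above should be read, as an added
example that is not Live for Speed code: a nickname that fills its
24-byte slot without a NUL makes strcpy() continue through the plate,
the other data and the helmet (and whatever follows them) into a
24-byte destination. strcpy_run_length() measures that over-run and
lfs_parse_id3() refuses any field that is not terminated inside its own
slot. The slot sizes are those quoted in the advisory; the absence of a
header before the nickname and the sample values are assumptions:

```c
/*
 * Added example, not Live for Speed code: bounded parsing of the ID 3
 * packet's fixed-width NUL-terminated strings (24 + 8 + 16 + 16 bytes).
 * Header length (0 here) and sample values are assumptions.
 */
#include <stdint.h>
#include <string.h>

#define NICK_LEN   24
#define PLATE_LEN   8
#define OTHER_LEN  16
#define HELMET_LEN 16
#define ID3_LEN (NICK_LEN + PLATE_LEN + OTHER_LEN + HELMET_LEN)

typedef struct {
    char nick[NICK_LEN];
    char plate[PLATE_LEN];
    char other[OTHER_LEN];
    char helmet[HELMET_LEN];
} id3_fields_t;

/* Copy one slot only if a NUL lies inside it; returns 0 on success. */
static int copy_slot(char *dst, const uint8_t *src, size_t slot)
{
    if (memchr(src, 0, slot) == NULL)
        return -1;                  /* unterminated: strcpy() would run past */
    memcpy(dst, src, slot);         /* the slot includes the NUL just found */
    return 0;
}

/*
 * Returns 0 and fills out when every field is terminated inside its
 * slot, -1 when the packet is too short, or 1..4 naming the first bad
 * field.
 */
int lfs_parse_id3(const uint8_t *pkt, size_t pktlen, id3_fields_t *out)
{
    if (pktlen < ID3_LEN) return -1;
    const uint8_t *p = pkt;
    if (copy_slot(out->nick, p, NICK_LEN)) return 1;      p += NICK_LEN;
    if (copy_slot(out->plate, p, PLATE_LEN)) return 2;    p += PLATE_LEN;
    if (copy_slot(out->other, p, OTHER_LEN)) return 3;    p += OTHER_LEN;
    if (copy_slot(out->helmet, p, HELMET_LEN)) return 4;
    return 0;
}

/*
 * How many bytes strcpy(nick24, pkt) would write starting at the
 * nickname: up to and including the first NUL anywhere in the packet,
 * or -1 if there is none (it would keep reading beyond the packet).
 */
long strcpy_run_length(const uint8_t *pkt, size_t pktlen)
{
    const uint8_t *nul = memchr(pkt, 0, pktlen);
    return nul ? (long)(nul - pkt) + 1 : -1;
}

/* Build a constructed ID 3 payload; each field is NUL-padded to its slot. */
static void put_slot(uint8_t *dst, size_t slot, const char *s)
{
    size_t n = strlen(s);
    memcpy(dst, s, n < slot ? n : slot);
}

size_t build_id3(uint8_t *pkt, const char *nick, const char *plate,
                 const char *other, const char *helmet)
{
    memset(pkt, 0, ID3_LEN);
    put_slot(pkt, NICK_LEN, nick);
    put_slot(pkt + NICK_LEN, PLATE_LEN, plate);
    put_slot(pkt + NICK_LEN + PLATE_LEN, OTHER_LEN, other);
    put_slot(pkt + NICK_LEN + PLATE_LEN + OTHER_LEN, HELMET_LEN, helmet);
    return ID3_LEN;
}

int demo_valid_packet(void)
{
    uint8_t pkt[ID3_LEN]; id3_fields_t f;
    size_t n = build_id3(pkt, "driver", "LFS 1", "x", "red");
    return lfs_parse_id3(pkt, n, &f) == 0 && strcmp(f.nick, "driver") == 0
        && strcmp(f.helmet, "red") == 0 && strcpy_run_length(pkt, n) == 7;
}

/* 24+ char nickname: the slot has no NUL, so strcpy() runs on into the plate. */
int demo_overlong_nick(void)
{
    uint8_t pkt[ID3_LEN]; id3_fields_t f;
    size_t n = build_id3(pkt, "AAAAAAAAAAAAAAAAAAAAAAAAAAAA", "PLATE", "", "");
    return lfs_parse_id3(pkt, n, &f) == 1 && strcpy_run_length(pkt, n) == NICK_LEN + 6;
}
```

The second demo is the shape of the attack: the copy does not stop at
24 bytes but at the first NUL of the plate field, 30 bytes in, and a
packet whose later fields are also filled pushes that far further.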



B] partial track buffer-overflow


Another buffer-overflow is exploitable through the packets with ID 10,
but this time it doesn't seem possible to use it for executing remote
code, because the return address is overwritten by a fixed string of
the server.

In short, when the user requests a track which is not available on the
host, the server calls:

  sprintf(buff, "%s is not enabled on this host", client_track);

using a destination buffer big enough to prevent control of the return
address but not big enough to avoid a crash.


---
C] NULL pointer access in internet/hidden S1/S2 servers
---

The S1 and S2 servers which run in internet mode (so visible on the
master server) or hidden mode are vulnerable to a crash attack caused
by the access to a NULL pointer.
The problem is exploitable through a packet containing a 0x00 byte at
data offset 23 of the pre-login packet with ID 3.
Demo and LAN servers are not vulnerable.


-
D] memcpy() NULL pointer in internet/hidden S1/S2 servers
-

The S1 and S2 servers which run in internet mode (so visible on the
master server) or hidden mode are vulnerable to a crash attack caused
by calling memcpy() with a NULL source (in reality NULL + 12).
The problem seems caused by the absence of one or more needed strings
in the pre-login packet with ID 5.
Demo and LAN servers are not vulnerable.


Summing up:
Bugs A and B are in-game, so the attacker must have access to the
server, i.e. know its password if it's protected and not be banned.
Bugs C and D instead work against any server except demo and LAN
servers and are not in-game, so any attacker can crash any server,
password protected too.


###

===
3) The Code
===


With the following tool bugs A and B can be tested only against the
demo server:

http://aluigi.org/fakep/lfsfp.zip


###

==
4) Fix
==


The only thing that the developers have been able to tell me is that
the bugs will be fixed in Patch Y (yes, I have asked for a release date
but they don't know it)... that's really stupid, since a quick fix was
the best choice, especially considering the auto-patching system of the
game.


#######


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org



[Full-disclosure] Multiple vulnerabilities in Babo Violent 2 2.08.00

2007-08-14 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Babo Violent 2
  http://www.rndlabs.ca
  http://baboviolent.net
Versions: <= 2.08.00
Platforms:Windows and Linux
Bugs: A] crash through malformed value
  B] format string
  C] crash through unexistent map
  D] crash through malformed UDP packet
Exploitation: A, B and C versus server (both dedicated and game)
  D versus both clients and server
Date: 14 Aug 2007
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


Babo Violent 2 is a famous free multiplayer game developed by RndLabs
(now under bitHeads).


###

===
2) Bugs
===


A] crash through malformed value


The packets with ID 0xca, 0xcb, 0xcc, 0xce, 0xcf and 0xd0 have a first
byte which, if set to a value greater than or equal to 0x28 (this
number can change), causes the crash of the program.
In my tests it doesn't seem possible to use this bug for executing
remote code, although some registers change their values using
different data after this byte.



B] format string


The output function used by the server is vulnerable to a format string
bug, exploitable through chat messages and the admin login.
An easy way to test the problem is sending a message containing %x.


---
C] crash through unexistent map
---

If the client specifies a map which is not available, the server
terminates due to the exception (stream != NULL).
What the server does is call fopen() with the value passed by the
client plus the .bvm extension in the map folder (note that if the
filename is not NULL terminated there will be many garbage bytes before
the extension).


-
D] crash through malformed UDP packet
-

Both the servers and the clients open another port other than 
which is 1, this port is used for LAN queries and by clients.
In short, each UDP packet carries a 16 bit number which specifies the
size of the data in the packet.
It's enough to send a small UDP packet with a big 16 bit value to force
the program (client or server) to read outside the memory available to
the packet, causing a crash:

  memcpy(buffer_of_65536, packet + 9, *(uint16_t *)(packet + 7));

Note that all the IP addresses of the clients are visible in the server
through the "playerlist" command, so an attacker can decide to "kick"
only the players he wants, or all of them, or just the entire server.
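The check the memcpy() above is missing, as an added example that is
not Babo Violent 2 code: a size field supplied by the packet must be
compared with the bytes actually received and with the destination
before it is used as a copy length. The BV2 layout (16-bit size at
offset 7, payload at offset 9, 65536-byte destination) comes from this
advisory; the same block also covers bug C of the rFactor advisory
above, whose 13-bit size field is used the same way, with the rFactor
offsets (size at 2, payload at 4) assumed here to show that the check
does not depend on the field width:

```c
/*
 * Added example, not Babo Violent 2 or rFactor code: validating a
 * packet-supplied length before using it as a copy size.  BV2 layout is
 * from the advisory; the rFactor offsets are assumptions.
 */
#include <stdint.h>
#include <string.h>

typedef struct {
    size_t   len_off;    /* where the size field sits in the packet */
    size_t   data_off;   /* where the payload starts */
    unsigned len_bits;   /* width of the size field (16 or 13 here) */
} lenfield_layout_t;

static const lenfield_layout_t BV2_LAYOUT     = { 7, 9, 16 };
static const lenfield_layout_t RFACTOR_LAYOUT = { 2, 4, 13 };   /* offsets assumed */

/* Read the little-endian 16-bit word and keep only the field's bits. */
unsigned read_len(const uint8_t *pkt, const lenfield_layout_t *l)
{
    unsigned v = pkt[l->len_off] | (unsigned)pkt[l->len_off + 1] << 8;
    return v & ((1u << l->len_bits) - 1);
}

/*
 * The amount the original memcpy() would read, or -1 if that exceeds the
 * bytes actually received: that is the over-read the advisories crash on.
 */
long unchecked_copy_len(const uint8_t *pkt, size_t pktlen, const lenfield_layout_t *l)
{
    if (pktlen < l->len_off + 2) return -1;
    unsigned n = read_len(pkt, l);
    return (l->data_off + n <= pktlen) ? (long)n : -1;
}

/*
 * Hardened copy: the declared size must fit inside the received datagram
 * AND inside the destination.  Returns bytes copied, or -1 and copies
 * nothing, so the caller drops the packet.
 */
long copy_len_prefixed(const uint8_t *pkt, size_t pktlen, const lenfield_layout_t *l,
                       uint8_t *dst, size_t dstsz)
{
    if (pktlen < l->len_off + 2 || pktlen < l->data_off) return -1;
    unsigned n = read_len(pkt, l);
    if (n > pktlen - l->data_off) return -1;   /* claims more than was received */
    if (n > dstsz) return -1;                  /* would overflow the destination */
    memcpy(dst, pkt + l->data_off, n);
    return (long)n;
}

/* Build a constructed datagram carrying a declared size and payload bytes. */
size_t build_lenfield_packet(uint8_t *pkt, size_t cap, const lenfield_layout_t *l,
                             unsigned declared, size_t payload)
{
    size_t total = l->data_off + payload;
    if (total > cap) return 0;
    memset(pkt, 0, total);
    pkt[l->len_off] = (uint8_t)(declared & 0xff);
    pkt[l->len_off + 1] = (uint8_t)(declared >> 8);
    memset(pkt + l->data_off, 0x41, payload);
    return total;
}

/* BV2: small packet whose 16-bit size says 0xffff. */
int demo_bv2_oversized(void)
{
    uint8_t pkt[64], dst[64];
    size_t n = build_lenfield_packet(pkt, sizeof pkt, &BV2_LAYOUT, 0xffff, 20);
    return unchecked_copy_len(pkt, n, &BV2_LAYOUT) == -1
        && copy_len_prefixed(pkt, n, &BV2_LAYOUT, dst, sizeof dst) == -1;
}

/* BV2: honest packet, size matches the payload. */
int demo_bv2_honest(void)
{
    uint8_t pkt[64], dst[64];
    size_t n = build_lenfield_packet(pkt, sizeof pkt, &BV2_LAYOUT, 20, 20);
    return unchecked_copy_len(pkt, n, &BV2_LAYOUT) == 20
        && copy_len_prefixed(pkt, n, &BV2_LAYOUT, dst, sizeof dst) == 20;
}

/* rFactor-style 13-bit field: 0x1ffb declared with 40 bytes sent, then an
 * honest 40 that fits the packet but not a 16-byte destination. */
int demo_rfactor_13bit(void)
{
    uint8_t pkt[128], small[16], big[128];
    size_t n = build_lenfield_packet(pkt, sizeof pkt, &RFACTOR_LAYOUT, 0x1ffb, 40);
    int over_read = read_len(pkt, &RFACTOR_LAYOUT) == 0x1ffb
                 && copy_len_prefixed(pkt, n, &RFACTOR_LAYOUT, big, sizeof big) == -1;
    n = build_lenfield_packet(pkt, sizeof pkt, &RFACTOR_LAYOUT, 40, 40);
    int dst_checked = copy_len_prefixed(pkt, n, &RFACTOR_LAYOUT, small, sizeof small) == -1
                   && copy_len_prefixed(pkt, n, &RFACTOR_LAYOUT, big, sizeof big) == 40;
    return over_read && dst_checked;
}
```

Both comparisons matter: the BV2 case fails on the first one (the
datagram is shorter than it claims), while the silent-close effect the
rFactor advisory describes for smaller values is what the second one
guards against.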


Note: the password protection in servers doesn't seem to work very
well, that's why sometimes these in-game bugs can be exploited also in
protected servers without knowing the needed keyword: it's enough to
reconnect if the connection closes... and be lucky.
Another interesting thing is that the sender of the chat messages is
specified by the client, so it is possible to spoof any message.


###

===
3) The Code
===


http://aluigi.org/poc/bv2x.zip


###

==
4) Fix
==


I posted the details of the bugs on dev.baboviolent.net about ten days
ago but nobody has done anything.


#######


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org



[Full-disclosure] Crash in Zoidcom 0.6.7

2007-08-14 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Zoidcom
  http://www.zoidcom.com
Versions: <= 0.6.7 (some older version could be not vulnerable)
Platforms:Windows, Linux and Mac
Bug:  crash
Exploitation: remote
Date: 14 Aug 2007
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


Zoidcom is an interesting network library designed for minimal usage
of bandwidth.


###

==
2) Bug
==


The library can be crashed remotely through a malformed connection
packet which forces the code to perform a double delete of the data
used for tracking the connection.


###

===
3) The Code
===


http://aluigi.org/poc/zoidboom2.zip


###

==
4) Fix
==


The bug will be fixed in version 0.6.8.


###


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org



[Full-disclosure] Buffer-overflow in Conquest client 8.2a (svn 691)

2007-03-07 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Conquest
  http://www.radscan.com/conquest.html
Versions: <= 8.2a (svn 691)
Platforms:*nix and Windows
Bugs: A] buffer-overflow in metaGetServerList()
  B] memory corruption through SP_CLIENTSTAT
Exploitation: local and remote, versus the client
Date: 07 Mar 2007
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


Conquest is a multi-player game which can be considered the predecessor
of Netrek (http://www.netrek.org).
Note that on some distros (like Debian) the conquest binaries are
marked setgid for the conquest group.


###

===
2) Bugs
===

-
A] buffer-overflow in metaGetServerList()
-

The Conquest client has an option (-m) for querying the metaserver
conquest.radscan.com, on which the servers currently online are listed,
but the program allows the usage of alternative metaservers too.

The function which reads the data received from the metaserver is
affected by a stack based buffer-overflow which happens while storing
the line containing the server's entry in a buffer (buf) of 1024 bytes.

The best exploitation of this bug is for local users who want to
escalate their privileges by gaining the conquest group.

At the same time there is also another buffer-overflow which affects
the static servers buffer, limited to 1000 (META_MAXSERVERS) max
servers; anyway it doesn't seem possible to fully exploit this second
bug for code execution.

from meta.c:

int metaGetServerList(char *remotehost, metaSRec_t **srvlist)
{
  static metaSRec_t servers[META_MAXSERVERS];
  ...
  char buf[1024];   /* server buffer */
  ...
  off = 0;
  while (read(s, &c, 1) > 0)
{
  if (c != '\n')
{
  buf[off++] = c;
}
  else
{   /* we got one */
  buf[off] = 0;

  /* convert to a metaSRec_t */
  if (str2srec(&servers[nums], buf))
nums++;
...


--
B] memory corruption through SP_CLIENTSTAT
--

SP_CLIENTSTAT is a type of packet used by the server for sending some
information about the ships and the users.

This packet carries two numbers which are not correctly sanitized by
the client:
- unum: 16 bit, used as index into the Users structure
- snum:  8 bit, used as index into the Ships structure

Both the structures are placed in the cBasePtr buffer, allocated at
runtime with 262144 (SIZEOF_COMMONBLOCK) bytes of memory: Users at
offset 388, where each element has a size of 264 bytes (total 132000),
and Ships at offset 141040 with 1124 bytes per element (total 23604).

In both cases it is possible to write one or more bytes in some zones
of memory outside the original structures and the cBasePtr buffer, but
I think that code execution is practically impossible...

The following are the instructions used for handling the SP_CLIENTSTAT
packet, where the writing of the scstat->team value sent by the server
is easily visible:

case SP_CLIENTSTAT:
  scstat = (spClientStat_t *)buf;
  Context.snum = scstat->snum;
  Context.unum = (int)ntohs(scstat->unum);
  Ships[Context.snum].team = scstat->team;
  clientFlags = scstat->flags;
  break;
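The two checks the client is missing, as an added example that is not
Conquest code: meta_read_line() is a bounded version of the
read()-one-byte loop in metaGetServerList() and fails cleanly on a line
longer than its 1024-byte buffer instead of writing past it, and
clientstat_apply() range-checks snum and unum before they index Ships
and Users. The element counts (21 ships, 500 users) are derived from
the sizes quoted above (23604/1124 and 132000/264); the byte-source
callback, the trimmed structs and the byte-swap standing in for
ntohs() are assumptions:

```c
/*
 * Added example, not Conquest code: a bounded metaserver line reader and
 * a range-checked SP_CLIENTSTAT handler.  Element counts are derived from
 * the advisory; callback, structs and byte order are assumptions.
 */
#include <stdint.h>
#include <string.h>

#define META_MAXSERVERS 1000
#define META_LINEMAX    1024
#define MAXSHIPS        21      /* 23604 / 1124 */
#define MAXUSERS        500     /* 132000 / 264 */

/* Byte source standing in for read(s, &c, 1): returns 1, or 0 at end. */
typedef int (*byte_src_t)(void *ctx, char *c);

enum { META_LINE_OK = 0, META_EOF = 1, META_LINE_TOO_LONG = -1 };

/*
 * Read one '\n'-terminated line into buf (bufsz bytes) from src.  The
 * original kept doing buf[off++] = c with no bound; here a line that
 * does not fit is rejected and the rest of it skipped so the stream
 * stays in sync for the next entry.
 */
int meta_read_line(byte_src_t src, void *ctx, char *buf, size_t bufsz)
{
    size_t off = 0;
    int overflow = 0;
    char c;
    while (src(ctx, &c) > 0) {
        if (c == '\n') {
            if (overflow) return META_LINE_TOO_LONG;
            buf[off] = 0;
            return META_LINE_OK;
        }
        if (off + 1 >= bufsz) { overflow = 1; continue; }   /* keep room for NUL */
        buf[off++] = c;
    }
    return META_EOF;
}

/* The packet fields the client reads, trimmed to what the snippet uses. */
typedef struct { uint8_t snum; uint8_t team; uint16_t unum_be; } sp_clientstat_t;
typedef struct { uint8_t team; } ship_t;

/*
 * Range-check both indices before touching Ships[].  Returns 0 and
 * updates state on success, -1 for a bad snum, -2 for a bad unum.
 */
int clientstat_apply(const sp_clientstat_t *p, ship_t *ships, int nships,
                     int nusers, int *ctx_snum, int *ctx_unum)
{
    int snum = p->snum;
    int unum = (p->unum_be >> 8) | ((p->unum_be & 0xff) << 8);   /* ntohs(), little-endian host */
    if (snum < 0 || snum >= nships) return -1;
    if (unum < 0 || unum >= nusers) return -2;
    *ctx_snum = snum;
    *ctx_unum = unum;
    ships[snum].team = p->team;
    return 0;
}

/* Constructed metaserver stream for the demos. */
typedef struct { const char *data; size_t pos; } strsrc_t;
static int str_src(void *ctx, char *c)
{
    strsrc_t *s = ctx;
    if (!s->data[s->pos]) return 0;
    *c = s->data[s->pos++];
    return 1;
}

int demo_meta_lines(void)
{
    static char big[1300];
    memset(big, 'a', 1200); memcpy(big + 1200, "\nshort entry\n", 14);
    strsrc_t s = { big, 0 };
    char buf[META_LINEMAX];
    int r1 = meta_read_line(str_src, &s, buf, sizeof buf);   /* 1200 'a': rejected */
    int r2 = meta_read_line(str_src, &s, buf, sizeof buf);   /* next entry still readable */
    int r3 = meta_read_line(str_src, &s, buf, sizeof buf);
    return r1 == META_LINE_TOO_LONG && r2 == META_LINE_OK
        && strcmp(buf, "short entry") == 0 && r3 == META_EOF;
}

int demo_clientstat(void)
{
    ship_t ships[MAXSHIPS] = {{0}};
    int snum = 0, unum = 0;
    sp_clientstat_t bad_ship = { 0xff, 3, 0 };          /* snum out of range */
    sp_clientstat_t bad_user = { 1, 3, 0xffff };         /* unum 0xffff */
    sp_clientstat_t good     = { 1, 3, 0x0200 };         /* unum 2 in network order */
    return clientstat_apply(&bad_ship, ships, MAXSHIPS, MAXUSERS, &snum, &unum) == -1
        && clientstat_apply(&bad_user, ships, MAXSHIPS, MAXUSERS, &snum, &unum) == -2
        && clientstat_apply(&good, ships, MAXSHIPS, MAXUSERS, &snum, &unum) == 0
        && snum == 1 && unum == 2 && ships[1].team == 3;
}
```

The 1200-byte line in the first demo is the same input the PoC in
section 3 feeds to the client; the reader here drops it and still
parses the entry that follows, which is what a setgid binary should do
with untrusted metaserver output.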


###

===
3) The Code
===


A]
- launch a fake metaserver which sends more than 1024 chars:
  perl -e 'print "a"x1200' | nc -l -p 1700 -v -v -n

- launch the client specifying the alternate metaserver:
  conquest -m -M 127.0.0.1

- interrupt the fake metaserver, conquest should have crashed trying
  to execute the code at offset 0x61616161


B]
- get the source code of the server, modify the scstat.snum or
  scstat.unum value in the sendClientStat function located in server.c
  giving them values like 0xff (for snum) or htons(0x) (for unum)
  depending on which of the two bugs you want to test:

  scstat.type = SP_CLIENTSTAT;
  scstat.flags = flags;
- scstat.snum = snum;
+ scstat.snum = 0xff;
  scstat.team = team;
  scstat.unum = htons(unum);
  scstat.esystem = esystem;

- compile the new server, launch it and join with a client which will
  crash after the login


###

==
4) Fix
==


SVN 693


####
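Added here as an example, not code from Conquest: a bounded version of the two patterns in the advisory above, the metaserver line-read loop with a limit on both the 1024-byte line buffer and the META_MAXSERVERS table, and an SP_CLIENTSTAT handler that range-checks snum and unum before they index anything. MAXSHIPS and MAXUSERS are hypothetical array sizes, the sample replies are constructed, and all helper names are mine.

```c
/* Added example, not Conquest code: the two patterns from this advisory with
 * bounds enforced.  META_MAXSERVERS and the 1024-byte line buffer are the
 * values quoted above; MAXSHIPS and MAXUSERS are hypothetical array sizes. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define META_MAXSERVERS 1000
#define LINE_BUF        1024
#define MAXSHIPS        20    /* hypothetical: entries in Ships[] */
#define MAXUSERS        500   /* hypothetical: entries in Users[] */

/* Consume one '\n'-terminated line from src, storing at most bufsz-1 bytes.
 * Returns bytes consumed, or -1 when the line does not fit or never ends;
 * the original loop kept writing buf[off++] with no bound at all. */
static int read_line_bounded(const char *src, size_t srclen,
                             char *buf, size_t bufsz)
{
    size_t off = 0, i;
    for (i = 0; i < srclen; i++) {
        if (src[i] == '\n') {
            buf[off] = '\0';
            return (int)(i + 1);
        }
        if (off + 1 >= bufsz)         /* leave room for the terminator */
            return -1;
        buf[off++] = src[i];
    }
    return -1;                        /* no newline: incomplete line */
}

/* Walk a whole metaserver reply, keeping at most META_MAXSERVERS records
 * (the size of the static servers[] array) and stopping at the first
 * oversized line.  Returns how many records str2srec() would receive. */
static int parse_server_list(const char *reply, size_t len)
{
    char line[LINE_BUF];
    size_t pos = 0;
    int nums = 0;

    while (pos < len && nums < META_MAXSERVERS) {
        int n = read_line_bounded(reply + pos, len - pos, line, sizeof line);
        if (n < 0)
            break;
        pos += (size_t)n;
        if (line[0] != '\0')          /* str2srec(&servers[nums], line) */
            nums++;
    }
    return nums;
}

/* SP_CLIENTSTAT fields as they arrive: snum one byte, unum big-endian. */
typedef struct {
    uint8_t snum;
    uint8_t unum[2];
    uint8_t team;
} clientstat_t;

/* Range-check both indices before they touch Ships[] or Users[]. */
static int handle_clientstat(const clientstat_t *sc, int *snum, int *unum)
{
    int s = sc->snum;
    int u = (sc->unum[0] << 8) | sc->unum[1];    /* ntohs() by hand */

    if (s >= MAXSHIPS || u >= MAXUSERS)
        return -1;                    /* drop the packet instead of indexing */
    *snum = s;
    *unum = u;
    return 0;
}

/* Constructed inputs (not real metaserver traffic) for the checks below. */
static int demo_normal_list(void)
{
    const char reply[] = "server-one 1700\nserver-two 1700\n";
    return parse_server_list(reply, sizeof reply - 1);
}
static int demo_oversized_line(void)
{
    char reply[1200];                 /* 1199 bytes of 'a', then '\n' */
    memset(reply, 'a', sizeof reply - 1);
    reply[sizeof reply - 1] = '\n';
    return parse_server_list(reply, sizeof reply);
}
static int demo_clientstat(uint8_t snum, uint8_t unum_hi, uint8_t unum_lo)
{
    clientstat_t sc = { snum, { unum_hi, unum_lo }, 1 };
    int s, u;
    return handle_clientstat(&sc, &s, &u);
}

int main(void)
{
    printf("normal list: %d records, oversized line: %d records\n",
           demo_normal_list(), demo_oversized_line());
    printf("snum=3/unum=5: %d, snum=0xff: %d\n",
           demo_clientstat(3, 0, 5), demo_clientstat(0xff, 0, 5));
    return 0;
}
```

The oversized line is rejected as a whole rather than truncated, because a truncated server record would be parsed as a different record than the one sent; the same choice applies to the index check, which drops the packet instead of clamping the value.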

[Full-disclosure] Limited format string in Netrek 2.12.0

2007-03-02 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Netrek
  http://www.netrek.org
Versions: <= 2.12.0 (Vanilla server)
Platforms:*nix and Windows
Bug:  format string
Exploitation: remote (in-game)
Date: 02 Mar 2007
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


Netrek is a well known real-time strategy game inspired by Star Trek.


###

==
2) Bug
==


The Vanilla server is affected by a format string vulnerability caused
by the calling of the pmessage2() function without the needed format
argument.

The bug is located in new_warning() and can be exploited through the
locking of a player (the attacker too) who is using a malformed
nickname.

Note that the EVENTLOG switch must be enabled for exploiting this
vulnerability (default is disabled).

from ntserv/warning.c:

void new_warning(int index, const char *fmt, ...) {

  char temp[150];

  va_list args;
  va_start(args, fmt);

  vsprintf(temp, fmt, args);

  ...

  if (eventlog) {

char from_str[9]="WRN->\0\0\0";

strcat(from_str, me->p_mapchars);
pmessage2(0, 0, from_str, me->p_no, temp);
  }


###

===
3) The Code
===


http://aluigi.org/poc/netrekfs.zip


###

==
4) Fix
==


Version 2.12.1


###


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Players disconnection in Simbin racing games

2007-02-21 Thread Luigi Auriemma

###

 Luigi Auriemma

Applications: games developed by SimBin Development Team
  http://www.simbin.se
Versions: GTR - FIA GT Racing Game   <= 1.5.0.0
http://www.gtr-game.com
  GT Legends <= 1.1.0.0
http://www.gt-legends.com
  GTR 2  <= 1.1
http://www.gtr-game.com
  RACE - The WTCC Game<= 1.0 (0.6.3.0?)
http://www.race-game.org
Platforms:Windows
Bug:  clients disconnection
Exploitation: remote, versus clients
Date: 21 Feb 2007
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


Simbin is a well known software house specialized in developing
racing games deeply devoted to extreme simulation.
All their games are very recent: GTR was released in November 2004
while Race WTCC exactly two years later.


###

==
2) Bug
==


The problem is very simple: a UDP packet of zero bytes (empty) sent to
the main port of the server (usually 48942 for Race WTCC and 34297 for
the other games) forces the disconnection of all the clients connected
to it.
The attacker needs only to send one packet (spoofing possible) and the
clients in the game will be immediately kicked with the message "Lost
connection with the Host".
Then they can re-join again... but can be re-kicked in the same way
too.


###

===
3) The Code
===


- get udpsz from here:

http://aluigi.org/testz/udpsz.zip

- launch it versus the server:

udpsz 127.0.0.1 34297 0 for GTR, GTR2 and GT Legends
udpsz 127.0.0.1 48942 0 for Race WTCC

- check what happened to the clients connected to it


###

==
4) Fix
==


No fix.
No reply received from the developers.


###


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org



[Full-disclosure] Multiple buffer-overflows in libmusicbrainz 2.1.2

2006-08-13 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  libmusicbrainz
  http://musicbrainz.org/doc/libmusicbrainz
Versions: <= 2.1.2 and <= SVN 8406 (current SVN)
Platforms:Windows, *nix, *BSD, Mac and others
Bugs: A] buffer-overflow in MBHttp::Download
  B] various buffer-overflows in rdfparse.c
Exploitation: remote
Date: 13 Aug 2006
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


libmusicbrainz (aka mb_client) is an open source library used in many
multimedia programs for querying MusicBrainz servers.


###

===
2) Bugs
===

--
A] buffer-overflow in MBHttp::Download
--

A malicious MusicBrainz web server can exploit a buffer-overflow in the
Download function of the library through a big redirect HTTP reply
(Location).
This bug can be exploited also in other local ways since the problem is
located in the instructions which handle the URL's hostname.

From lib/http.cpp:

Error MBHttp::Download(const string &url, const string &xml, bool fileDownload)
{
Error  result = kError_InvalidParam;
char   hostname[kMaxHostNameLen + 1];
char   targethostname[kMaxHostNameLen + 1];
char   proxyname[kMaxURLLen + 1];
...
const char *ptr;
hostname[0] = 0;
numFields = sscanf(url.c_str(), "http://%[^:/]:%hu", hostname, &port);
strcpy(targethostname, hostname);
ptr = strchr(url.c_str() + 7, '/');
file = string(ptr ? ptr : "");
...
// 3xx: Redirection - Further action must be taken in order to
// complete the request
case '3':
{
char* cp = strstr(buffer, "Location:");
//int32 length;

if(cp)
{
cp += 9;

if(*cp == 0x20)
cp++;

char *end;
for(end = cp; end < buffer + total; end++)
if(*end=='\r' || *end == '\n') break;

*end = 0x00;
...
result = Download(string(cp), xml, fileDownload);
}
...


-
B] various buffer-overflows in rdfparse.c
-

The instructions in lib/rdfparse.c which parse the RDF data received
from the server are affected by various buffer-overflows exploitable
with long URLs (like a big rdf:resource field) copied in buffers of 256
bytes.

For example in parse_uri the len parameter containing the size of
buffer (one of the base_buffer or reference_buffer buffers of 256 bytes
declared in resolve_uri_reference) is not checked so a long URI will
cause a buffer overflow.
The same function which calls parse_uri is affected by other buffer
overflows for the same reason, the length value is not verified.
Same problem for resolve_id and many other functions.


###

===
3) The Code
===


http://aluigi.org/poc/brainzbof.zip

usage examples:
A] nc -l -p 80 -v -v -n < brainzbof_a.txt
B] nc -l -p 80 -v -v -n < brainzbof_b.txt


###

==
4) Fix
==


A new version will be released soon


###


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org



[Full-disclosure] Stack and heap overflows in MODPlug Tracker/OpenMPT 1.17.02.43 and libmodplug 0.8

2006-08-09 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  OpenMPT (aka MODPlug Tracker)
http://modplug.sourceforge.net
http://www.modplug.com
  libmodplug
http://modplug-xmms.sourceforge.net
Versions: OpenMPT<= 1.17.02.43 and current SVN
  libmodplug <= 0.8 and current CVS
Platforms:Windows
  *nix, *BSD, XMMS plugin and others
Bugs: A] various global buffer overflows in ReadITProject
  B] heap overflow in ReadSample
Exploitation: local
Date: 09 Aug 2006
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


MODPlug Tracker, and naturally its more recent open source version
OpenMPT, is one of the coolest music trackers which supports many music
module types too.
libmodplug instead is a Linux library created from the OpenMPT source
and mainly used for the ModPlug-XMMS plugin.


###

===
2) Bugs
===

---
A] various global buffer overflows in ReadITProject
---

All the text fields in the ITP files are not sanitized so it is possible
to overflow the global variables through this function and possibly
execute malicious code (confirmed in my tests).
Note: ITP files are not supported in libmodplug

From soundlib/Load_it.cpp:

BOOL CSoundFile::ReadITProject(LPCBYTE lpStream, DWORD dwMemLength)
{
...
// Song name

// name string length
memcpy(&id,lpStream+streamPos,sizeof(DWORD));
len = id;
streamPos += sizeof(DWORD);

// name string
memcpy(&m_szNames[0],lpStream+streamPos,len);
streamPos += len;
...
(other overflows)
...


--
B] heap overflow in ReadSample
--

In some modules the ReadSample function can be used to cause a heap
overflow through an invalid nLength value.
As visible in the code below, nLength is incremented by 6 bytes (mem)
and in some cases its value is multiplied by two; the final value is
then used to allocate pIns->pSample (FYI AllocateSample allocates
"(nbytes + 39) & ~7" and returns the pointer plus 16).
An attacker, after having forced the program to allocate 0 bytes, will
be able to overflow the memory through the memcpy instructions which
will copy (depending on nFlags) all the remaining bytes in the file.
The best type of module for exploiting this vulnerability seems to be
AMF.

From soundlib/Sndfile.cpp:

UINT CSoundFile::ReadSample(MODINSTRUMENT *pIns, UINT nFlags, LPCSTR lpMemFile, DWORD dwMemLength)
//
{
UINT len = 0, mem = pIns->nLength+6;

if ((!pIns) || (pIns->nLength < 4) || (!lpMemFile)) return 0;
if (pIns->nLength > MAX_SAMPLE_LENGTH) pIns->nLength = MAX_SAMPLE_LENGTH;
...
if ((pIns->pSample = AllocateSample(mem)) == NULL)
...
default:
len = pIns->nLength;
if (len > dwMemLength) len = pIns->nLength = dwMemLength;
memcpy(pIns->pSample, lpMemFile, len);
}
...


###

===
3) The Code
===


http://aluigi.org/poc/mptho.zip


###

==
4) Fix
==


A new version will be released soon


###


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org



[Full-disclosure] Multiple buffer-overflows in AlsaPlayer 0.99.76

2006-08-09 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  AlsaPlayer
  http://www.alsaplayer.org
Versions: <= 0.99.76 and current CVS
Platforms:*nix and others
Bugs: A] buffer-overflow in reconnect's redirection
  B] buffer-overflow in GTK playlist
  C] buffer-overflow in cddb_lookup
Exploitation: remote and local
Date: 09 Aug 2006
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


AlsaPlayer is a well known and used open source media player originally
built around the Alsa drivers.


###

==
2) Bug
==

-
A] buffer-overflow in reconnect's redirection
-

The function which handles the HTTP connections is vulnerable to a
buffer-overflow that happens when it uses sscanf for copying the URL in
the Location's field received from the server into the redirect buffer
of only 1024 bytes declared in http_open.

From reader/http/http.c:

static int reconnect (http_desc_t *desc, char *redirect)
{
char request [2048];
char response [10240];
...
} else if (rc == 302) {
s = strstr(response, "302");
if (s) {
//alsaplayer_error("%s", s);
s = strstr(response, "Location: ");
if (s && redirect) {
/* Parse redirect */
if (sscanf(s, "Location: %[^\r]", redirect)) {
/* alsaplayer_error("Redirection: %s", redirect); */
}   
}
return 1;
}
...


--
B] buffer-overflow in GTK playlist
--

A buffer-overflow exists in the functions which add items to the
playlist when the GTK interface is used (so the other interfaces are
not affected by this problem): new_list_item and CbUpdated in
interface/gtk/PlaylistWindow.cpp.
The best way for exploiting this bug is through the following URLs
(perfect, for example, if AlsaPlayer is the default player of the web
browser):

  http://a(more_than_1024_chars)a
or
  http://127.0.0.1/a(more_than_1024_chars)a.mp3


-
C] buffer-overflow in cddb_lookup
-

AlsaPlayer automatically queries the CDDB server specified in its
configuration (by default freedb.freedb.org) when the user chooses the
CDDA function for playing audio CDs.
The function which queries the server uses a buffer of 20 bytes and one
of 9 for storing the category and ID strings received from the server,
while the buffer which contains this server's response is 32768 bytes
long.
Naturally for exploiting this bug the attacker must have control of the
freedb server specified in the AlsaPlayer's configuration.

From input/ccda/cdda_engine.c:

char * cddb_lookup (char *address, char *char_port, int discID, struct cd_trk_list *tl)
{
int port = atoi (char_port);
int server_fd, i, j, n;
int total_secs = 0, counter = 0;
char *answer = NULL, *username, *filename, categ[20], newID[9];
char msg[BUFFER_SIZE], offsets[BUFFER_SIZE], tmpbuf[BUFFER_SIZE];
char hostname[MAXHOSTNAMELEN], server[80];
...
/* copy the match to the category */
j = 0;
while (answer[i] != ' ') 
categ[j++] = answer[i++];
categ[j++] = '\0';

/* copy the new cdID */
j = 0; 
i++;
while (answer[i] != ' ') 
newID[j++] = answer[i++];
newID[j++] = '\0';
}
...


###

===
3) The Code
===


http://aluigi.org/poc/alsapbof.zip

usage examples:
A] nc -l -p 80 -v -v -n < alsapbof_a.txt
B] alsaplayer http://`perl -e 'print "a"x2000'`
C] nc -l -p 888 -v -v -n < alsapbof_c.txt


###

==
4) Fix
==


I have tried to contact the developer some days ago but it seems that
the program is no longer supported (the latest version is three years
old).


###


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org

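Added example, not code from libmusicbrainz or AlsaPlayer, covering the sscanf("%[^:/]") hostname copy in MBHttp::Download above and the two AlsaPlayer copies (the "Location: %[^\r]" sscanf in reconnect and the category/ID loops in cddb_lookup): server-controlled strings copied into fixed buffers with a bound. MAX_HOST is a hypothetical stand-in for kMaxHostNameLen; the 20- and 9-byte sizes are the ones the cddb_lookup advisory quotes; the sample URLs and CDDB reply are constructed.

```c
/* Added example, not libmusicbrainz or AlsaPlayer code: server-controlled
 * strings copied into fixed buffers the bounded way.  MAX_HOST stands in
 * for kMaxHostNameLen (value not quoted above); CATEG_LEN and ID_LEN are
 * the 20- and 9-byte sizes the cddb_lookup advisory gives.  The same width
 * trick fixes AlsaPlayer's "Location: %[^\r]" (use %1023[^\r] for its
 * 1024-byte redirect buffer). */
#include <stdio.h>
#include <string.h>

#define MAX_HOST  64   /* hypothetical; the %63 width below is MAX_HOST-1 */
#define CATEG_LEN 20
#define ID_LEN    9

/* "http://host[:port]/..." -> host and port.  The width on %[^:/] makes
 * sscanf stop at MAX_HOST-1 characters, and checking what follows the
 * consumed host turns a silently truncated name into a rejected URL. */
static int parse_url_host(const char *url, char host[MAX_HOST],
                          unsigned short *port)
{
    int consumed = 0;
    const char *rest;

    *port = 80;
    host[0] = '\0';
    if (sscanf(url, "http://%63[^:/]%n", host, &consumed) != 1)
        return -1;
    rest = url + consumed;
    if (*rest == ':') {
        if (sscanf(rest, ":%hu%n", port, &consumed) != 1)
            return -1;
        rest += consumed;
    }
    if (*rest != '/' && *rest != '\0')
        return -1;                    /* host longer than MAX_HOST-1, or junk */
    return 0;
}

/* One space-delimited token (CDDB category or disc id) -> dst.  The original
 * loop stopped only at ' ', so a long or unterminated reply ran past both
 * the 20/9-byte targets and the reply itself; this one also stops at NUL
 * and refuses tokens that would not fit.  Returns the length or -1. */
static int copy_token(const char *answer, char *dst, size_t dstlen)
{
    size_t j = 0;
    while (answer[j] != ' ' && answer[j] != '\0') {
        if (j + 1 >= dstlen)
            return -1;
        dst[j] = answer[j];
        j++;
    }
    dst[j] = '\0';
    return (int)j;
}

/* Constructed inputs for the checks below. */
static const char LONG_HOST_URL[] = "http://"
    "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa"
    "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa" "aaaaaaaaaa"   /* 80 'a' > MAX_HOST-1 */
    "/";

/* Port of a parsed URL, or -1 if the URL was rejected. */
static int demo_host(const char *url)
{
    char host[MAX_HOST];
    unsigned short port;
    if (parse_url_host(url, host, &port) != 0)
        return -1;
    return (int)port;
}

/* Length of the disc id copied from a "categ discid title" reply, or -1. */
static int demo_cddb(const char *answer)
{
    char categ[CATEG_LEN], newID[ID_LEN];
    int n = copy_token(answer, categ, sizeof categ);
    if (n < 0 || answer[n] != ' ')
        return -1;
    return copy_token(answer + n + 1, newID, sizeof newID);
}

int main(void)
{
    printf("port: %d, long host: %d\n",
           demo_host("http://musicbrainz.org:8080/cgi-bin/mq"), demo_host(LONG_HOST_URL));
    printf("disc id length: %d, oversized: %d\n",
           demo_cddb("rock 7a0b8c09 Some Album"), demo_cddb("rock 7a0b8c09ffff Some Album"));
    return 0;
}
```

A width on a %[ or %s conversion only stops the copy; it does not tell the caller that input was dropped, which is why the character after the consumed host is inspected and anything other than ':', '/' or end-of-string makes the URL fail. In the original code a redirect to a hostname longer than the buffer would otherwise be followed with a silently truncated host.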


[Full-disclosure] Multiple vulnerabilities in DConnect Daemon 0.7.0 (CVS 30 Jul 2006)

2006-08-06 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  DConnect Daemon
  http://www.dc.ds.pg.gda.pl
Versions: <= 0.7.0 and CVS <= 30 Jul 2006
Platforms:Windows, *nix, *BSD and others
Bugs: A] listen_thread_udp buffer-overflow
  B] dc_chat NULL pointer
  C] various format string bugs (privileges needed)
Exploitation: remote
Date: 06 Aug 2006
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


DConnect Daemon is an open source P2P server for the Direct Connect
protocol.


###

===
2) Bugs
===


---
A] listen_thread_udp buffer-overflow
---


The main function which handles the UDP packets is affected by a
buffer-overflow vulnerability which happens when a nickname longer than
32 (NICK_LEN) chars is received.
The UDP port is disabled by default; the min_slots parameter in
dcd.conf must be enabled for using this service.

From main.c:

void listen_thread_udp(void *args)
...
char *ip=NULL, bufor[10001], *cmd=NULL, *nick=NULL, *s_slots=NULL, *__strtok_temp__=NULL, nick_prev[NICK_LEN], *filename;
...
if (!i)nick_prev[0]=0;  
else strcpy(nick_prev,nick);
...


---
B] dc_chat NULL pointer
---

The dc_chat function used for handling the messages received from the
clients leads to a crash caused by usr->nick which points to NULL if
the client has not sent its nickname yet (so it's enough to send a
message as first command for exploiting this bug).

From cmd.dc.c:

void dc_chat(dc_param_t *param)
{
userrec_t *usr = param->usr;
...
if (strcmp(cmd,usr->nick))
...


-
C] various format string bugs (privileges needed)
-

privmsg and pubmsg are two functions used to send messages to one or
more users.
Both the functions require a format argument (like printf) which is
missing in some parts of the code.
These format string vulnerabilities can be exploited only if the
attacker has superior user or administrator privileges.

From cmd.user.c:

void chat_msg(chat_param_t *param)
...
if (user[n]!=usr) pubmsg(user[n],msg);
...

void chat_msg_all(chat_param_t *param)
...
pubmsg(NULL,par);
...

void chat_msg_prv(chat_param_t *param)
...
if (user[n]!=usr) privmsg(user[n],NULL,msg);
...

void chat_msg_prv_all(chat_param_t *param)
...
privmsg(NULL,NULL,msg);
...

From penalties.c:

void penalprvmsg(userrec_t *to, char *op, char *fmt, ...)
...
privmsg(to,op,str);
...

From cmd.dc.c:

void dc_OpForceMove(dc_param_t *param)
...
privmsg(usr,NULL,msg);
...


###

===
3) The Code
===


http://aluigi.org/poc/dconnx.zip


###

==
4) Fix
==


CVS 31 Jul 2006:

  cvs -d:pserver:[EMAIL PROTECTED]:/home/cvsroot get dc-hub


###


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org

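Added example covering both the Netrek new_warning() bug earlier on this page and the DConnect privmsg()/pubmsg() calls above; it is not code from either project. A printf-style sink stands in for those functions and is called once with the player text as the format (the call shape both advisories describe) and once with a constant "%s" format and the player text as an argument. The sample nickname is constructed so that the difference is visible without the vulnerable call consuming arguments that were never passed.

```c
/* Added example, not Netrek or DConnect code: a printf-style message sink
 * standing in for pmessage2()/privmsg(), called the vulnerable way and the
 * fixed way with the same player-supplied text. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_LEN 80

/* Formats like the real functions do before sending; the buffer is bounded
 * here so the only difference under test is where the format comes from. */
static void message_sink(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* Vulnerable shape: the player-controlled string is used AS the format, so
 * every '%' directive in a nickname or message is interpreted. */
static void warn_vulnerable(char *out, size_t outlen, const char *player_text)
{
    message_sink(out, outlen, player_text);
}

/* Fixed shape: a constant format, player text passed as an argument.
 * This is the one-token change the 2.12.1 / CVS fixes amount to. */
static void warn_fixed(char *out, size_t outlen, const char *player_text)
{
    message_sink(out, outlen, "%s", player_text);
}

/* 1 if the text reached the output verbatim, 0 if it was interpreted. */
static int text_preserved(void (*warn)(char *, size_t, const char *),
                          const char *text)
{
    char out[MSG_LEN];
    warn(out, sizeof out, text);
    return strcmp(out, text) == 0;
}

/* Constructed nickname containing only the argument-free "%%" directive, so
 * the vulnerable path is exercised without reading missing arguments. */
static const char SAMPLE_NICK[] = "WRN->100%%_captain";

int main(void)
{
    printf("vulnerable call preserves text: %d\n",
           text_preserved(warn_vulnerable, SAMPLE_NICK));
    printf("fixed call preserves text:      %d\n",
           text_preserved(warn_fixed, SAMPLE_NICK));
    return 0;
}
```

The property to check in a review is the one text_preserved() tests: a string that comes from the network must reach the output unchanged, whatever it contains. Compiling the real code with -Wformat -Wformat-security flags the vulnerable shape once the sink is declared with the printf format attribute.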


[Full-disclosure] Multiple vulnerabilities in Open Cubic Player 2.6.0pre6 / 0.1.10_rc5

2006-07-31 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Open Cubic Player
  http://www.cubic.org/player/
  http://stian.lunafish.org/coding-ocp.php
Versions: DOS/Windows <= 2.6.0pre6
  Linux/*BSD  <= 0.1.10_rc5
Platforms:DOS, Windows, *nix, *BSD and others
Bugs: A] buffer-overflow in mpLoadS3M
  B] buffer-overflow in itload.cpp
  C] buffer-overflow in mpLoadULT
  D] double buffer-overflow in mpLoadAMS
Exploitation: local
Date: 31 Jul 2006
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


Open Cubic Player (OCP) is an open source music player started back in
1994 but still used and supported.


###

===
2) Bugs
===


The programs (both the original source and its *nix fork) are affected
by the following vulnerabilities:


---
A] buffer-overflow in mpLoadS3M
---

Buffer-overflow caused by the reading of a huge amount of data (orders
and the other values have a signed type so a negative value like -1 is
the same as 0x, and naturally it is also possible to use positive
numbers of max 32767) in buffers of only 256 elements.

From playgmd/gmdls3m.cpp:

extern "C" int mpLoadS3M(gmdmodule &m, binfile &file)
  ...
  struct
  ...
short orders,ins,pats,flags,cwt,ffv;
  ...
  m.patnum=hdr.orders;
  ...
  unsigned char orders[256];
  unsigned short inspara[256];
  unsigned short patpara[256];
  unsigned long smppara[256];
  unsigned char defpan[32];

  file.read(orders, m.patnum);
  ...



---
B] buffer-overflow in itload.cpp
---


From playit/itload.cpp:

int itplayerclass::module::load(binfile &file)
...
unsigned short nords;
unsigned short nins;
unsigned short nsmps;
unsigned short npats;
  ...
  unsigned char ords[256];
  unsigned long sampoff[100];
  unsigned long insoff[100];
  unsigned long patoff[200];

  file.read(ords, hdr.nords);
  file.read(insoff, hdr.nins*4);
  file.read(sampoff, hdr.nsmps*4);
  file.read(patoff, hdr.npats*4);
  ...


---
C] buffer-overflow in mpLoadULT
---

From playgmd/gmdlult.cpp:

extern "C" int mpLoadULT(gmdmodule &m, binfile &file)
  ...
  unsigned char chnn;
  unsigned char patn;

  chnn=file.getc();
  patn=file.getc();

  m.channum=chnn+1;

  unsigned char panpos[32];

  if (ver>=2)
file.read(panpos, m.channum);
  ...


--
D] double buffer-overflow in mpLoadAMS
--

Two vulnerabilities exist here; the first one happens during the
reading of the data array in the envs structure.
data is an array of 64*3 bytes but the program allows the reading of
255*3 bytes causing a buffer-overflow.
The second vulnerability instead happens during the reading of the name
of each pattern, where patname is a buffer of only 11 bytes that must
contain the attacker's data, which can reach a length of 255 bytes.

From playgmd/gmdlams.cpp:

extern "C" int mpLoadAMS(gmdmodule &m, binfile &file)
...
struct
{
  unsigned char speed;
  unsigned char sustain;
  unsigned char loopstart;
  unsigned char loopend;
  unsigned char points;
  unsigned char data[64][3];
} envs[3];
unsigned short envflags;

file.read(samptab, 120);
for (j=0; j<3; j++)
{
  file.read(&envs[j], 5);
  file.read(envs[j].data, envs[j].points*3);
}

... (second bug) ...

namelen=file.getc();
patlen-=3+namelen;
char patname[11];
file.read(patname, namelen);
...


###

===
3) The Code
===


http://aluigi.org/poc/ocpbof.zip


###

==
4) Fix
==


The bugs will be fixed in the next versions.


###


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org

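Added example, not code from Open Cubic Player: the pattern behind all four loaders above is a count read from the file header, multiplied by an element size and handed straight to file.read() against a fixed array, so here is a read_array() helper that checks the count for sign, array capacity, multiplication overflow and remaining file size before copying. The in-memory reader and the toy header layout are hypothetical; the orders[256]/inspara[256] sizes and the signed 16-bit counts are the ones the S3M advisory quotes, and the sample files are constructed.

```c
/* Added example, not OCP code: reading a header-declared number of array
 * entries from a module file without trusting the count.  The in-memory
 * reader and the toy header layout are hypothetical; the orders[256] and
 * inspara[256] sizes and the signed 16-bit counts are the ones the S3M
 * advisory above describes. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    const uint8_t *data;
    size_t len, pos;
} memfile;

/* Copy `count` elements of `elem` bytes each into an array of `cap`
 * elements.  Rejects negative counts (a signed header field that the
 * original turned into a huge read), counts beyond the array, byte sizes
 * that would overflow, and reads running past the end of the file. */
static int read_array(memfile *f, void *dst, size_t cap, size_t elem, long count)
{
    size_t n, bytes;

    if (count < 0)
        return -1;
    n = (size_t)count;
    if (n > cap)
        return -1;
    if (elem != 0 && n > SIZE_MAX / elem)
        return -1;
    bytes = n * elem;
    if (bytes > f->len - f->pos)
        return -1;
    memcpy(dst, f->data + f->pos, bytes);
    f->pos += bytes;
    return 0;
}

/* Little-endian signed 16-bit header field, as S3M stores its counts. */
static int read_s16(memfile *f, int16_t *out)
{
    if (f->len - f->pos < 2)
        return -1;
    *out = (int16_t)(f->data[f->pos] | (f->data[f->pos + 1] << 8));
    f->pos += 2;
    return 0;
}

/* Toy S3M-like module: order count, orders, instrument count, inspara.
 * Returns the number of orders loaded, or -1 if the file was rejected. */
static int load_module(const uint8_t *file, size_t len)
{
    memfile f = { file, len, 0 };
    unsigned char orders[256];
    unsigned short inspara[256];
    int16_t norders, nins;

    if (read_s16(&f, &norders) != 0
        || read_array(&f, orders, 256, 1, norders) != 0
        || read_s16(&f, &nins) != 0
        || read_array(&f, inspara, 256, sizeof inspara[0], nins) != 0)
        return -1;
    return norders;
}

/* Constructed module files (not real S3M data). */
static const uint8_t FILE_OK[]        = { 0x03, 0x00, 1, 2, 3, 0x01, 0x00, 0x34, 0x12 };
static const uint8_t FILE_TOO_MANY[]  = { 0x2c, 0x01, 1, 2, 3 };   /* 300 orders */
static const uint8_t FILE_NEGATIVE[]  = { 0xff, 0xff, 1, 2, 3 };   /* -1 orders */
static const uint8_t FILE_TRUNCATED[] = { 0x03, 0x00, 1, 2 };      /* claims 3, has 2 */

int main(void)
{
    printf("ok: %d, too many: %d, negative: %d, truncated: %d\n",
           load_module(FILE_OK, sizeof FILE_OK),
           load_module(FILE_TOO_MANY, sizeof FILE_TOO_MANY),
           load_module(FILE_NEGATIVE, sizeof FILE_NEGATIVE),
           load_module(FILE_TRUNCATED, sizeof FILE_TRUNCATED));
    return 0;
}
```

The count is taken as a signed long on purpose: a loader that reads a signed header field and converts it to an unsigned size first loses the ability to notice -1, which is exactly the conversion the advisory points at.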


[Full-disclosure] Heap overflow in the GT2 loader of libmikmod 3.2.2

2006-07-24 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  libmikmod
  http://mikmod.raphnet.net
  http://sourceforge.net/projects/mikmod/
Versions: <= 3.2.2 and current CVS
  versions 2.x.x and all the others in which the GT2 file
  format isn't implemented are not vulnerable
Platforms:Windows, POSIX, Mac
Bug:  heap overflow in GT2's loadChunk
Exploitation: local
Date: 24 Jul 2006
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


libmikmod is a library mainly used by Mikmod for playing different
types of audio modules (669, amf, asy, dsm, far, gdm, gt2, imf, it,
m15, med, mod, mtm, okt, s3m, stm, stx, ult, uni and xm).


###

==
2) Bug
==


GT2 is the GRAOUMF TRACKER module file format
(http://thorkildsen.no/faqsys/docs/gt2-form.txt).

During the handling of the XCOM chunk (a field which contains an extra
comment) libmikmod reads the 32 bit number which specifies the size of
the comment and then allocates an amount of memory equal to this value
plus one, probably for an optional but unused NULL byte at the end of
the comment.
The result is that the library allocates about zero bytes of memory
("about" since MikMod_malloc allocates 20 bytes more than the desired
size) if an attacker uses the value 0x (0x + 1 = 0) and
then tries to read the amount of memory specified by the size value
overflowing the allocated memory.

From loaders/load_gt2.c:

GT_CHUNK *loadChunk(void)
...
if (!memcmp(new_chunk, "XCOM", 4)) {
new_chunk->xcom.chunk_size = _mm_read_M_ULONG(modreader);
new_chunk->xcom.comment_len = _mm_read_M_ULONG(modreader);
new_chunk->xcom.comment = MikMod_malloc(new_chunk->xcom.comment_len + 1);
_mm_read_UBYTES(new_chunk->xcom.comment, new_chunk->xcom.comment_len, modreader);
return new_chunk;
}
...


###

===
3) The Code
===


http://aluigi.org/poc/lmmgt2ho.zip


###

==
4) Fix
==


No fix.
No reply from the developers.


###


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org

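Added example, not code from libmikmod or OpenMPT, covering the XCOM comment_len + 1 allocation above and the ReadSample "nLength + 6" computation from the OpenMPT advisory earlier on this page: both are allocation sizes computed in 32-bit arithmetic that can wrap to a tiny value, so both are redone here with each step checked before the allocation. The max_len clamp stands in for MAX_SAMPLE_LENGTH, whose value is not quoted above, and the chunk payload is constructed.

```c
/* Added example, not OpenMPT or libmikmod code: the two allocation-size
 * computations from the ReadSample and XCOM advisories done in checked
 * 32-bit arithmetic, the width the originals use.  The max_len clamp stands
 * in for MAX_SAMPLE_LENGTH, whose value is not quoted above. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* ReadSample computed "mem = nLength + 6" before clamping nLength, so the
 * clamp came too late.  Here the clamp is applied first, the optional
 * doubling for 16-bit data and the +6 padding each refuse to wrap, and the
 * caller gets the byte count only when every step succeeded. */
static int sample_alloc_size(uint32_t nLength, int sixteen_bit,
                             uint32_t max_len, uint32_t *mem)
{
    if (nLength < 4)                  /* same lower bound as the original */
        return -1;
    if (nLength > max_len)
        nLength = max_len;
    if (sixteen_bit) {
        if (nLength > UINT32_MAX / 2)
            return -1;
        nLength *= 2;
    }
    if (nLength > UINT32_MAX - 6)
        return -1;
    *mem = nLength + 6;
    return 0;
}

/* XCOM chunk: comment_len + 1 must not wrap to 0 (the 0xffffffff case the
 * advisory describes), and the comment must not claim more bytes than the
 * chunk still holds.  Returns a NUL-terminated copy for the caller to free,
 * or NULL when the length is rejected. */
static char *read_comment(const uint8_t *chunk, size_t remaining,
                          uint32_t comment_len)
{
    char *comment;

    if (comment_len == UINT32_MAX || comment_len > remaining)
        return NULL;
    comment = malloc((size_t)comment_len + 1);
    if (!comment)
        return NULL;
    memcpy(comment, chunk, comment_len);
    comment[comment_len] = '\0';
    return comment;
}

/* Helpers for the checks below.  demo_sample returns the byte count or 0
 * when rejected (a valid count is never below 10); demo_comment returns
 * 1 / 0 / -1 for correct copy / wrong copy / rejected. */
static uint32_t demo_sample(uint32_t nLength, int sixteen_bit, uint32_t max_len)
{
    uint32_t mem;
    return sample_alloc_size(nLength, sixteen_bit, max_len, &mem) == 0 ? mem : 0;
}

static int demo_comment(uint32_t claimed_len)
{
    static const char payload[] = "GT2 extra comment";   /* constructed chunk body */
    char *c = read_comment((const uint8_t *)payload, sizeof payload - 1, claimed_len);
    int ok;
    if (!c)
        return -1;
    ok = strcmp(c, "GT2 extra comment") == 0;
    free(c);
    return ok;
}

int main(void)
{
    printf("sample 100: %u, 100 x2: %u, wrapping: %u\n",
           (unsigned)demo_sample(100, 0, 0x08000000u),
           (unsigned)demo_sample(100, 1, 0x08000000u),
           (unsigned)demo_sample(0xfffffffbu, 0, UINT32_MAX));
    printf("comment 17: %d, 0xffffffff: %d, 500: %d\n",
           demo_comment(17), demo_comment(UINT32_MAX), demo_comment(500));
    return 0;
}
```

Checking the length against the bytes actually remaining in the chunk is the second half of the fix: even with the +1 wrap closed, a 32-bit length that the file cannot back still turns into a read of unallocated memory (or, in the MikMod_malloc case, an allocation that the reader then overruns).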


[Full-disclosure] Two crash vulnerabilities in Freeciv 2.1.0-beta1 (SVN 15 Jul 2006)

2006-07-23 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Freeciv
  http://www.freeciv.org
Versions: <= 2.1.0-beta1 and SVN <= 15 Jul 2006
Platforms:Windows, *nix, *BSD, MacOS and more
Bugs: A] memcpy crash in generic_handle_player_attribute_chunk
  B] invalid memory access in handle_unit_orders
Exploitation: remote, versus server
Date: 23 Jul 2006
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


Freeciv is an open source clone of the well known Civilization game.
The game also supports online gaming through its own metaserver (which
can be seen on the web too) and GGZ (http://www.ggzgamingzone.org).


###

===
2) Bugs
===


---
A] memcpy crash in generic_handle_player_attribute_chunk
---


handle_player_attribute_chunk (which points to
generic_handle_player_attribute_chunk) is a function used by both
client and server when a PACKET_PLAYER_ATTRIBUTE_CHUNK packet is
received.
The function acts like a reassembler of data for an allocated buffer
which can have a size of max 262144 bytes.
Two problems exist in this function:
- the length of the current chunk received (chunk_length) is not
  verified so using a negative value an attacker can bypass the initial
  check and can copy a huge amount of data ((unsigned)chunk_length) in
  the data buffer with the subsequent crash
- the check "chunk->offset + chunk->chunk_length > chunk->total_length"
  can be bypassed using a very big positive offset like 0x7fff
  which will allow the copying of data from our packet to the memory
  located at the malformed offset of the allocated buffer.
  It doesn't seem possible to execute malicious code with this bug since
  the destination memory is usually invalid

From common/packets.c:

void generic_handle_player_attribute_chunk(struct player *pplayer,
                                           const struct packet_player_attribute_chunk *chunk)
{
  freelog(LOG_DEBUG, "received attribute chunk %d/%d %d", chunk->offset,
  chunk->total_length, chunk->chunk_length);

  if (chunk->total_length < 0
  || chunk->total_length >= MAX_ATTRIBUTE_BLOCK
  || chunk->offset < 0
  || chunk->offset + chunk->chunk_length > chunk->total_length
  || (chunk->offset != 0
  && chunk->total_length != pplayer->attribute_block_buffer.length)) {
/* wrong attribute data */
if (pplayer->attribute_block_buffer.data) {
  free(pplayer->attribute_block_buffer.data);
  pplayer->attribute_block_buffer.data = NULL;
}
pplayer->attribute_block_buffer.length = 0;
freelog(LOG_ERROR, "Received wrong attribute chunk");
return;
  }
  /* first one in a row */
  if (chunk->offset == 0) {
if (pplayer->attribute_block_buffer.data) {
  free(pplayer->attribute_block_buffer.data);
  pplayer->attribute_block_buffer.data = NULL;
}
pplayer->attribute_block_buffer.data = fc_malloc(chunk->total_length);
pplayer->attribute_block_buffer.length = chunk->total_length;
  }
  memcpy((char *) (pplayer->attribute_block_buffer.data) + chunk->offset,
 chunk->data, chunk->chunk_length);
  ...


--
B] invalid memory access in handle_unit_orders
--

The server's function handle_unit_orders doesn't check the maximum
size of the packet->length value, which should not be bigger than 2000
(MAX_LEN_ROUTE), while it is possible for an attacker to use any
positive number.
The crash could require several tries (usually 3) before happening.

From server/unithand.c:

void handle_unit_orders(struct player *pplayer,
struct packet_unit_orders *packet)
{
  struct unit *punit = player_find_unit_by_id(pplayer, packet->unit_id);
  struct tile *src_tile = map_pos_to_tile(packet->src_x, packet->src_y);
  int i;

  if (!punit || packet->length < 0 || punit->activity != ACTIVITY_IDLE) {
return;
  }

  if (src_tile != punit->tile) {
/* Failed sanity check.  Usually this happens if the orders were sent
 * in the previous turn, and the client thought the unit was in a
 * different position than it's act
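Added example, not code from Freeciv: the attribute-chunk reassembler from bug A above rewritten so that every field is range-checked on its own before the combined "offset + chunk_length > total_length" test runs, which is what closes both the negative chunk_length and the huge-offset bypass. MAX_ATTRIBUTE_BLOCK is the value the advisory quotes; CHUNK_DATA_MAX, the per-packet payload size, is hypothetical, and the chunk sequences are constructed.

```c
/* Added example, not Freeciv code: the attribute-chunk reassembler with
 * every field range-checked on its own before any combined arithmetic.
 * MAX_ATTRIBUTE_BLOCK is the value quoted above; CHUNK_DATA_MAX, the
 * per-packet payload size, is hypothetical. */
#include <stdlib.h>
#include <string.h>

#define MAX_ATTRIBUTE_BLOCK 262144
#define CHUNK_DATA_MAX      1024

typedef struct {
    int offset, total_length, chunk_length;
    unsigned char data[CHUNK_DATA_MAX];
} chunk_t;

typedef struct {
    unsigned char *data;
    int length;
} attr_block_t;

/* Same reaction as the original's "wrong attribute data" branch. */
static int reject(attr_block_t *blk)
{
    free(blk->data);
    blk->data = NULL;
    blk->length = 0;
    return -1;
}

/* Returns 0 when the chunk was copied into place, -1 when it was rejected.
 * Because chunk_length and offset are bounded individually first, the
 * "offset + chunk_length > total_length" test is evaluated on small
 * non-negative values and can no longer be slipped past with a negative
 * length or an offset near INT_MAX. */
static int handle_chunk(attr_block_t *blk, const chunk_t *c)
{
    if (c->total_length < 0 || c->total_length >= MAX_ATTRIBUTE_BLOCK)
        return reject(blk);
    if (c->chunk_length < 0 || c->chunk_length > CHUNK_DATA_MAX)
        return reject(blk);
    if (c->offset < 0 || c->offset > c->total_length)
        return reject(blk);
    if (c->chunk_length > c->total_length - c->offset)
        return reject(blk);
    if (c->offset != 0 && (blk->data == NULL || c->total_length != blk->length))
        return reject(blk);

    if (c->offset == 0) {             /* first chunk of a new block */
        free(blk->data);
        blk->data = malloc((size_t)c->total_length + 1);   /* +1: never malloc(0) */
        if (!blk->data)
            return reject(blk);
        blk->length = c->total_length;
    }
    memcpy(blk->data + c->offset, c->data, (size_t)c->chunk_length);
    return 0;
}

/* Feed one chunk whose payload is `len` bytes of `fill` (constructed). */
static int feed(attr_block_t *blk, int offset, int total, int len, char fill)
{
    chunk_t c;
    c.offset = offset;
    c.total_length = total;
    c.chunk_length = len;
    memset(c.data, fill, sizeof c.data);
    return handle_chunk(blk, &c);
}

/* Scenarios for the checks below; each returns 1 on the expected outcome. */
static int scenario_reassembles(void)
{
    attr_block_t b = { NULL, 0 };
    int ok = feed(&b, 0, 100, 60, 'A') == 0 && feed(&b, 60, 100, 40, 'B') == 0
             && b.length == 100 && b.data[59] == 'A' && b.data[60] == 'B';
    free(b.data);
    return ok;
}

static int scenario_negative_length(void)
{
    attr_block_t b = { NULL, 0 };
    return feed(&b, 0, 100, -1, 'X') == -1 && b.data == NULL;
}

static int scenario_huge_offset(void)
{
    attr_block_t b = { NULL, 0 };
    int ok = feed(&b, 0, 100, 60, 'A') == 0              /* a valid first chunk */
             && feed(&b, 0x7ffffff0, 100, 60, 'B') == -1 /* then the wrapping one */
             && b.data == NULL;
    free(b.data);
    return ok;
}
```

The order of the tests matters: offset is compared against total_length before the subtraction, so total_length - offset is always in [0, total_length], and chunk_length is compared against that difference rather than added to the offset. The original performs the addition first and inherits signed-overflow behaviour from it.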

[Full-disclosure] Buffer-overflow in recvTextMessage and NETrecvFile in Warzone Resurrection 2.0.3 (SVN 127)

2006-07-23 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Warzone Resurrection
  http://home.gna.org/warzone/
  (Warzone 2100 http://www.strategyplanet.com/warzone2100/)
Versions: <= 2.0.3 and SVN <= 127
Platforms:Windows, *nix, *BSD and others
Bug:  A] buffer-overflow in recvTextMessage
  B] buffer-overflow in NETrecvFile
Exploitation: A] remote, versus server
  B] remote, versus client
Date: 22 Jul 2006
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


Warzone 2100 is a well known commercial game developed by Pumpkin
Studios and released under the GPL license at the end of 2004.
Warzone Resurrection is the project which continues the development and
maintenance of this game.


###

==
2) Bug
==

-
A] buffer-overflow in recvTextMessage
-

recvTextMessage is the function used by the server for handling the
text messages sent by the clients.
This function uses the msg buffer, which has a size of 256
(MAX_CONSOLE_STRING_LENGTH) bytes, for containing the entire message to
send to all the other clients using the following format:

  player_name : message

The size of the data block can be max 8000 (MaxMsgSize) bytes so an
attacker can cause a buffer-overflow for crashing the server or
executing malicious code.

From src/multiplay.c:

BOOL recvTextMessage(NETMSG *pMsg)
{
DPID    dpid;
UDWORD  i;
STRING  msg[MAX_CONSOLE_STRING_LENGTH];

NetGet(pMsg,0,dpid);
for(i = 0; NetPlay.players[i].dpid != dpid; i++);
//findplayer

strcpy(msg,NetPlay.players[i].name);
// name
strcat(msg," : ");
// seperator
strcat(msg, &(pMsg->body[4]));
...


-
B] buffer-overflow in NETrecvFile
-

The NETrecvFile function used by the clients for downloading remote
files is affected by a buffer-overflow caused by the copying of a
string of max 255 bytes in the fileName buffer of only 128 bytes.

From lib/netplay/netplay.c:

UBYTE NETrecvFile(NETMSG *pMsg)
{
UDWORD  pos, fileSize, currPos, bytesRead;
char    fileName[128];
unsigned int    len;
static PHYSFS_file  *pFileHandle;

//read incoming bytes.
NetGet(pMsg,0,fileSize);
NetGet(pMsg,4,bytesRead);
NetGet(pMsg,8,currPos);

// read filename
len = (unsigned int)(pMsg->body[12]);
memcpy(fileName,&(pMsg->body[13]),len);
...


###

===
3) The Code
===


A]
modify sendTextMessage using a message of more than 256 bytes

B]
modify sendMap using a map of more than 128 bytes


###

==
4) Fix
==


SVN 128


###


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org

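Added example, not code from Warzone or OpenMPT, covering the two copies in the advisory above (recvTextMessage's strcpy/strcat into msg and NETrecvFile's length-byte memcpy into fileName) and the same length-prefixed pattern in ReadITProject from the OpenMPT advisory earlier on this page, with the DWORD length there instead of a byte. MAX_CONSOLE_STRING_LENGTH and the 128-byte fileName are the sizes quoted above; NAME_LEN and the packet layouts in the demos are constructed.

```c
/* Added example, not Warzone or OpenMPT code: the two copy patterns from
 * the recvTextMessage/NETrecvFile advisory above and ReadITProject's
 * length-prefixed names, done with bounds.  MAX_CONSOLE_STRING_LENGTH and
 * the 128-byte fileName are the sizes quoted above; the packet layouts in
 * the demos are constructed. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define MAX_CONSOLE_STRING_LENGTH 256
#define FILENAME_LEN              128
#define NAME_LEN                  32   /* hypothetical width of m_szNames[0] */

/* "player_name : message" into msg[msglen].  Where recvTextMessage chained
 * strcpy/strcat with no bound, snprintf truncates and reports it.
 * Returns 0 if everything fit, 1 if truncated, -1 on error. */
static int format_chat(char *msg, size_t msglen, const char *name,
                       const char *text)
{
    int n = snprintf(msg, msglen, "%s : %s", name, text);
    if (n < 0)
        return -1;
    return (size_t)n < msglen ? 0 : 1;
}

/* Read a length-prefixed string at body[pos]: `prefix` little-endian length
 * bytes (1 for NETrecvFile's filename, 4 for ReadITProject's DWORD), then
 * that many bytes.  The length is checked against both the packet and the
 * destination, which neither original did.  Returns the length or -1. */
static int read_lstring(const uint8_t *body, size_t bodylen, size_t pos,
                        unsigned prefix, char *dst, size_t dstlen)
{
    size_t len = 0, i;

    if (prefix == 0 || prefix > 4 || pos > bodylen || bodylen - pos < prefix)
        return -1;
    for (i = 0; i < prefix; i++)
        len |= (size_t)body[pos + i] << (8 * i);
    pos += prefix;
    if (len >= dstlen)                /* must leave room for the NUL */
        return -1;
    if (len > bodylen - pos)          /* claims more than the packet holds */
        return -1;
    memcpy(dst, body + pos, len);
    dst[len] = '\0';
    return (int)len;
}

/* Constructed NETrecvFile-style body: 12 header bytes, one length byte,
 * then a 19-byte name.  Returns the copied length or -1. */
static int demo_filename(uint8_t claimed_len)
{
    uint8_t body[13 + 19];
    char fileName[FILENAME_LEN];
    memset(body, 0, 12);
    body[12] = claimed_len;
    memcpy(body + 13, "rush-2p-skirmish.wz", 19);
    return read_lstring(body, sizeof body, 12, 1, fileName, sizeof fileName);
}

/* Constructed ITP-style field: 4-byte little-endian length, then 8 bytes. */
static int demo_itp_name(uint32_t claimed_len)
{
    uint8_t stream[4 + 8];
    char name[NAME_LEN];
    stream[0] = (uint8_t)claimed_len;
    stream[1] = (uint8_t)(claimed_len >> 8);
    stream[2] = (uint8_t)(claimed_len >> 16);
    stream[3] = (uint8_t)(claimed_len >> 24);
    memcpy(stream + 4, "SongName", 8);
    return read_lstring(stream, sizeof stream, 0, 4, name, sizeof name);
}

/* Chat line with a text of text_len 'x' bytes (up to MaxMsgSize, 8000). */
static int demo_chat(size_t text_len)
{
    char text[8000 + 1], msg[MAX_CONSOLE_STRING_LENGTH];
    if (text_len > 8000)
        return -1;
    memset(text, 'x', text_len);
    text[text_len] = '\0';
    return format_chat(msg, sizeof msg, "Commander", text);
}

int main(void)
{
    printf("filename len 19: %d, 200: %d, 25: %d\n",
           demo_filename(19), demo_filename(200), demo_filename(25));
    printf("itp name 8: %d, 0xffffffff: %d\n",
           demo_itp_name(8), demo_itp_name(0xffffffffu));
    printf("chat 10: %d, chat 8000: %d\n", demo_chat(10), demo_chat(8000));
    return 0;
}
```

Two bounds are needed for every length-prefixed field, not one: the destination size stops the stack overflow the advisory describes, and the remaining-packet size stops the copy from reading past the end of the received buffer when the length claims more than was sent.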


[Full-disclosure] Buffer-overflow in the XM loader of Cheese Tracker 0.9.9

2006-07-23 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Cheese Tracker
  http://reduz.com.ar/cheesetracker/
  http://sourceforge.net/projects/cheesetronic
Versions: <= 0.9.9 and current CVS
Platforms:*nix and others
Bug:  buffer-overflow in Loader_XM::load_instrument_internal
Exploitation: local
Date: 23 Jul 2006
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


Cheese Tracker is a well known music tracker for the CT, IT, XM and S3M
file formats.


###

==
2) Bug
==


The XM loader used by Cheese Tracker is affected by a buffer-overflow
vulnerability which happens when it tries to store the exceeding data
available in the input file in the junkbuster buffer of only 500 bytes.

From cheesetracker/loaders/loader_xm.cpp:

Loader::Error Loader_XM::load_instrument_internal(Instrument *p_instr,bool p_xi,int p_cpos, int p_hsize, int p_sampnum) {
...
if (!p_xi) {

if ((reader.get_file_pos()-p_cpos)


###

===
3) The Code
===


http://aluigi.org/poc/cheesebof.zip


###

==
4) Fix
==


No fix.
No reply from the developers.


###


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org



[Full-disclosure] Multiple vulnerabilities in UFO2000 svn 1057

2006-07-16 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  UFO2000
  http://ufo2000.sourceforge.net
Versions: <= SVN 1057
Platforms:Windows, *nix, *BSD, Mac and more
Bugs: A] buffer-overflow in recv_add_unit
  B] invalid memory access in decode_stringmap
  C] possible code execution through arrays
  D] SQL injection
  E] mapdata global buffer overflow
Exploitation: A] remote, versus client
  B] remote, versus server
  C] remote, versus client
  D] remote, versus server
  E] remote, versus client
Date: 16 Jul 2006
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


UFO2000 is a multiplayer turn based game based on the X-COM series.


###

===
2) Bugs
===

---
A] buffer-overflow in recv_add_unit
---

The command used for adding units (just the first command used at the
beginning of the challenge) is affected by a buffer-overflow
vulnerability which happens during the copying of the incoming data to
the name buffer of only 26 bytes.

From multiplay.cpp:

int Net::recv_add_unit()
{
int num;
char name[26];
int cost;

pkt >> num;
pkt >> name;
...



---
B] invalid memory access in decode_stringmap
---

When a packet is received the server calls decode_stringmap, which
reads the number of entries (keys and values) contained in the incoming
data block and then reads each of them.
There are two problems here:
- invalid size values can lead to reading the unallocated memory after
  the packet and to the subsequent crash of the server (for example
  keysize says to read 100 bytes while the packet is only 2 bytes long)
- the server terminates if keysize or valsize are too big and cannot be
  allocated by the resize function

From server_transport.cpp:

bool decode_stringmap(std::map<std::string, std::string> &info, const void *buffer)
{
const unsigned char *p = (const unsigned char *)buffer;
unsigned int num = decode_unsigned_int(p);

while (num--) {
unsigned int keysize = decode_unsigned_int(p);
unsigned int valsize = decode_unsigned_int(p);
std::string key;
key.resize(keysize);
std::string val;
val.resize(valsize);
for (unsigned int i = 0; i < keysize; i++)
key[i] = decode_unsigned_char(p);
for (unsigned int i = 0; i < valsize; i++)
val[i] = decode_unsigned_char(p);
info[key] = val;
}
return true;
}
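The following is an added example (not UFO2000's code) of how the same map can be decoded while tracking the bytes actually left in the packet, so that a keysize or valsize not backed by real data, or above a sanity cap, is rejected instead of being read from memory past the packet. It assumes 4-byte little-endian integers and constructed caps of 1024 entries and 4096 bytes per string; the advisory does not show the real encoding or limits.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <map>
#include <string>
#include <vector>

// Caps chosen for this example (constructed values, not from UFO2000): they
// stop a hostile keysize/valsize from driving std::string::resize() into a
// huge allocation, which is what terminates the server in the advisory.
static const uint32_t kMaxEntries    = 1024;
static const uint32_t kMaxStringSize = 4096;

// Cursor over the received packet. Unlike decode_unsigned_int(p), which only
// advances a pointer, every read here is checked against the bytes that remain.
struct PacketCursor {
    const unsigned char *p;
    size_t remaining;

    // Assumption: integers are 4-byte little-endian; the advisory does not
    // show the encoding decode_unsigned_int actually uses.
    bool read_u32(uint32_t &v) {
        if (remaining < 4) return false;
        v = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
            ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
        p += 4; remaining -= 4;
        return true;
    }
    bool read_bytes(std::string &out, size_t n) {
        if (remaining < n) return false;
        out.assign(reinterpret_cast<const char *>(p), n);
        p += n; remaining -= n;
        return true;
    }
};

// Bounds-checked counterpart of decode_stringmap: the caller passes the packet
// length, and any declared size that is not backed by real bytes is rejected
// instead of being read from memory past the packet.
bool decode_stringmap_checked(std::map<std::string, std::string> &info,
                              const void *buffer, size_t length) {
    PacketCursor c = { static_cast<const unsigned char *>(buffer), length };
    uint32_t num;
    if (!c.read_u32(num) || num > kMaxEntries) return false;
    while (num--) {
        uint32_t keysize, valsize;
        if (!c.read_u32(keysize) || !c.read_u32(valsize)) return false;
        if (keysize > kMaxStringSize || valsize > kMaxStringSize) return false;
        std::string key, val;
        if (!c.read_bytes(key, keysize) || !c.read_bytes(val, valsize)) return false;
        info[key] = val;
    }
    return true;
}

// --- constructed sample packets -------------------------------------------

static void put_u32(std::vector<unsigned char> &out, uint32_t v) {
    for (int i = 0; i < 4; i++) out.push_back((unsigned char)(v >> (8 * i)));
}

// Well-formed map with one entry: "name" -> "player1".
static std::vector<unsigned char> sample_valid_packet() {
    std::vector<unsigned char> pkt;
    put_u32(pkt, 1);
    put_u32(pkt, 4); put_u32(pkt, 7);
    const char *k = "name", *v = "player1";
    pkt.insert(pkt.end(), k, k + 4);
    pkt.insert(pkt.end(), v, v + 7);
    return pkt;
}

// The advisory's first case: keysize claims 100 bytes but only 2 follow.
static std::vector<unsigned char> sample_truncated_packet() {
    std::vector<unsigned char> pkt;
    put_u32(pkt, 1);
    put_u32(pkt, 100); put_u32(pkt, 0);
    pkt.push_back('a'); pkt.push_back('b');
    return pkt;
}

// The advisory's second case: sizes far too large to allocate.
static std::vector<unsigned char> sample_huge_packet() {
    std::vector<unsigned char> pkt;
    put_u32(pkt, 1);
    put_u32(pkt, 0xFFFFFFFFu); put_u32(pkt, 0xFFFFFFFFu);
    return pkt;
}

bool demo_valid_decodes() {
    std::map<std::string, std::string> info;
    std::vector<unsigned char> pkt = sample_valid_packet();
    return decode_stringmap_checked(info, pkt.data(), pkt.size())
        && info.size() == 1 && info["name"] == "player1";
}

bool demo_truncated_rejected() {
    std::map<std::string, std::string> info;
    std::vector<unsigned char> pkt = sample_truncated_packet();
    return !decode_stringmap_checked(info, pkt.data(), pkt.size());
}

bool demo_huge_rejected() {
    std::map<std::string, std::string> info;
    std::vector<unsigned char> pkt = sample_huge_packet();
    return !decode_stringmap_checked(info, pkt.data(), pkt.size());
}
```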


-
C] possible code execution through arrays
-

Some commands can be used to crash the remote client/opponent through
invalid values (too big or negative) used as indexes into the internal
arrays of the game.
Another effect is the possibility of executing malicious code: the game
uses large numbers (usually signed 32-bit values) as indexes, which can
reach any location in memory, and these commands then write the data
contained in the packet into that location, as happens with
"pkt >> scenario->rules[index]" where our 32-bit number (pkt >>) is
copied to the location chosen by us through index.

These commands are recv_rules, recv_select_unit (select_unit only
checks whether num is too big, not whether it is negative),
recv_options and recv_unit_data (with a negative value or a value
smaller than 19).

From multiplay.cpp:

int Net::recv_rules()
{
int index;

pkt >> index;
pkt >> scenario->rules[index];
...



---
D] SQL injection
---

The server uses an internal SQL database for handling accounts and
other information about the matches.
Where the user's input is placed in a query using the %s format
argument instead of %q, it may be possible to inject SQL commands into
the query prepared by the server.

From server_protocol.cpp:

bool ServerClientUfo::recv_packet(NLuint id, const std::string &raw_packet)
...
case SRV_GAME_REPLAY_REQUEST: {
send_packet_back(SRV_GAME_RECOVERY_START, "1");
try {
debug_game_id = atol(packet.c_str());
sqlite3::reader reader=db_conn.executereader("select command, 
packet_type, id from ufo2000_game_packets where game=%s order by id;&

[Full-disclosure] Various heap and stack overflow bugs in AdPlug library 2.0 (CVS 04 Jul 2006)

2006-07-06 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  AdPlug
  http://adplug.sourceforge.net
Versions: <= 2.0 and CVS <= 04 Jul 2006
Platforms:Windows, DOS, *nix, *BSD and more
Bugs: A] heap overflow in the unpacking of CFF files
  B] heap overflow in the unpacking of MTK files
  C] heap overflow in the unpacking of DMO files
  D] buffer-overflow in DTM files
  E] buffer-overflow in S3M files
  F] heap overflow in the unpacking of U6M files
Exploitation: local
Date: 06 Jul 2006
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


AdPlug is an open source library used for playing many Adlib file
formats.
It also includes some programs and plugins for Winamp and XMMS.


###

===
2) Bugs
===


The library is affected by various heap and stack overflow
vulnerabilities.
As the types of bugs suggest, almost all the unpacking routines don't
verify the size of the destination buffers and trust the values
provided by the files themselves, which are used for allocating the
needed buffers (except for CFF files, where the buffer has a fixed
size).
The following are the affected parts of the code:


--
A] heap overflow in the unpacking of CFF files
--

From cff.cpp:

bool CcffLoader::load(const std::string &filename, const CFileProvider &fp)
...
f->readString(header.id, 16);
header.version = f->readInt(1); header.size = f->readInt(2);
header.packed = f->readInt(1); f->readString((char *)header.reserved, 12);
if (memcmp(header.id,"""\x1A\xDE\xE0",16))
  { fp.close(f); return false; }

unsigned char *module = new unsigned char [0x1];

// packed ?
if (header.packed)
{
cff_unpacker *unpacker = new cff_unpacker;

unsigned char *packed_module = new unsigned char [header.size + 4];

memset(packed_module,0,header.size + 4);

f->readString((char *)packed_module, header.size);
fp.close(f);

if (!unpacker->unpack(packed_module,module))
...


--
B] heap overflow in the unpacking of MTK files
--

From mtk.cpp:

bool CmtkLoader::load(const std::string &filename, const CFileProvider &fp)
...
// read header
f->readString(header.id, 18);
header.crc = f->readInt(2);
header.size = f->readInt(2);

// file validation section
if(strncmp(header.id,"[EMAIL PROTECTED]",18))
  { fp.close(f); return false; }

// load section
cmpsize = fp.filesize(f) - 22;
cmp = new unsigned char[cmpsize];
org = new unsigned char[header.size];
for(i = 0; i < cmpsize; i++) cmp[i] = f->readInt(1);
fp.close(f);

while(cmpptr < cmpsize) {   // decompress
...


--
C] heap overflow in the unpacking of DMO files
--

From dmo.cpp:

#define ARRAY_AS_WORD(a, i) ((a[i + 1] << 8) + a[i])
...
bool CdmoLoader::load(const std::string &filename, const CFileProvider &fp)
  ...
  // get file size
  long packed_length = fp.filesize(f);
  f->seek(0);

  unsigned char *packed_module = new unsigned char [packed_length];

  // load file
  f->readString((char *)packed_module, packed_length);
  fp.close(f);

  // decrypt
  unpacker->decrypt(packed_module,packed_length);

  long unpacked_length = 0x2000 * ARRAY_AS_WORD(packed_module, 12);
  unsigned char *module = new unsigned char [unpacked_length];

  // unpack
  if (!unpacker->unpack(packed_module+12,module))
  ...


---
D] buffer-overflow in DTM files
---

From dtm.cpp:

bool CdtmLoader::load(const std::string &filename, const CFileProvider &fp)
...
char bufstr[80];

for (i=0;i<16;i++)
{
// get line length
unsigned char bufstr_length = f->readInt(1);

// read line
if (bufstr_length)
{
f->readString(bufstr,bufstr_length);

for (j=0;j
...


---
E] buffer-overflow in S3M files
---

From s3m.cpp:

bool Cs3mPlayer::load(const std::string &filename, const CFileProvider &fp)
  ...
  unsigned short insptr[99],pattptr[99];
  ...
  f->seek(checkhead->ordnum, binio::Add);
  for(i = 0; i < checkhead->insnum; i++)
ins

[Full-disclosure] Possible code execution in Kaillera 0.86

2006-07-06 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Kaillera
  http://www.kaillera.com
Versions: <= 0.86
Platforms:Windows, Linux and FreeBSD
Bug:  buffer-overflow
Exploitation: remote, versus server
Date: 06 Jul 2006
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


Kaillera is a middleware software for implementing network capabilities
in emulators like MAME, MameLang32+, Bliss, NESten, Jnes, Nemu64,
Modeler, Gens, WinUAE, PCAE, Kawaks and possibly others.
Although the latest server version was released over 4 years ago it's
still widely used, as demonstrated by the online server lists.


###

==
2) Bug
==


Almost all the Kaillera messages are handled by first reading a NULL
terminated string and then reading the remaining data of the message
(its content will be parsed in another step).
For these operations Kaillera uses a static buffer of 32 bytes and a
data buffer which is reallocated every time the size of the client
message is bigger than the currently allocated size of the buffer.
The instructions which handle these types of messages start at about
offset 004019f1 of the Windows server 0.86:

004019F1  |. 33C9   XOR ECX,ECX
004019F3  |. 8A06   MOV AL,BYTE PTR DS:[ESI]
004019F5  |. 57 PUSH EDI
004019F6  |. 84C0   TEST AL,AL
004019F8  |. 74 0C  JE SHORT KAILLERA.00401A06
004019FA  |> 46 /INC ESI
004019FB  |. 88440B 04  |MOV BYTE PTR DS:[EBX+ECX+4],AL
004019FF  |. 41 |INC ECX
00401A00  |. 8A06   |MOV AL,BYTE PTR DS:[ESI]
00401A02  |. 84C0   |TEST AL,AL
00401A04  |.^75 F4  \JNZ SHORT KAILLERA.004019FA
00401A06  |> 8B6C24 18  MOV EBP,DWORD PTR SS:[ESP+18]
00401A0A  |. C64419 04 00   MOV BYTE PTR DS:[ECX+EBX+4],0
00401A0F  |. 2BE9   SUB EBP,ECX
00401A11  |. 8BCB   MOV ECX,EBX
00401A13  |. 83ED 02SUB EBP,2
00401A16  |. 55 PUSH EBP
00401A17  |. E8 D4FCCALL KAILLERA.004016F0
00401A1C  |. 8B7B 24MOV EDI,DWORD PTR DS:[EBX+24]
00401A1F  |. 8BCD   MOV ECX,EBP
00401A21  |. 8BD1   MOV EDX,ECX
00401A23  |. 46 INC ESI
00401A24  |. C1E9 02SHR ECX,2
00401A27  |. F3:A5  REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>

which translates (more or less) into C like the following code:

static char nick[32],
*data;
...
int nick_size,
data_size;

for(nick_size = 0; *client_msg; nick_size++, client_msg++) {
nick[nick_size] = *client_msg;
}
nick[nick_size] = 0;
client_msg++;
data_size = (client_msg_size - nick_size) - 2;
data  = 004016f0(data_size);// realloc data if needed
memcpy(data, client_msg, data_size);

...

004016f0(int size) {
if(size <= data_alloc_size) return;
do {
data_alloc_size <<= 1;
} while(size > data_alloc_size);
data = realloc(data, data_alloc_size);
}

If an attacker uses a nickname longer than 32 bytes he can overwrite
the address of the data buffer and the value in which its actual
allocated size is stored; the following scheme shows that piece of
memory:

 [ nick (32 bytes) ][ data pointer ][ data_alloc_size ]
  |                  |               |
  |                  |               amount of data currently allocated
  |                  pointer to the data buffer
  static buffer of 32 bytes

By overwriting the allocated-size value we can bypass the first check
made by the function at offset 004016f0, which reallocs the buffer only
if needed, since we control the value it compares against; then we can
decide where the rest of our message is copied in the memory of the
server, since the address of the data buffer is controlled by us too.
That leads to the possibility of executing malicious code.
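As an added example (not Kaillera's code), the following is a bounded version of the message handling translated above: the nickname is searched for only inside the received message and refused when it does not fit in the 32-byte buffer, so the adjacent data pointer and allocated-size field can no longer be overwritten, and the doubling reallocation checks for wrap-around and allocation failure. The message layout (NUL-terminated nick followed by the payload) and the 64-byte starting allocation are assumptions.

```cpp
#include <climits>
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>

enum { NICK_SIZE = 32 };

// The three fields the advisory shows next to each other in memory: the
// 32-byte nick buffer, the data pointer and the allocated size of the data.
struct ClientState {
    char nick[NICK_SIZE];
    unsigned char *data;
    size_t data_alloc_size;
};

// Grow-by-doubling in the spirit of the routine at 004016f0. The size it
// compares against can no longer have been clobbered by the nick copy, the
// doubling cannot wrap around, and a failed realloc is reported instead of
// leaving a dangling pointer. The 64-byte starting size is an assumption.
static bool ensure_data_capacity(ClientState *st, size_t size) {
    if (st->data && size <= st->data_alloc_size) return true;
    size_t cap = st->data_alloc_size ? st->data_alloc_size : 64;
    while (cap < size) {
        if (cap > SIZE_MAX / 2) return false;
        cap <<= 1;
    }
    unsigned char *p = (unsigned char *)realloc(st->data, cap);
    if (!p) return false;
    st->data = p;
    st->data_alloc_size = cap;
    return true;
}

// Bounded version of the message handling. Assumed layout: a NUL-terminated
// nickname followed by the payload. Returns the number of payload bytes
// stored, or -1 for a message that must not be processed.
int handle_client_message(ClientState *st, const unsigned char *msg, size_t msg_len) {
    // Look for the terminator only inside the message; the original loop runs
    // until it meets a NUL, however far past the message that is.
    const unsigned char *nul = (const unsigned char *)memchr(msg, 0, msg_len);
    if (!nul) return -1;
    size_t nick_len = (size_t)(nul - msg);
    // Leave room for the terminator: nothing can spill into data/data_alloc_size.
    if (nick_len >= NICK_SIZE) return -1;
    memcpy(st->nick, msg, nick_len);
    st->nick[nick_len] = '\0';

    size_t consumed = nick_len + 1;          // nick plus its terminator
    size_t data_size = msg_len - consumed;   // cannot underflow: consumed <= msg_len
    // (The server subtracts 2 rather than 1 here; the advisory does not say
    // what the extra byte is, so this example does not reproduce it.)
    if (data_size > INT_MAX) return -1;
    if (!ensure_data_capacity(st, data_size)) return -1;
    memcpy(st->data, msg + consumed, data_size);
    return (int)data_size;
}

// --- constructed messages --------------------------------------------------

// "player", NUL, five payload bytes.
bool demo_normal_message() {
    ClientState st = { {0}, NULL, 0 };
    const unsigned char msg[] = "player\0hello";
    int n = handle_client_message(&st, msg, sizeof msg - 1);   // drop the literal's final NUL
    bool ok = n == 5 && strcmp(st.nick, "player") == 0
              && memcmp(st.data, "hello", 5) == 0 && st.data_alloc_size >= 5;
    free(st.data);
    return ok;
}

// A 40-byte nick: in the original this runs over the pointer and size fields;
// here the message is refused before anything is copied or allocated.
bool demo_long_nick_rejected() {
    ClientState st = { {0}, NULL, 0 };
    unsigned char msg[48];
    memset(msg, 'A', 40);
    msg[40] = '\0';
    memset(msg + 41, 'x', 7);
    int n = handle_client_message(&st, msg, sizeof msg);
    return n == -1 && st.data == NULL && st.nick[0] == '\0';
}

// No terminator at all: the original keeps scanning past the message.
bool demo_unterminated_rejected() {
    ClientState st = { {0}, NULL, 0 };
    const unsigned char msg[] = { 'a', 'b', 'c' };
    return handle_client_message(&st, msg, sizeof msg) == -1;
}
```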


###

===
3) The Code
===


http://aluigi.org/poc/kailleraex.zip


###

==
4) Fix
==


The developers will release a new version soon


###


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org



[Full-disclosure] Format string bug in Sparklet 0.9.4try3

2006-07-06 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Sparklet
  http://sparklet.sourceforge.net
Versions: <= 0.9.4try3
Platforms:Windows, *nix, *BSD and more
Bug:  format string in client's display
Exploitation: remote, versus clients
Date: 06 Jul 2006
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


Sparklet is a nice multiplayer 2d shooting game released under the GPL
license.


###

==
2) Bug
==


The game is affected by a format string vulnerability located in the
function which displays the text strings on the client screen during
the match.
The problem is located in agl_text.cpp, where the "%s" format argument
is missing:

void WriteText(const Point &DstLoc, const std::string &Text, const int 
&Font, const ULONG &Color) {
...
allegro_gl_printf_ex(fnt, x, y, 0, Text.c_str());
...

Through this bug an attacker acting as a server or as a client (the
server itself is not vulnerable since it simply forwards all the
received data to all the clients connected to it) can crash or execute
malicious code on any client which is playing on the server.


###

===
3) The Code
===


Use the nickname %n%n%n%n%n


###

==
4) Fix
==


A new version will be released soon


###


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org



[Full-disclosure] Re: Files and cvars overwriting in Quake 3 engine (1.32c / rev 803 / ...)

2006-06-28 Thread Luigi Auriemma

A small correction:

The cd-key stealing is not possible since the master server address is
built into the client code.
Sorry for this wrong info, I added it almost two weeks ago while taking
note of the possible ways of exploiting these bugs and forgot to
recheck this method.

I have updated the proof-of-concept by simply adding the cl_allowdownload
cvar, so it is no longer needed to enable "Automatic Downloading" on the
client, since any client with this option disabled or enabled will start
to overwrite any file in the system decided by the attacker's server,
which has full control over the client's cvars (the write-protected
ones too, just like fs_homepath).

As already said the PoC is very, very basic: relaunch the server or
change map if you want to re-overwrite the same file on the same client
(useless info, I mention it only in case you are not able to re-overwrite
the same file during the same server session and don't know why).


BYEZ


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org



[Full-disclosure] Files and cvars overwriting in Quake 3 engine (1.32c / rev 803 / ...)

2006-06-27 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Quake 3 engine
  http://www.idsoftware.com
  http://www.icculus.org/quake3/
Versions: Quake 3   <= 1.32c
  Icculus.org Quake 3   <= revision 803
  other derived projects
Games:many games use the Quake 3 engine and probably they
  are all vulnerable, but I'm not able and have no time
  to test them.
  An enough complete list of these games is available here:
http://en.wikipedia.org/wiki/Quake_III_engine#Uses_of_the_engine
Platforms:Windows, *nix, *BSD, Mac and others
Bugs: A] files overwriting through Automatic Downloading
  B] cvars overwriting with possible information stealing
Exploitation: remote, versus client
Date: 27 Jun 2006
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


The Quake 3 engine is the famous game engine developed by id Software
(http://www.idsoftware.com) back in 1999, but it is still one of the
most used, licensed and played engines.
It was released as open source under the GPL license some months ago
and is now mainly maintained by Icculus
(http://www.icculus.org/quake3/), although many other derived projects
exist.


###

===
2) Bugs
===

--
A] files overwriting through Automatic Downloading
--

The Quake 3 engine supports an option called "Automatic Downloading"
which allows the clients to automatically download the PK3 files (maps
and mods) available on the server but not locally.

This option is disabled by default for security reasons, and Icculus
Quake 3 is currently the only version of the engine which uses an
anti-directory-traversal check to avoid the overwriting of system
files.
However, this check can be bypassed through bug B described in this
advisory, so an attacker can overwrite any file on any disk of the
computer on which Quake 3 is running.

The following is a short description of the mechanism used by the "Auto
Downloading" option for downloading a PK3 file from a server:
- the server sends the list of the checksums and names of the PK3 files
  currently in use: sv_referencedPaks and sv_referencedPakNames; this
  information (cvars) is contained in the systemInfo string
- the client compares the server's filenames and checksums with its own
- every unavailable or different PK3 file is added to the neededpaks
  buffer using the Q_strcat function (to avoid possible
  buffer-overflow vulnerabilities), with a limit of 64 chars for each
  filename and the .pk3 extension added to each remote and local
  filename, following the format: @remotename.pk3@localname.pk3
- the client starts to automatically download each file (remotename),
  saves it (localname) with the temporary .tmp extension and then
  renames it with the name available in the localname field seen before

Because Q_strcat stops at the buffer limit, a malicious server can
prevent the .pk3 extension (needed for security reasons) from being
added to the last filename of the neededpaks buffer if the length of
1023 bytes is reached:

  @remotename.pk3@localname.pk3@remotename.pk3@localname

So the last .pk3 extension of the local filename is not added if the
total length of the string reaches this limit; that's the whole bug.

The client truncates the filenames to a maximum of 64 bytes before
adding the .pk3 extension, so we need to specify some useless files
before our target file in order to reach the 1023-byte limit.

The result is that a malicious server can overwrite all the files
contained in the folder pointed to by the fs_homepath cvar of the
client, or can create new files with any possible extension.
By default fs_homepath (where the configuration files, the PunkBuster
files and others are stored) is the ~/.q3a folder on Linux and the
Quake 3 folder on Windows BUT, as hinted before, we can modify it
through vulnerability B which follows.
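The following is an added example (this example's own code, not the engine's) that reproduces the list building with a truncating Q_strcat and shows two defences a client can apply: refusing to append an entry unless the whole "@remote.pk3@local.pk3" fragment fits, and validating the finished list so that any name without the .pk3 extension (or containing path separators) is rejected before a download starts. The truncating Q_strcat semantics, the 1024-byte buffer and the 64-character name limit are taken from the description above; the exact engine code is not reproduced.

```cpp
#include <cstddef>
#include <cstring>
#include <string>
#include <vector>

// Limits as described in the advisory: a 1024-byte neededpaks buffer (so at
// most 1023 characters) and filenames cut at 64 characters.
static const size_t NEEDED_PAKS_SIZE = 1024;
static const size_t MAX_PAK_NAME = 64;

// Assumed Q_strcat behaviour (this example's own implementation, not the
// engine's): append as much of src as fits and silently drop the rest.
static void q_strcat_trunc(char *dest, size_t size, const char *src) {
    size_t used = strlen(dest);
    if (used >= size) return;
    strncpy(dest + used, src, size - used - 1);
    dest[size - 1] = '\0';
}

// Reconstruction of the client-side list building: "@remote.pk3@local.pk3"
// per pak the client lacks, each name truncated to 64 characters first.
std::string build_neededpaks(const std::vector<std::string> &missing) {
    char neededpaks[NEEDED_PAKS_SIZE];
    neededpaks[0] = '\0';
    for (size_t i = 0; i < missing.size(); i++) {
        std::string name = missing[i].substr(0, MAX_PAK_NAME);
        q_strcat_trunc(neededpaks, sizeof neededpaks, "@");
        q_strcat_trunc(neededpaks, sizeof neededpaks, name.c_str());
        q_strcat_trunc(neededpaks, sizeof neededpaks, ".pk3");
        q_strcat_trunc(neededpaks, sizeof neededpaks, "@");
        q_strcat_trunc(neededpaks, sizeof neededpaks, name.c_str());
        q_strcat_trunc(neededpaks, sizeof neededpaks, ".pk3");
    }
    return std::string(neededpaks);
}

// Same builder, but an entry is only appended when the whole
// "@remote.pk3@local.pk3" fragment fits; a partial entry is never written.
std::string build_neededpaks_checked(const std::vector<std::string> &missing) {
    std::string out;
    for (size_t i = 0; i < missing.size(); i++) {
        std::string name = missing[i].substr(0, MAX_PAK_NAME);
        std::string entry = "@" + name + ".pk3@" + name + ".pk3";
        if (out.size() + entry.size() > NEEDED_PAKS_SIZE - 1) break;
        out += entry;
    }
    return out;
}

static bool ends_with_pk3(const std::string &s) {
    return s.size() > 4 && s.compare(s.size() - 4, 4, ".pk3") == 0;
}

// Validation a client should run on the list before downloading anything:
// every remote and local name carries the .pk3 extension and contains no
// path separators or "..", which is what the truncation lets through.
bool neededpaks_well_formed(const std::string &list) {
    if (list.empty() || list[0] != '@') return false;
    std::vector<std::string> fields;
    size_t start = 1;
    while (start <= list.size()) {
        size_t at = list.find('@', start);
        if (at == std::string::npos) at = list.size();
        fields.push_back(list.substr(start, at - start));
        start = at + 1;
    }
    if (fields.size() % 2 != 0) return false;         // remote/local pairs only
    for (size_t i = 0; i < fields.size(); i++) {
        const std::string &f = fields[i];
        if (!ends_with_pk3(f)) return false;
        if (f.find('/') != std::string::npos || f.find('\\') != std::string::npos
            || f.find("..") != std::string::npos) return false;
    }
    return true;
}

// Two maps really missing: both builders produce the same clean list.
bool demo_short_list_ok() {
    std::vector<std::string> missing;
    missing.push_back("pak0");
    missing.push_back("mymap");
    return neededpaks_well_formed(build_neededpaks(missing))
        && build_neededpaks(missing) == build_neededpaks_checked(missing);
}

// Eight 60-character names (130 bytes per entry): entry 8 crosses the 1023
// limit, so the last local name is cut and its ".pk3" is dropped, which the
// validator refuses; the checked builder stops at seven complete entries.
bool demo_overflow_detected() {
    std::vector<std::string> missing(8, std::string(60, 'x'));
    std::string raw = build_neededpaks(missing);
    std::string checked = build_neededpaks_checked(missing);
    return raw.size() == NEEDED_PAKS_SIZE - 1 && !neededpaks_well_formed(raw)
        && checked.size() == 7 * 130 && neededpaks_well_formed(checked);
}
```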


---
B] cvars overwriting with possible information stealing
---

The same string sent by the server containing the sv_referencedPaks and
sv_referencedPakNames cvars (variables) described in the previous bug
contains also many other cvars which are automatically set on the
client when the player joins the server (this is a fixed feature of the
engine, cannot be disabled and is not related to the Autom

[Full-disclosure] Client buffer-overflow in Quake 3 engine (1.32c / rev 795)

2006-06-04 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Quake 3 engine
  http://www.idsoftware.com
  http://www.icculus.org/quake3/
Versions: Quake 3   <= 1.32c
  Icculus.org Quake 3   <= revision 795
  other derived projects
Games:many games use the Quake 3 engine and probably they
  are all vulnerable, but I'm not able and have no time
  to test them.
  An enough complete list of these games is available here:
http://en.wikipedia.org/wiki/Quake_III_engine#Uses_of_the_engine
Platforms:Windows, *nix, *BSD, Mac and others
Bug:  buffer-overflow in CL_ParseDownload
Exploitation: remote, versus client
Date: 02 Jun 2006
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


The Quake 3 engine is the famous game engine developed by id Software
(http://www.idsoftware.com) back in 1999, but it is still one of the
most used, licensed and played engines.
It was released as open source under the GPL license some months ago
and is now mainly maintained by Icculus
(http://www.icculus.org/quake3/), although many other derived projects
exist.


###

==
2) Bug
==


The CL_ParseDownload function located in code/client/cl_parse.c is used
by the clients for handling the download commands (svc_download)
received from the server.

The function uses a signed 16 bit number sent by the server for copying
raw data from the network to the data buffer of 16384 (MAX_MSGLEN)
bytes:

void CL_ParseDownload ( msg_t *msg ) {
int size;
unsigned char data[MAX_MSGLEN];
...
size = MSG_ReadShort ( msg );
if (size > 0)
MSG_ReadData( msg, data, size );
...

Some interesting details:
The (reassembled) packets handled by Quake 3 can be at most 16384 bytes,
but it is possible to bypass this limit through the Huffman compression
used automatically and transparently by the engine (thanks to Thilo
Schulz).
In short, for exploiting this bug it is enough to use 16384 NULL (0x00)
bytes, which occupy a very small amount of space, followed by the
usual "stuff" (return address to overwrite and shellcode).
The data copied with MSG_ReadData is raw, so there are no bad bytes to
avoid for the exploitation.
Note that svc_download can be sent to the client at any moment, so the
client can also be attacked immediately after the end of the connect
handshake (in the very first server message).


###

===
3) The Code
===


The server must be modified to send the malformed svc_download
command; the following instructions demonstrate how to overwrite the
return address with 0x61616161.
It's enough to place them in code/server/sv_client.c just after the
"// send the gamestate" comment at about line 575:

// send the gamestate
int i;
MSG_WriteByte( &msg, svc_download );
MSG_WriteShort( &msg, -1 ); // block != 0, for fast return
MSG_WriteShort( &msg, 16384 + 32 ); // amount of bytes to copy
for(i = 0; i < 16384; i++) {// overwrite the data buffer
MSG_WriteByte(&msg, 0x00);  // 0x00 for saving space
}
for(i = 0; i < 32; i++) {   // do the rest of the job
MSG_WriteByte(&msg, 'a');   // return address: 0x61616161
}
SV_SendMessageToClient( &msg, client );
return;


###

==
4) Fix
==


Icculus will fix the code soon.
I have tried to contact id Software too but it's only wasted time...
The developers of the other derived projects and games have not been
contacted (almost all the games are no longer supported and it would
take me too long to find and contact each single developer of the
other open source projects).


###


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org



[Full-disclosure] Buffer-overflow in the WebTool service of PunkBuster for servers (minor than v1.229)

2006-05-23 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  PunkBuster
  http://www.punkbuster.com
Versions: PunkBuster for servers, versions lower than v1.229:
America's Army  <= v1.228
Battlefield 1942<= v1.158
Battlefield 2   <= v1.184
Battlefield Vietnam <= v1.150
Call of Duty<= v1.173
Call of Duty 2  <= v1.108
DOOM 3  <= v1.159
Enemy Territory <= v1.167
Far Cry <= v1.150
F.E.A.R.<= v1.093
Joint Operations<= v1.187
Quake III Arena <= v1.150
Quake 4 <= v1.181
Rainbow Six 3: Raven Shield <= v1.169
Rainbow Six 4: Lockdown <= v1.093
Return to Castle Wolfenstein<= v1.175
Soldier of Fortune II   <= v1.183
Platforms:Win32, Linux and Mac
Bug:  buffer overflow in the built-in web server for the remote
  server's administration (WebTool)
Exploitation: remote, versus server
Date: 23 May 2006
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


PunkBuster is the anti-cheat system developed by Even Balance
(http://www.evenbalance.com), officially used and distributed in
almost all the most played and famous commercial multiplayer FPS games.


###

==
2) Bug
==


PunkBuster contains a built-in HTTP server called WebTool for allowing
the admins to manage their game servers remotely through a normal web
browser:

  http://www.evenbalance.com/publications/admins/#webtool

This web server is not enabled by default but must be activated by
selecting the TCP port on which the service runs, using the command:
pb_sv_httpport PORT

The authentication mechanism is handled through a parameter called
webkey followed by the password and sent by the client using the POST
method or directly in the URL.

A webkey longer than 1024 bytes triggers a buffer overflow, which
happens when the program uses the memcpy function to copy the
attacker's string into a limited buffer used for the comparison with
the service's valid password.

The following is the code from pbsv.dll 1.183 of the game Soldier of
Fortune II where the exception which interrupts the game happens:

...
0511B3A8   8BB424 5810  MOV ESI,DWORD PTR SS:[ESP+1058]
0511B3AF   8D4424 18LEA EAX,DWORD PTR SS:[ESP+18]
0511B3B3   6A 41PUSH 41
0511B3B5   50   PUSH EAX
0511B3B6   C68424 5510 >MOV BYTE PTR SS:[ESP+1055],0
0511B3BE   FF96 5401CALL DWORD PTR DS:[ESI+154]
0511B3C4   8BBC24 6410  MOV EDI,DWORD PTR SS:[ESP+1064]
...

The ESI register is controlled by the attacker.
The memcpy function described above instead is located at offset
0512aea7.


###

===
3) The Code
===


Send the following text file to the port on which the PunkBuster
WebTool is running:

  http://aluigi.org/poc/pbwebbof.txt

or simply build and use a link like the following:

  http://127.0.0.1:80/pbsvweb/plist=1&webkey=a...1044...aaa


###

==
4) Fix
==


Versions v1.229 and above.


#######


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org



[Full-disclosure] Server termination in netPanzer 0.8 (rev 952)

2006-05-23 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  netPanzer
  http://www.netpanzer.org
  http://netpanzer.berlios.de
Versions: <= 0.8 (rev 952)
Platforms:*nix, *BSD, Windows, Mac and others
Bug:  server termination
Exploitation: remote, versus server
Date: 23 May 2006
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


netPanzer is a nice and well known open source multiplayer strategy
game.


###

==
2) Bug
==


The game is affected by a denial of service which happens when a client
uses a flag (also called frameNum) greater than 41, since the setFrame
function in src/Lib/2D/Surface.hpp asserts that this number is less
than frameCount:

void setFrame(const float &frameNum)
{
assert(frameNum >= 0.0);
assert(frameNum < frameCount);
mem = frame0 + (pix.y * stride) * int(frameNum);
}

The result is the immediate interruption of the server:

netpanzer: src/Lib/2D/Surface.hpp:370: void Surface::setFrame(const
float&): Assertion `frameNum < frameCount' failed. Received signal
SIGABRT(6) aborting and trying to shutdown.
Closing logfile.
Aborted


###

===
3) The Code
===


http://aluigi.org/poc/panza.zip


###

==
4) Fix
==


No fix.
No reply from the developers.


#######


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org



[Full-disclosure] Two heap overflow in libextractor 0.5.13 (rev 2832)

2006-05-17 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  libextractor
  http://gnunet.org/libextractor/
Versions: <= 0.5.13 (rev 2832)
Platforms:*nix, *BSD, Windows and more
Bugs: A] heap overflow in asfextractor
  B] heap overflow in qtextractor
Exploitation: local
Date: 17 May 2006
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


libextractor is a library which allows searching for meta-data in
different file formats.
It's used in some programs and it's required by GNUnet
(http://gnunet.org).


###

===
2) Bugs
===


---
A] heap overflow in asfextractor
---

The demux_asf_t structure is allocated when the plugin is launched;
subsequently a call to asf_read_header is performed, which reads the
whole header of the input file, arriving (depending on the file) at the
handling of GUID_ASF_STREAM_PROPERTIES and then CODEC_TYPE_AUDIO.
Here we have the arbitrary copying of an amount of data, specified by
the 32-bit number called total_size, from the ASF file to the wavex
buffer of 1024*2 bytes.
The total_size value is read from the same file and no checks are
performed on its size, so it is possible to cause a heap overflow.

From src/plugins/asfextractor.c:

static int asf_read_header(demux_asf_t *this) {
  ...
  total_size = get_le32(this);
  stream_data_size = get_le32(this);
  stream_id = get_le16(this); /* stream id */
  get_le32(this);

  if (type == CODEC_TYPE_AUDIO) {
ext_uint8_t buffer[6];

readBuf (this, (ext_uint8_t *) this->wavex, total_size);
  ...


---
B] heap overflow in qtextractor
---

A heap overflow also exists in the plugin which handles QT/MOV files.
The problem is located in the parse_trak_atom function and is caused by
the allocation of a buffer using a specific amount of bytes chosen by
the attacker, on which memcpy is then called using another amount of
data, also provided by the same input file.

From src/plugins/qtextractor.c:

static qt_error parse_trak_atom (qt_trak *trak,
 unsigned char *trak_atom) {
  ...
  trak->stsd_size = current_atom_size;
  trak->stsd = realloc (trak->stsd, current_atom_size);
  memset (trak->stsd, 0, trak->stsd_size);

  /* awful, awful hack to support a certain type of stsd atom that
   * contains more than 1 video description atom */
  if (BE_32(&trak_atom[i + 8]) == 1) {
/* normal case */
memcpy (trak->stsd, &trak_atom[i], current_atom_size);
hack_adjust = 0;
  } else {
/* pathological case; take this route until a more definite
 * solution is found: jump over the first atom video
 * description atom */

/* copy the first 12 bytes since those remain the same */
memcpy (trak->stsd, &trak_atom[i], 12);

/* skip to the second atom and copy it */
hack_adjust = BE_32(&trak_atom[i + 0x0C]);
memcpy(trak->stsd + 12, &trak_atom[i + 0x0C + hack_adjust],
  BE_32(&trak_atom[i + 0x0C + hack_adjust]));
  ...
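Added here as an example (not libextractor's code), a bounds-checked stand-in for that copy: the second description atom's size field, the bytes it covers and the destination allocation are all verified against current_atom_size and the trak data actually read before memcpy is called. The field offsets (+8, +12) follow the code above; the sample atoms are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

// Bounds-checked stand-in for the stsd copy in parse_trak_atom (this
// example's code, not libextractor's). trak_atom/trak_len is the trak atom
// as read from the file, i the offset of the stsd atom inside it and
// current_atom_size the size field already parsed for it. stsd is sized to
// current_atom_size, like the realloc in the original. Returns false for any
// size that is not backed by real bytes instead of handing it to memcpy.
bool copy_stsd_checked(const unsigned char *trak_atom, size_t trak_len, size_t i,
                       uint32_t current_atom_size,
                       std::vector<unsigned char> &stsd, uint32_t &hack_adjust) {
    // the stsd atom itself must lie inside the buffer actually held
    if (i > trak_len || current_atom_size > trak_len - i) return false;
    // 8-byte header, the word at +8 and the first description's size at +12
    if (current_atom_size < 16) return false;

    stsd.assign(current_atom_size, (unsigned char)0);   // realloc + memset of the original
    const unsigned char *atom = trak_atom + i;

    if (be32(atom + 8) == 1) {
        memcpy(&stsd[0], atom, current_atom_size);      // normal case, already within bounds
        hack_adjust = 0;
        return true;
    }

    // pathological case: skip the first video description atom
    memcpy(&stsd[0], atom, 12);
    hack_adjust = be32(atom + 12);
    // the second atom's own 4-byte size field must be readable inside the stsd atom
    if (hack_adjust > current_atom_size - 16) return false;
    uint32_t second_size = be32(atom + 12 + hack_adjust);
    // source side: the second atom must end inside the stsd atom
    if (second_size > current_atom_size - 12 - hack_adjust) return false;
    // destination side: 12 header bytes + second atom must fit the allocation
    // (implied by the previous check, kept explicit because it is the
    // allocation bound the original memcpy violates)
    if (second_size > current_atom_size - 12) return false;
    memcpy(&stsd[12], atom + 12 + hack_adjust, second_size);
    return true;
}

// --- constructed stsd atoms (big-endian fields, as in QuickTime) -----------

static void put_be32(std::vector<unsigned char> &v, uint32_t x) {
    v.push_back((unsigned char)(x >> 24)); v.push_back((unsigned char)(x >> 16));
    v.push_back((unsigned char)(x >> 8));  v.push_back((unsigned char)x);
}

// A 32-byte stsd atom whose count word is 2 (not 1): an 8-byte first
// description atom at +12, then a second one at +20 declaring second_size.
static std::vector<unsigned char> sample_stsd(uint32_t second_size) {
    static const char stsd_tag[] = "stsd", mp4v_tag[] = "mp4v";
    std::vector<unsigned char> a;
    put_be32(a, 32); a.insert(a.end(), stsd_tag, stsd_tag + 4);
    put_be32(a, 2);                        // not the "normal case" value 1
    put_be32(a, 8); put_be32(a, 0);        // first description atom: size 8 + 4 body bytes
    put_be32(a, second_size); a.insert(a.end(), mp4v_tag, mp4v_tag + 4);
    put_be32(a, 0xAABBCCDDu);              // body of the second atom
    return a;                              // 32 bytes in total
}

// Consistent sizes: 12 header bytes plus the 12-byte second atom are copied.
bool demo_pathological_ok() {
    std::vector<unsigned char> atom = sample_stsd(12), stsd;
    uint32_t adj = 0;
    bool ok = copy_stsd_checked(atom.data(), atom.size(), 0, 32, stsd, adj);
    return ok && adj == 8 && stsd.size() == 32
        && memcmp(&stsd[0], atom.data(), 12) == 0
        && memcmp(&stsd[12], atom.data() + 20, 12) == 0;
}

// Second atom declaring 1000 bytes: the original memcpy would read and write
// far past both buffers; here the atom is rejected.
bool demo_oversized_second_atom_rejected() {
    std::vector<unsigned char> atom = sample_stsd(1000), stsd;
    uint32_t adj = 0;
    return !copy_stsd_checked(atom.data(), atom.size(), 0, 32, stsd, adj);
}

// current_atom_size claiming more bytes than the trak data actually read.
bool demo_truncated_trak_rejected() {
    std::vector<unsigned char> atom = sample_stsd(12), stsd;
    uint32_t adj = 0;
    return !copy_stsd_checked(atom.data(), atom.size(), 0, 64, stsd, adj);
}
```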


###

===
3) The Code
===


http://aluigi.org/poc/libextho.zip


###

==
4) Fix
==


The bug in the ASF plugin has been fixed in revision 2827 while that in
QT in 2833.


###


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org



[Full-disclosure] Socket unreachable in GNUnet rev 2780

2006-05-12 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  GNUnet
  http://www.gnunet.org
Versions: <= 0.7.0d and revision 2780
Platforms:Windows, *nix, *BSD, Mac and more
Bug:  UDP socket unreachable
Exploitation: remote
Date: 12 May 2006
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


From the website:
"GNUnet is a framework for secure peer-to-peer networking that does not
use any centralized or otherwise trusted services. A first service
implemented on top of the networking layer allows anonymous
censorship-resistant file-sharing."


###

==
2) Bug
==


The asynchronous mode used for the UDP socket is handled through
FIONREAD.
If an empty UDP packet (zero bytes) is received the program enters an
endless loop in which the other UDP packets cannot be handled and the
CPU usage reaches 100%.

More info about this specific bug are available here:

  http://aluigi.org/adv/socket_unreachable_info.txt


###

===
3) The Code
===


http://aluigi.org/testz/udpsz.zip

  udpsz 127.0.0.1 2068 0


###

==
4) Fix
==


SVN revision 2781.


#######


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org



[Full-disclosure] Multiple vulnerabilities in Outgun 1.0.3 bot 2

2006-05-12 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Outgun
  http://koti.mbnet.fi/outgun/
Versions: <= 1.0.3 bot 2
Platforms:Windows, *nix, *BSD and more
Bugs: A] data_file_request buffer-overflow
  B] exception with big data
  C] invalid memory access in messages handling
  D] harmless buffer-overflow on a global variable in
 changeRegistration
Exploitation: remote, versus server
Date: 12 May 2006
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


Outgun is an open source 2D capture-the-flag game with multiplayer
support for LAN and Internet through a centralized master server.


###

===
2) Bugs
===


A] data_file_request command buffer-overflow


The game supports downloading map files directly from the server on
which the clients want to play.
The download request consists of the command data_file_request and two
text strings for the type and name of the requested file.
The buffers in which the server stores these two strings are 64 and 256
bytes in size, and the function readString doesn't check the length of
the destination buffer while copying.

From src/servnet.cpp:

void ServerNetworking::incoming_client_data(int id, char *data, int length) {
    ...
    else if (code == data_file_request) {
        char ftype[64];
        char fname[256];
        readString(msg, count, ftype);
        readString(msg, count, fname);
        ...


--
B] exception with big data
--

The leetnet functions used in the game for handling the packets
automatically raise an exception (throw) if data bigger than 512
(DATA_BUF_SIZE) bytes is received.
The effect is the immediate termination of the game.

From src/leetnet/rudp.cpp:

class data_ci : public data_c {
public:

    //allocated length, used length
    int alen, ulen;

    //data buffer
    char buf[DATA_BUF_SIZE];

    //extend buffer to fit additional len
    void extend(int len) {
        if (len + ulen > DATA_BUF_SIZE) {
            throw 66677;
        }
        ...


-
C] invalid memory access in messages handling
-

The leetnet functions support a maximum of 64 messages in each incoming
packet, but no checks prevent reading the unallocated memory after the
packet if an attacker uses wrong message sizes.

From src/leetnet/rudp.cpp:

virtual char* process_incoming_packet(int *size, bool *special) {
...
NLulong msgid;
NLshort msgsize;
for (i=0; iadd_reliable(msgid, (udp_data + count), msgsize);  //data
}
...
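An added example, not Outgun or leetnet code, of the check that is missing above: a packet parser that verifies each message header and msgsize against the bytes remaining before reading them. The record layout (a one-byte message count, then a 32-bit msgid, a 16-bit msgsize and the payload, little-endian) is assumed for illustration and not taken from leetnet.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_MESSAGES 64    /* leetnet's per-packet limit, from the advisory */

typedef struct {
    uint32_t id;           /* message id (NLulong in leetnet) */
    uint16_t size;         /* payload length (NLshort in leetnet) */
    const uint8_t *data;   /* points into the packet, never past it */
} leet_msg;

static uint32_t rd_u32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static uint16_t rd_u16(const uint8_t *p)
{
    return (uint16_t)(p[0] | p[1] << 8);
}

/* Parse a packet of 'len' bytes into out[] (capacity MAX_MESSAGES).
 * Every read is checked against the bytes still available before it
 * happens, so neither a forged message count nor a forged msgsize can move
 * the cursor past the end of the packet.  Returns the number of messages,
 * or -1 if the packet is malformed. */
int parse_packet(const uint8_t *pkt, size_t len, leet_msg *out)
{
    size_t pos = 0;
    unsigned count, i;

    if (len < 1)
        return -1;
    count = pkt[pos++];
    if (count > MAX_MESSAGES)
        return -1;
    for (i = 0; i < count; i++) {
        if (len - pos < 6)                 /* msgid + msgsize must fit */
            return -1;
        out[i].id = rd_u32(pkt + pos);
        out[i].size = rd_u16(pkt + pos + 4);
        pos += 6;
        if (out[i].size > len - pos)       /* payload must fit */
            return -1;
        out[i].data = pkt + pos;
        pos += out[i].size;
    }
    return (int)count;
}

/* Constructed packets, not captured traffic. */
static const uint8_t good_pkt[] = {
    2,                                 /* two messages */
    0x01, 0, 0, 0,  3, 0,  'a', 'b', 'c',
    0x02, 0, 0, 0,  0, 0               /* second message has no payload */
};
static const uint8_t forged_size[] = {
    1,
    0x01, 0, 0, 0,  0xff, 0x7f,  'a'   /* claims 32767 bytes, carries 1 */
};
static const uint8_t forged_count[] = { 65, 0x01, 0, 0, 0, 0, 0 };

/* Well-formed packet: returns 2 and the parsed fields are as encoded. */
int demo_good(void)
{
    leet_msg m[MAX_MESSAGES];
    int n = parse_packet(good_pkt, sizeof good_pkt, m);

    return (n == 2 && m[0].size == 3 && m[1].id == 2) ? n : -1;
}

/* msgsize larger than the packet: rejected (-1) instead of read past the end. */
int demo_forged_size(void)
{
    leet_msg m[MAX_MESSAGES];

    return parse_packet(forged_size, sizeof forged_size, m);
}

/* Message count above the 64 limit: rejected (-1) before out[] overflows. */
int demo_forged_count(void)
{
    leet_msg m[MAX_MESSAGES];

    return parse_packet(forged_count, sizeof forged_count, m);
}
```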


--
D] harmless buffer-overflow on a global variable in changeRegistration
--

changeRegistration is the function which handles changes to the clients'
registration information.
This function uses strcpy to copy the client's token into a buffer of
64 bytes located in the global array of client information.
During my tests (limited by the problem described in bug B) it was not
possible to exploit this bug to crash the server, but I was only able to
modify some of the information of the other players on the server.

From src/servernet.cpp:

bool Server::changeRegistration(int id, const string& token) {
    const int intoken = atoi(token.c_str());
    if (intoken == client[id].intoken)
        return false;

    // v0.4.9 FIX : IF HAD previous token have/valid, then FLUSH his stats
    network.client_report_status(id);

    strcpy(client[id].token, token.c_str());
    ...


###

===
3) The Code
===


http://aluigi.org/poc/outgunx.zip


###

==
4) Fix
==


Some of the bugs will be fixed in the next "bot" release.


###


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org



[Full-disclosure] Server crash in Empire 4.3.2

2006-05-12 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Empire
  http://www.wolfpackempire.com
  http://sourceforge.net/projects/empserver
Versions: <= 4.3.2
Platforms:Windows, *nix, *BSD and more
Bug:  crash caused by strncat misuse
Exploitation: remote, versus server
Date: 12 May 2006
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


Empire is a well known multiplayer Internet war game.


###

==
2) Bug
==


The bug is a server crash caused by access to an invalid zone of
memory.
It happens due to the misuse of strncat in the client_cmd function when
appending the text strings sent by the attacker to the player->client
buffer.

From lib/player/login.c:

static int
client_cmd(void)
{
    int i;

    if (!player->argp[1])
        return RET_SYN;

    for (i = 1; player->argp[i]; ++i) {
        if (i > 1)
            strncat(player->client, " ", sizeof(player->client) - 1);
        strncat(player->client, player->argp[i], sizeof(player->client) - 1);
    }
    player->client[sizeof(player->client) - 1] = '\0';
    pr_id(player, C_CMDOK, "talking to %s\n", player->client);
    return RET_OK;
}
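The strncat misuse above is worth seeing in numbers. The following is an added example, not Empire's code (CLIENT_LEN and the argument values are constructed): it runs the same strncat pattern against an oversized backing array to measure how far past a 32-byte buffer it writes, beside a join that bounds the total length and also guards the separator.

```c
#include <stdio.h>
#include <string.h>

#define CLIENT_LEN 32   /* constructed stand-in for sizeof(player->client) */

/* Bounded join of NULL-terminated args separated by ' '.  Never writes more
 * than dstsz - 1 characters plus the terminator, and guards the separator
 * as well as the payload.  Returns the length the full join would have had,
 * so a caller can detect truncation (return value >= dstsz). */
size_t join_args(char *dst, size_t dstsz, const char *const *args)
{
    size_t pos = 0, want = 0, i;

    for (i = 0; args[i]; i++) {
        size_t n = strlen(args[i]), room, take;

        if (i > 0) {
            want++;
            if (pos < dstsz - 1)
                dst[pos++] = ' ';
        }
        want += n;
        room = dstsz - 1 - pos;
        take = n < room ? n : room;
        memcpy(dst + pos, args[i], take);
        pos += take;
    }
    dst[pos] = '\0';
    return want;
}

/* The original client_cmd pattern, run against a logical CLIENT_LEN-byte
 * buffer that is backed by a much larger array so the overrun can be
 * measured instead of corrupting memory.  strncat's third argument caps how
 * much of the source is appended per call, not the total length of dst, so
 * every call may add up to CLIENT_LEN - 1 more bytes.  Returns strlen() of
 * the result; anything above CLIENT_LEN - 1 would have overflowed. */
size_t strncat_pattern_len(const char *const *args)
{
    char backing[1024];
    size_t i;

    backing[0] = '\0';
    for (i = 0; args[i]; i++) {
        if (i > 0)
            strncat(backing, " ", CLIENT_LEN - 1);
        strncat(backing, args[i], CLIENT_LEN - 1);
    }
    return strlen(backing);
}

/* Constructed arguments: two 30-character words. */
static const char *const sample_args[] = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
    NULL
};

/* 61: 30 + 1 + 30, far beyond the 31 characters a 32-byte buffer holds. */
size_t demo_unsafe_len(void)
{
    return strncat_pattern_len(sample_args);
}

/* 31: join_args stops at the buffer's capacity. */
size_t demo_safe_len(void)
{
    char client[CLIENT_LEN];

    join_args(client, sizeof client, sample_args);
    return strlen(client);
}

/* 61: the length the caller is told the full join needed. */
size_t demo_safe_wanted(void)
{
    char client[CLIENT_LEN];

    return join_args(client, sizeof client, sample_args);
}

int main(void)
{
    printf("strncat pattern produced %zu bytes for a %d-byte buffer\n",
           demo_unsafe_len(), CLIENT_LEN);
    printf("join_args kept %zu bytes (full join would need %zu)\n",
           demo_safe_len(), demo_safe_wanted());
    return 0;
}
```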


###

===
3) The Code
===


http://aluigi.org/poc/empiredos.zip


###

==
4) Fix
==


The current CVS has been patched.
In any case, the following is the diff created by the developers:

--- login.c.~1.37.~ 2006-04-26 20:50:40.0 +0200
+++ login.c 2006-05-09 08:36:04.0 +0200
@@ -133,17 +133,23 @@ player_login(void *ud)
 static int
 client_cmd(void)
 {
-int i;
+int i, sz;
+char *p, *end;
 
 if (!player->argp[1])
return RET_SYN;
 
+p = player->client;
+end = player->client + sizeof(player->client) - 1;
 for (i = 1; player->argp[i]; ++i) {
if (i > 1)
-   strncat(player->client, " ", sizeof(player->client) - 1);
-   strncat(player->client, player->argp[i], sizeof(player->client) - 1);
+   *p++ = ' ';
+   sz = strlen(player->argp[i]);
+   sz = MIN(sz, end - p);
+   memcpy(p, player->argp[i], sz);
+   p += sz;
 }
-player->client[sizeof(player->client) - 1] = '\0';
+*p = 0;
 pr_id(player, C_CMDOK, "talking to %s\n", player->client);
 return RET_OK;
 }
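Review bot: the separator write `*p++ = ' ';` in the loop body is not bounded by `end`, so when a previous argument was truncated to exactly fill the buffer (`sz = MIN(sz, end - p)` leaves `p == end`), the next iteration writes the space at `end` and advances `p` one past it; `end - p` is then -1, `sz = MIN(sz, end - p)` becomes -1, and `memcpy(p, player->argp[i], sz)` is called with a negative length converted to size_t. Suggest stopping once the buffer is full, e.g. `if (p >= end) break;` before `*p++ = ' ';`, so that `*p = 0;` always lands at or before `end`.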


###


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org



[Full-disclosure] Buffer-overflow and NULL pointer crash in Genecys 0.2

2006-05-12 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Genecys
  http://www.genecys.org
Versions: <= 0.2 and current CVS
Platforms:*nix and *BSD
Bugs: A] tell_player_surr_changes buffer-overflow
  B] parse_command NULL pointer crash
Exploitation: remote, versus server
Date: 12 May 2006
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


Genecys is an open source MMORPG project.


###

===
2) Bugs
===

---
A] tell_player_surr_changes buffer-overflow
---

The function tell_player_surr_changes is affected by a buffer-overflow
which could allow an attacker to execute malicious code.
The problem is caused by the use of sprintf and strcat on buffers of
256 bytes.

From server/player.c:

int tell_player_surr_changes(event_t *event)
{
    pl_known_t *known, *knext;
    object_t *obj;
    char buf[256], buf2[256],b2[40];

    obj = event->initiator;

    for (known=TAILQ_FIRST(&obj->pl->known); known != NULL; known = knext) {
        knext = TAILQ_NEXT(known, next);
        if (!event->action)
            known->lu--;
        if (known->bits > 0) {
            sprintf(buf, "chob id:%s", uid_sprint(b2, &known->uid));
            if (known->bits & PLKN_NROF) {
                sprintf(buf2, " nrof:%d", known->nrof);
                strcat(buf, buf2);
            }
            if (known->bits & PLKN_STATE) {
                sprintf(buf2, " st:%d", known->state);
                strcat(buf, buf2);
            }
            if (known->bits & PLKN_NAME) {
                sprintf(buf2, " nm:\"%s\"", known->name);
                strcat(buf, buf2);
            }
            if (known->bits & PLKN_NAMEPL) {
                sprintf(buf2, " nmp:\"%s\"", known->name_pl);
                strcat(buf, buf2);
            }
            if (known->bits & PLKN_MODEL) {
                sprintf(buf2, " mdl:\"%s\"", known->model);
                strcat(buf, buf2);
            }
            ...

Note: it has not been possible to test this bug in practice due to some
problems while running my test server.


---
B] parse_command NULL pointer crash
---

The function which parses the commands sent by the client doesn't check
the return value of the strchr call used to split the commands from
their values (CMD:VAL).
If the attacker doesn't include the ':' character, the server crashes
on a NULL pointer dereference.

From common/netparser.c:

pargs_t *parse_command(char **words, int *command, int count)
{
    argtable_t *asp, dummy;
    char *cp, *tmp, *p;
    size_t span;
    ...
    args = safer_malloc(sizeof(pargs_t)*numargs);
    cur = 0;
    for (i=1; i < count && words[i] != NULL && *words[i]; i++) {
        span = strcspn(words[i], ":");
        tmp = strchr(words[i], ':');
        tmp++;
        ...


###

===
3) The Code
===


http://aluigi.org/poc/genecysbof.zip


###

==
4) Fix
==


No fix.
No reply from the developers... the game seems no longer supported.


###


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org



[Full-disclosure] Multiple vulnerabilities in Raydium rev 309

2006-05-12 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Raydium
  http://raydium.org
Versions: <= SVN revision 309
  (newer versions can be vulnerable to some of the bugs
  which are still unfixed)
Platforms:Windows, *nix, *BSD and others
Bugs: A] buffer-overflow in raydium_log and
 raydium_console_line_add
  B] format string in raydium_log
  C] NULL function pointer in raydium_network_netcall_exec
  D] buffer-overflow and invalid memory access in
 raydium_network_read
Exploitation: A] remote, versus server and client
  B] remote, versus server and client
  C] remote, versus server and client
  D] remote, versus client
Date: 12 May 2006
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:aluigi.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


Raydium is a complete open source game engine with multiplayer support
and many other important and interesting features.


###

===
2) Bugs
===

--
A] buffer-overflow in raydium_log and raydium_console_line_add
--

The logging function of Raydium is used heavily throughout the engine.
For example, every time a client tries to join the server it logs the
event in the console:

  raydium_log("network: client %i connected as %s"/*,inet_ntoa(from->sin_addr)*/,n,name);

This useful function is affected by a buffer-overflow bug: the local
buffer str of 255 (RAYDIUM_MAX_NAME_LEN) bytes is filled using the
insecure vsprintf function.
The input packet is 512 (RAYDIUM_NETWORK_PACKET_SIZE) bytes, of which
508 are available for the text used to exploit the vulnerability.

  From raydium/log.c:

// need to be secured
void raydium_log(char *format, ...)
{
    char str[RAYDIUM_MAX_NAME_LEN];
    va_list argptr;


    va_start(argptr,format);
    vsprintf(str,format,argptr);
    va_end(argptr);

    printf("Raydium: %s\n",str);
    if(raydium_log_file) fprintf(raydium_log_file,"%s\n",str);
    raydium_console_line_add(str);
}


The same applies to raydium_console_line_add:

  From raydium/console.c:

// need to secure this one too
void raydium_console_line_add(char *format, ...)
{
    char str[RAYDIUM_MAX_NAME_LEN];
    va_list argptr;
    va_start(argptr,format);
    vsprintf(str,format,argptr);
    va_end(argptr);

    raydium_console_line_last++;
    if(raydium_console_line_last>=RAYDIUM_CONSOLE_MAX_LINES)
        raydium_console_line_last=0;

    strcpy(raydium_console_lines[raydium_console_line_last],str);
}


---
B] format string in raydium_log
---

The same raydium_log function described above is also affected by a
format string vulnerability, caused by calling raydium_console_line_add
with the text string passed directly in place of the required format
argument:

  raydium_console_line_add(str);



---
C] NULL function pointer in raydium_network_netcall_exec
---

The function raydium_network_netcall_exec is called by
raydium_network_read to select the specific function used to handle the
type of packet received.
The raydium_network_netcall_type array is initialized with the type -1,
so if the attacker uses the type 0xff the function will try to call the
raydium_network_netcall_func entry, which is still initialized with a
NULL pointer.
The effect is a crash of the program.

From raydium/network.c:

...
for(i=0;i


---
D] buffer-overflow and invalid memory access in raydium_network_read
---

From raydium/network.c:

signed char raydium_network_read(int *id, signed char *type, char *buff)
...
strcpy(raydium_network_server_list[slot].name,name);
...
strcpy(raydium_network_server_list[slot].info,info);
...
i=buff[RAYDIUM_NETWORK_PACKET_OFFSET];
strcpy(raydium_network_name[i],buff+RAYDIUM_NETWORK_PACKET_OFFSET+1);
...


###

===
3) The Code
===


http://aluigi.org/poc/raydiumx.zip


###

==
4) Fix
==


Some of the bugs have been fixed in the current SVN and the others will
be fixed soon.


###


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org


[Full-disclosure] Format string bug in Skulltag 0.96f

2006-04-23 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Skulltag
  http://www.skulltag.com
Versions: <= 0.96f
Platforms:Windows
Bug:  format string
Exploitation: remote, versus server
Date: 23 Apr 2006
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


Skulltag is a well known and supported Doom engine mainly based on
Zdoom and focused on online gaming.
Unfortunately it's released as closed source although it uses open
source code.


###

==
2) Bug
==


The server is affected by a format string vulnerability exploitable
when a client passes a wrong version string.
The following are the buggy instructions in the 0.96f executable:

* Reference To: MSVCRT.sprintf, Ord:02B2h
  |
:004DCCC3 8B3D30415900mov edi, dword ptr [00594130]
:004DCCC9 8D4C2424lea ecx, dword ptr [esp+24]
:004DCCCD 50  push eax  ; client's version
:004DCCCE 51  push ecx  ; buffer
:004DCCCF FFD7call edi  ; sprintf()

which translates to:

  sprintf(buffer, version_sent_by_the_client);

The exploitation happens "outside" the server, so there are no banning
or password limitations for the attacker.
The only so-called obstacle is when the server is full, because it
can't be attacked during this (rare) state.
A note about possible code execution: the subsequent instructions use
the strupr function, which converts almost all the chars in the string
to upper case.


###

===
3) The Code
===


http://aluigi.altervista.org/poc/skulltagfs.zip


###

==
4) Fix
==


The developer has been contacted and has fixed the bug only in his
private development version, which will probably be released this
summer.
So there is no fix available.

Fortunately the bug is simple enough to fix, so I have created an
unofficial patch which adds the "%s" argument to sprintf.
This solution is enough since it is not possible to overflow the buffer
(so there is no need for snprintf or "%.*s"):

  http://aluigi.altervista.org/patches/skulltagfs-fix.zip


#######


--- 
Luigi Auriemma
http://aluigi.altervista.org



[Full-disclosure] Denial of service bugs in OpenTTD 0.4.7

2006-04-23 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  OpenTTD
  http://www.openttd.org
Versions: <= 0.4.7
Platforms:Windows, *nix, *BSD, Mac and others
Bugs: A] program termination through big error number
  B] broadcast clients disconnection in multiplayer menu
Exploitation: A] remote, versus server and client (in-game)
  B] remote, versus clients (broadcast)
Date: 23 Apr 2006
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


OpenTTD is a widely played open source clone of the old Transport
Tycoon Deluxe game.
It supports LAN and Internet multiplayer.


###

===
2) Bugs
===

---
A] program termination through big error number
---

Both client and server handle a type of command (PACKET_SERVER_ERROR
and PACKET_CLIENT_ERROR) for displaying some pre-built errors in the
console.
The problem happens when an attacker sends an invalid, big error number
(8 bit) which forces the program to terminate through the error()
function.
The bug is exploitable only in-game, so the attacker must have access
to the server: his IP must not be banned, he must know the password if
one has been set, and the server must not be full.

From strings.c:

char *GetStringWithArgs(char *buffr, uint string, const int32 *argv)
{
    uint index = GB(string,  0, 11);
    uint tab   = GB(string, 11,  5);

    ...

    if (index >= _langtab_num[tab]) {
        error(
            "!String 0x%X is invalid. "
            "Probably because an old version of the .lng file.\n",
            string
        );
    }

    return FormatString(buffr, GetStringPtr(GB(string, 0, 16)), argv, GB(string, 24, 8));
}


--
B] broadcast clients disconnection in multiplayer menu
--

Clients are affected by a harmless bug when they handle UDP packets.
The first 2 bytes of each UDP packet are a 16-bit number which
specifies the size of the packet.
If this value in a received packet is invalid (for example too small),
the client returns immediately to the main menu.
This bug becomes problematic when a malicious server visible in the
master server list sends invalid replies to the queries sent by the
clients which want to play online: they will no longer be able to do
so, because they are sent back to the main menu.


###

===
3) The Code
===


http://aluigi.altervista.org/poc/openttdx.zip


###

==
4) Fix
==


The current SVN and nightly builds (pre-compiled for many platforms)
have been fixed:

  http://www.openttd.org/nightly.php

These new versions (r4531 or later) also fix a garbage problem which
causes the termination of the server on some machines when the attacker
uses a big nickname (longer than NETWORK_CLIENT_NAME_LENGTH).


#######


--- 
Luigi Auriemma
http://aluigi.altervista.org



[Full-disclosure] Buffer-overflow and crash in Fenice OMS 1.10

2006-04-23 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Fenice - Open Media Streaming Server
  http://streaming.polito.it/server
Versions: <= 1.10 and current SVN 2005-07-26
Platforms:*nix, *BSD and others
Bugs: A] buffer-overflow in parse_url
  B] crash in RTSP_msg_len
Exploitation: remote
Date: 23 Apr 2006
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


Fenice is the name of the Open Media Streaming Server (OMS) developed
by the Italian team of the Politecnico di Torino University.
This open source server implements the RTSP, RTP and RTCP protocols.


###

===
2) Bugs
===

---
A] buffer-overflow in parse_url
---

The RTSP module of Fenice uses a function (parse_url) to retrieve the
server, the port and the filename contained in the URI sent by the
client.
This function uses some strcpy calls to fill the server and file_name
buffers passed by the caller, allowing an attacker to use the resulting
buffer-overflow vulnerability to execute possibly malicious code.

From rtsp/parse_url.c:

int parse_url(const char *url, char *server, unsigned short *port, char *file_name)
// Note: this routine comes from OMS
{
    /* expects format '[rtsp://server[:port/]]filename' */

    ...
        strcpy(server, token);
    ...
        token = strtok(NULL, " ");
        if (token)
            strcpy(file_name, token);
    ...
        char *token = strtok(full, " \t\n");
        if (token) {
            strcpy(file_name, token);
            server[0] = '\0';
            valid_url = 1;
        }
    }
    free(full);
    return valid_url;
}



---
B] crash in RTSP_msg_len
---

The function which handles the Content-Length field sent by the client
doesn't check the size/sign of this parameter.
In the function RTSP_msg_len the ml variable holds the number of bytes
in the header and bl the Content-Length value.
When the end of the client's request is reached the program adds bl to
ml.
If bl (Content-Length) is a big value like 2147483647 or more, ml
becomes a negative number (ml is a signed integer, like all the other
variables there) and the subsequent check "ml > rtsp->in_size" is
bypassed.
The result is a read from an invalid zone of memory, which crashes the
server immediately.

From rtsp/RTSP_msg_len.c:

void RTSP_msg_len(int *hdr_len, int *body_len, RTSP_buffer * rtsp)
// This routine is from OMS.
{
    int eom;    /* end of message found */
    int mb;     /* message body exists */
    int tc;     /* terminator count */
    int ws;     /* white space */
    int ml;     /* total message length including any message body */
    int bl;     /* message body length */
    char c;     /* character */
    char *p;

    eom = mb = ml = bl = 0;
    while (ml <= rtsp->in_size) {
        ...
        if (eom) {
            ml += bl;   /* add in the message body length */
            break;      /* all done finding the end of the message. */
        }
        if (ml >= rtsp->in_size)
            break;
        ...
                if (sscanf(&(rtsp->in_buffer[ml]), "%d", &bl) != 1) {
                    fnc_log(FNC_LOG_FATAL,"invalid ContentLength encountered in message.");
                    exit(-1);
                }
            }
        }
    }

    if (ml > rtsp->in_size) {
        fnc_log(FNC_LOG_FATAL,"buffer did not contain the entire RTSP message.");
        exit(-1);
    }
    ...
    *hdr_len = ml - bl;
    for (tc = rtsp->in_size - ml, p = &(rtsp->in_buffer[ml]); tc && (*p == '\0'); p++, bl++, tc--);
    *body_len = bl;
}
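An added example, not Fenice or OMS code, showing the signed wrap-around described above and a Content-Length check that cannot wrap because the bound is compared before anything is added. The function names, IN_SIZE and the sample header values are constructed.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>

#define IN_SIZE 4096   /* constructed stand-in for rtsp->in_size */

/* Parse a Content-Length value the way a server should: optional leading
 * blanks, digits only (so "-5" and "+5" are rejected), no overflow, and not
 * larger than the space actually left for a body.  The comparison happens
 * before any addition, so nothing can wrap.  Returns 0 and sets *bl on
 * success, -1 on any invalid value. */
int parse_content_length(const char *s, int space, int *bl)
{
    char *end;
    long v;

    if (s == NULL)
        return -1;
    while (*s == ' ' || *s == '\t')
        s++;
    if (*s < '0' || *s > '9')
        return -1;
    errno = 0;
    v = strtol(s, &end, 10);
    if (errno == ERANGE || v > INT_MAX)
        return -1;
    while (*end == ' ' || *end == '\t' || *end == '\r' || *end == '\n')
        end++;
    if (*end != '\0')
        return -1;
    if (v > space)
        return -1;
    *bl = (int)v;
    return 0;
}

/* ml is the header length already consumed; the body may occupy at most
 * in_size - ml bytes.  *total is only formed after that bound is checked. */
int rtsp_total_len(int ml, const char *content_length, int in_size, int *total)
{
    int bl;

    if (ml < 0 || ml > in_size)
        return -1;
    if (parse_content_length(content_length, in_size - ml, &bl) != 0)
        return -1;
    *total = ml + bl;
    return 0;
}

/* What the original "ml > rtsp->in_size" test sees when ml + bl is computed
 * in a 32-bit signed int.  The wrap is emulated in a wider type so this
 * function itself has no undefined behaviour.  Returns 1 when the old check
 * would let the message through, 0 when it would reject it. */
int original_check_would_accept(int ml, int bl, int in_size)
{
    long long sum = (long long)ml + (long long)bl;

    if (sum > INT_MAX)
        sum -= 4294967296LL;           /* two's-complement wrap of a 32-bit int */
    return sum > in_size ? 0 : 1;
}

/* Constructed cases: 100 header bytes in a 4096-byte input buffer. */
int demo_ok(void)       { int t; return rtsp_total_len(100, " 200", IN_SIZE, &t) == 0 && t == 300; }
int demo_huge(void)     { int t; return rtsp_total_len(100, "2147483647", IN_SIZE, &t) == -1; }
int demo_negative(void) { int t; return rtsp_total_len(100, "-5", IN_SIZE, &t) == -1; }
int demo_too_big(void)  { int t; return rtsp_total_len(100, "4000", IN_SIZE, &t) == -1; }
```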


###

===
3) The Code
===


A]  GET /[about 320 'a's] HTTP/1.0

B]  G

[Full-disclosure] Re: Buffer-overflow in [EMAIL PROTECTED] 1.0.1 viewer and server

2006-04-05 Thread Luigi Auriemma
[EMAIL PROTECTED] wrote:
> Could you confirm my impression that the server vulnerability can only 
> overflow the buffer in 3 bytes?

Yes, the buffer is overflowed just by those 3 bytes plus the Windows
error message created with FormatMessage().


> Is there a way to exploit this for code execution, or would it
> be limited to DoS?

Exactly, that's why I have identified it as a "limited" buffer-overflow.
Limited just because the attacker has no control for executing malicious
code; I use this strange term when the return address cannot be
overwritten with the original bytes sent by the attacker.
I still think the buffer-overflow term is necessary because it's just
what happens, although snprintf handles the attacker's input correctly.
Anyway, if someone has ideas for better and more exact terms I'm open to
suggestions.


> How could one control the result of the FormatMessage for any of those
> two purposes?

As far as I know the attacker has no way of changing or modifying the
error message, because it's handled by the operating system through
GetLastError (retrieves the system error number) and FormatMessage
(creates a text message for that specific system error).

Oh, last note: I have updated my advisory for this second bug [B],
adding an important detail about the exploitation which I forgot
yesterday:

The only way I have found to exploit this bug (moreover without
authentication) is by sending an HTTP request with a URI of about 1024
bytes to the built-in webserver used to let the clients download the
Java viewer.
The service runs on port 5800 and is enabled by default.


BYEZ


--- 
Luigi Auriemma
http://aluigi.altervista.org



[Full-disclosure] Buffer-overflow in [EMAIL PROTECTED] 1.0.1 viewer and server

2006-04-04 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  [EMAIL PROTECTED]
  http://www.ultravnc.com
  http://ultravnc.sourceforge.net
Versions: <= 1.0.1 (and current CVS)
  (tabbed_viewer 1.29 is just the same VNC viewer 1.0.1, so it's
  vulnerable too)
Platforms:Windows
Bugs: A] client Log::ReallyPrint buffer-overflow
  B] server VNCLog::ReallyPrint limited buffer-overflow
Exploitation: A] remote, versus client
  B] remote, versus server
Date: 04 Apr 2006
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


[EMAIL PROTECTED] is a well known open source VNC server and viewer for Windows
very easy to use and configure.


###

===
2) Bugs
===

--
A] client Log::ReallyPrint buffer-overflow
--

During the login process a VNC client can receive three types of
replies from the server: connection failed, no authentication and
authentication required.
The first type of reply (rfbConnFailed) is followed by a text string
containing the reason for the disconnection.
Before displaying this message, [EMAIL PROTECTED] logs everything to the log
file using the vnclog.Print function, which uses a buffer of 1024
bytes (LINE_BUFFER_SIZE) to store the text.
The result is that a malicious VNC server could execute malicious code
against a vulnerable [EMAIL PROTECTED] client which connects to it.

From vncviewer/Log.cpp:

void Log::ReallyPrint(LPTSTR format, va_list ap)
{
    TCHAR line[LINE_BUFFER_SIZE];
    _vstprintf(line, format, ap);
    if (m_todebug) OutputDebugString(line);

    if (m_toconsole) {
        DWORD byteswritten;
        WriteConsole(GetStdHandle(STD_OUTPUT_HANDLE), line, _tcslen(line)*sizeof(TCHAR), &byteswritten, NULL);
    };

    if (m_tofile && (hlogfile != NULL)) {
        DWORD byteswritten;
        WriteFile(hlogfile, line, _tcslen(line)*sizeof(TCHAR), &byteswritten, NULL);

    }
}


-
B] server VNCLog::ReallyPrint limited buffer-overflow
-

The logging function used by the [EMAIL PROTECTED] server is affected by a
limited buffer-overflow caused by two strcat calls which add a Windows
error message to the output buffer.
There is, however, an important detail about the exploitation of this
bug.
The server is not vulnerable if the admin never touches the "Log debug
infos to the WinVNC.log file" flag in the configuration, but once the
admin enables this option his server stays vulnerable forever, even if
he disables it again.

From winvnc/winvnc/vnclog.cpp:

void VNCLog::ReallyPrint(const char* format, va_list ap)
{
    time_t current = time(0);
    if (current != m_lastLogTime) {
        m_lastLogTime = current;
        ReallyPrintLine(ctime(&m_lastLogTime));
    }

    // - Write the log message, safely, limiting the output buffer size
    TCHAR line[LINE_BUFFER_SIZE];
    TCHAR szErrorMsg[LINE_BUFFER_SIZE];
    DWORD  dwErrorCode = GetLastError();
    SetLastError(0);
    FormatMessage(
        FORMAT_MESSAGE_FROM_SYSTEM, NULL, dwErrorCode,
        MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),(char *)&szErrorMsg,
        LINE_BUFFER_SIZE, NULL);
    _vsnprintf(line, LINE_BUFFER_SIZE, format, ap);
    strcat(line," --");
    strcat(line,szErrorMsg);

    ReallyPrintLine(line);
}


###

===
3) The Code
===


http://aluigi.altervista.org/poc/uvncbof.zip


###

==
4) Fix
==


A patch will be released in the next weeks.


###


--- 
Luigi Auriemma
http://aluigi.altervista.org



[Full-disclosure] Format string in Doomsday 1.8.6

2006-04-03 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Doomsday engine
  http://www.doomsdayhq.com
  http://deng.sourceforge.net
Versions: <= 1.8.6 (and current SVN 1.9.0)
Platforms:Windows, *nix, *BSD, Mac and others
Bug:  format string bug in Con_Message and Con_Printf
Exploitation: remote, versus server and clients
Date: 03 Apr 2006
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


The Doomsday engine is an enhanced and well known open source port of
the original Doom engine and is also one of the most played on
Internet.


###

==
2) Bug
==


The Doomsday engine contains many functions used to display messages in
the console.
Both Con_Message and conPrintf are affected by a format string
vulnerability which could allow an attacker to execute malicious code
against the server or the clients.
The first function calls "Con_Printf(buffer)" while the second one
calls "SW_Printf(prbuff)" if SW_IsActive is enabled (which is always
the case).

From Src/con_main.c:

void Con_Message(const char *message, ...)
{
    va_list argptr;
    char   *buffer;

    if(message[0])
    {
        buffer = malloc(0x1);

        va_start(argptr, message);
        vsprintf(buffer, message, argptr);
        va_end(argptr);

#ifdef UNIX
        if(!isDedicated)
        {
            // These messages are supposed to be visible in the real console.
            fprintf(stderr, "%s", buffer);
        }
#endif

        // These messages are always dumped. If consoleDump is set,
        // Con_Printf() will dump the message for us.
        if(!consoleDump)
            printf("%s", buffer);

        // Also print in the console.
        Con_Printf(buffer);

        free(buffer);
    }
    Con_DrawStartupScreen(true);
}

...

void conPrintf(int flags, const char *format, va_list args)
{
    unsigned int i;
    int lbc;    // line buffer cursor
    char   *prbuff, *lbuf = malloc(maxLineLen + 1);
    cbline_t *line;

    if(flags & CBLF_RULER)
    {
        Con_AddRuler();
        flags &= ~CBLF_RULER;
    }

    // Allocate a print buffer that will surely be enough (64Kb).
    // FIXME: No need to allocate on EVERY printf call!
    prbuff = malloc(65536);

    // Format the message to prbuff.
    vsprintf(prbuff, format, args);

    if(consoleDump)
        fprintf(outFile, "%s", prbuff);
    if(SW_IsActive())
        SW_Printf(prbuff);
    ...
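The same two defects recur in the Raydium advisory (bugs A and B), in Skulltag and in this Doomsday code: an unbounded vsprintf into a fixed buffer, and user-controlled text reaching a printf-style function as its format. The following is an added example, not code from any of those projects (log_msg, console_line_add, MAX_LINE_LEN and the sample names are hypothetical); it shows the bounded, format-safe shape of such a logger and checks that conversion specifiers inside a client name are stored literally and that an over-long name is truncated rather than overflowing.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MAX_LINE_LEN 255   /* stand-in for RAYDIUM_MAX_NAME_LEN */
#define MAX_LINES 4

static char console_lines[MAX_LINES][MAX_LINE_LEN];
static int console_last = -1;

/* Stores one already-formatted line.  It takes text, never a format, so
 * the caller cannot repeat the raydium_console_line_add(str) mistake. */
void console_line_add(const char *text)
{
    console_last = (console_last + 1) % MAX_LINES;
    snprintf(console_lines[console_last], MAX_LINE_LEN, "%s", text);
}

const char *console_last_line(void)
{
    return console_last < 0 ? "" : console_lines[console_last];
}

/* Safe logger: the format is a literal chosen by the caller, vsnprintf
 * bounds the result, and the formatted text is handed down as data.
 * The format attribute lets -Wformat warn on a call such as log_msg(str).
 * Returns what vsnprintf returned; >= MAX_LINE_LEN means truncated. */
#if defined(__GNUC__)
__attribute__((format(printf, 1, 2)))
#endif
int log_msg(const char *format, ...)
{
    char str[MAX_LINE_LEN];
    va_list ap;
    int n;

    va_start(ap, format);
    n = vsnprintf(str, sizeof str, format, ap);
    va_end(ap);
    console_line_add(str);             /* text, not a format */
    return n;
}

/* Constructed check: a client name carrying conversion specifiers must
 * appear verbatim in the stored line.  Returns 1 on success. */
int demo_specifiers_kept_literal(void)
{
    log_msg("network: client %i connected as %s", 3, "bob%x%s");
    return strcmp(console_last_line(),
                  "network: client 3 connected as bob%x%s") == 0;
}

/* Constructed check: a name longer than the 508 bytes a packet can carry
 * is cut to MAX_LINE_LEN - 1 characters instead of overrunning str.
 * Returns 1 on success. */
int demo_long_name_truncated(void)
{
    char name[600];
    int n;

    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    n = log_msg("network: client %i connected as %s", 4, name);
    return n >= MAX_LINE_LEN && strlen(console_last_line()) == MAX_LINE_LEN - 1;
}
```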



###

===
3) The Code
===


Connect with telnet to port 13209 (default) of a DoomsDay server and
type:

  JOIN 1234 %n%n%n%n%n%n

The server will crash immediately.


###

==
4) Fix
==


No fix.
No reply from the developers.


#######


--- 
Luigi Auriemma
http://aluigi.altervista.org



[Full-disclosure] Buffer-overflow and in-game crash in Zdaemon 1.08.01

2006-03-31 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Zdaemon
  http://www.zdaemon.org
  (and also X-Doom http://www.doom2.net/~xdoom/)
Versions: <= 1.08.01
Platforms:Windows and Linux
Bugs: A] buffer-overflow in is_client_wad_ok
  B] Invalid memory access in ZD_MissingPlayer, ZD_UseItem
 and ZD_LoadNewClientLevel/ZD_ValidClient
Exploitation: A] remote, versus server
  B] remote, versus server (in-game)
Date: 31 Mar 2006
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


Zdaemon is the most played Doom engine on Internet with tons of servers
available online and many players.

X-Doom instead is an old server-only port focused on Linux/BSD and
is/was based on the latest Zdaemon source code which was available
before becoming closed source.


###

===
2) Bugs
===

--
A] buffer-overflow in is_client_wad_ok
--

When a client joins the match, the server checks whether the wad files
(the maps) used on the client are the same as its own.
So the client sends the name of each wad used on the server followed by
the local md5 hash of the file; the server takes the received filename
and copies it into a buffer of 256 bytes using strcpy().
The resulting buffer-overflow is limited by the my_strupr function,
which converts all the chars to upper case, but during my tests with
GDB I was able to overwrite a return address with the original string
using a longer filename.
The attacker needs to know the right keyword if the server is protected
by password.
IP banning doesn't protect against this attack because it's a
subsequent check, so an attacker can exploit any server from which he
is banned.

From server/src/w_wad.cpp (X-Doom / Zdaemon 1.06):

char *wad_check::is_client_wad_ok(const char *fname,const byte *csum)
{
    int i;
    char temp[256];
    static char errmsg[512];

    strcpy(temp,plain_filename(fname));
    my_strupr(temp);
    if ( (i=find(fname)) < 0 )
    {
        sprintf(errmsg,"\nYou should not load \"%s\" on this server.\nGet rid of it!\n",temp);
        return errmsg;
    }
    ...



B] Invalid memory access in ZD_MissingPlayer, ZD_UseItem and
   ZD_LoadNewClientLevel/ZD_ValidClient


Zdaemon supports many commands for playing, like changing the player
name, chatting, moving, selecting weapons and so on... just like any
common multiplayer game.
The functions ZD_MissingPlayer, ZD_UseItem and ZD_ValidClient
(exploitable through ZD_LoadNewClientLevel) read an 8-bit number from
the client which is used to select a specific player slot or item and
then perform some operations on it.
The server uses 16 slots (MAXPLAYERS) and less than 40 items
(NUMARTIFACTS), so if an attacker uses an invalid number the server
crashes immediately after trying to access an invalid memory zone.
This is an in-game bug, so all the requirements for accessing the
server (correct md5 hashes of the wads, password and no banning) must be
met or it can't be exploited.

From server/src/sv_main.cpp (X-Doom / Zdaemon 1.06):

void ZD_MissingPlayer(void)
{
    int pnum = ZD_ReadByte();   // the player that our client is missing
    int cl = parse_cl;
    player_t*   player = &players[pnum];

    if (!playeringame[pnum])
    {
        Printf("ZD_MissingPlayer: BIG PROBLEM!!\n");
        return;
    }
    ZDOP.Init();
    if (player->isbot)
    ...

void ZD_UseItem(void)
{
    int which = ZD_ReadByte();
    int i;

    // None left!
    if (players[parse_cl].inventory[which] <= 0)
    ...

static void ZD_LoadNewClientLevel(char *levelname, int i)
{
    player_s    *pli;

    if (!ZD_ValidClient(i)) return;
    ...

bool ZD_ValidClient(int i)
{
    return (playeringame[i] && !players[i].isbot);
}


###

===
3) The Code
===


A] http://aluigi.altervista.org/poc/zdaebof.zip


B] Add the following code at line 179 of my Zdaemon Fake Players DoS:

for(i = 0; i < 256; i++) {
p = buff;
*p++ = 0xff;
*p++ = cl_missingplayer;// cl_

[Full-disclosure] !ADVISORY! * -Thu Mar 16 14:26:51 EST 2006- * Local Privilege Escalation Vulnerability in Snort

2006-03-16 Thread Luigi Auriemma



!ADVISORY! * -Thu Mar 16 14:26:51 EST 2006- * Local Privilege Escalation 
Vulnerability in Snort




==
1. History
==
16/2/2006 - Vendor Reply.
16/3/2006 - Public Disclosure.
==
2. Vendor Response
==
Snort had extended no identified explanation.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Multiple vulnerabilities in ENet library (Jul 2005)

2006-03-12 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  ENet library
  http://enet.bespin.org
Versions: <= Jul 2005 (it's the current CVS version)
Platforms:Windows, *nix, *BSD and more
Bugs: A] invalid memory access (32 bit)
  B] allocation abort with fragment
Exploitation: remote
Date: 12 Mar 2006
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


ENet is a powerful open source library for handling UDP connections (it
can be described as almost a sort of TCP over UDP).
It's widely used in some games and engines like Cube, Sauerbraten,
Duke3d_w32 and others.


###

===
2) Bugs
===

-
A] invalid memory access (32 bit)
-

ENet uses 32-bit numbers for almost all the parameters in its packets,
like fragment offsets, data size, timestamps, challenge numbers and so
on.
Each packet received by the library (enet_host_service) is handled by
the enet_protocol_handle_incoming_commands function.
This function uses a pointer (currentData) which points to the current
command; each packet can contain one or more commands which describe
operations like a connection request, an acknowledgement, a fragment, a
message and more.
The instruction which checks this pointer, to prevent it from pointing
beyond the received packet, can be bypassed through a big (negative on a
32-bit CPU) header.commandLength parameter.
After the check has been bypassed, currentData will point to an invalid
zone of memory, and when the cycle continues with the subsequent
command (commandCount must be greater than one) the application will
crash.
64-bit CPUs should not be vulnerable.

From enet_protocol_handle_incoming_commands in protocol.c:
...
    currentData = host -> receivedData + sizeof (ENetProtocolHeader);

    while (commandCount > 0 &&
           currentData < & host -> receivedData [host -> receivedDataLength])
    {
       command = (ENetProtocol *) currentData;

       if (currentData + sizeof (ENetProtocolCommandHeader) > & host -> receivedData [host -> receivedDataLength])
         return 0;

       command -> header.commandLength = ENET_NET_TO_HOST_32 (command -> header.commandLength);

       if (currentData + command -> header.commandLength > & host -> receivedData [host -> receivedDataLength])
         return 0;

       -- commandCount;
       currentData += command -> header.commandLength;
...


-
B] allocation abort with fragment
-

ENet also supports the handling of fragments, used to build messages
bigger than the receiver's MTU.
When a fragment is received the library allocates the total message
size in memory so it can easily rebuild all the subsequent fragments in
this buffer.
If the total data size specified by the attacker cannot be allocated,
the library calls abort() and the whole program terminates.

From enet_protocol_handle_send_fragment in protocol.c:
...
    startCommand = enet_peer_queue_incoming_command (peer, & hostCommand,
                     enet_packet_create (NULL, totalLength, ENET_PACKET_FLAG_RELIABLE),
                     fragmentCount);


###

===
3) The Code
===


http://aluigi.altervista.org/poc/enetx.zip


###

==
4) Fix
==


No fix.
No reply from the developers.


###


--- 
Luigi Auriemma
http://aluigi.altervista.org
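As an added illustration for ENet bugs A and B above (example code, not ENet's), the same command walk written with remaining-length arithmetic instead of pointer addition, so a huge commandLength cannot wrap past the buffer end, plus a bound on the fragment total length checked before anything is allocated. The 2-byte/4-byte header sizes, the 1 MiB cap and the function names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Layout assumed for this example (constructed, not ENet's real one):
 * a 2-byte packet header followed by commands whose first 4 bytes are a
 * big-endian commandLength that counts the command header itself. */
#define PKT_HDR_LEN 2
#define CMD_HDR_LEN 4

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Walk the commands in one received packet.  Returns the number of
 * commands accepted, or -1 on the first malformed one.
 * The page's check adds an attacker-controlled 32-bit length to a pointer
 * and compares the sum with the buffer end; on a 32-bit CPU the sum can
 * wrap and the check passes.  Here every test is on lengths (size_t):
 * "remaining" is what is left of the packet, and commandLength must fit
 * inside it, so no wraparound is possible. */
int walk_commands(const uint8_t *data, size_t len, unsigned commandCount)
{
    if (len < PKT_HDR_LEN)
        return -1;
    size_t off = PKT_HDR_LEN;
    int accepted = 0;

    while (commandCount > 0 && off < len) {
        size_t remaining = len - off;        /* cannot underflow: off < len */
        if (remaining < CMD_HDR_LEN)
            return -1;                        /* truncated command header */

        uint32_t cmdlen = read_be32(data + off);
        /* A command shorter than its own header would stall the loop;
         * one longer than the rest of the packet would read past it. */
        if (cmdlen < CMD_HDR_LEN || cmdlen > remaining)
            return -1;

        off += cmdlen;
        commandCount--;
        accepted++;
    }
    return accepted;
}

/* The fragment case: the total message length requested by the first
 * fragment is bounded before anything is allocated, and it must be
 * consistent with the fragment count, so a bogus size fails early instead
 * of reaching abort() on a failed allocation.  The cap is a constructed
 * value for this example. */
#define MAX_FRAGMENTED_MESSAGE (1u << 20)

bool fragment_request_ok(uint32_t totalLength, uint32_t fragmentCount,
                         uint32_t fragmentLength)
{
    if (totalLength == 0 || totalLength > MAX_FRAGMENTED_MESSAGE)
        return false;
    if (fragmentCount == 0 || fragmentLength == 0)
        return false;
    /* 64-bit arithmetic: the rounded-up division cannot overflow. */
    uint64_t expected = (totalLength + (uint64_t)fragmentLength - 1) / fragmentLength;
    return expected == fragmentCount;
}
```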


[Full-disclosure] Multiple vulnerabilities in Alien Arena 2006 GE 5.00

2006-03-07 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Alien Arena 2006 Gold Edition
  http://red.planetarena.org
Versions: <= 5.00
Platforms:Windows and Linux
Bugs: A] safe_cprintf server format string
  B] Cmd_Say_f server buffer-overflow
  C] Com_sprintf crash
Exploitation: A] remote, versus server (in-game)
  B] remote, versus server (in-game)
  C] remote, versus clients and server (in-game)
Date: 07 Mar 2006
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


Alien Arena 2006 GE is the latest release of the CodeRED series, an
open source game developed on an enhanced version (CRX engine) of the
GPLed Quake II engine.
The game supports both LAN and Internet multiplayer.


###

===
2) Bugs
===


All the bugs need to be exploited in-game, so the attacker's IP must
not be banned and he must know the right keyword if the server is
protected by password.
I have found no ways to exploit them "externally".



A] safe_cprintf server format string


The safe_cprintf() function used by the server for sending messages to
the clients is affected by a format string vulnerability which could
allow the execution of malicious code.
After having built the output string, the function passes it as the
format argument (yes, it's just like a double sprintf) to gi.cprintf() ->
"void PF_cprintf (edict_t *ent, int level, char *fmt, ...)".

From games/acesrc/acebot_cmds.c:
void safe_cprintf (edict_t *ent, int printlevel, char *fmt, ...)
{
    char    bigbuffer[0x1];
    va_list argptr;
    int     len;

    if (ent && (!ent->inuse || ent->is_bot))
        return;

    va_start (argptr,fmt);
    len = vsprintf (bigbuffer,fmt,argptr);
    va_end (argptr);

    gi.cprintf(ent, printlevel, bigbuffer);

}


---
B] Cmd_Say_f server buffer-overflow
---

The function Cmd_Say_f is used by the server for handling the text
messages received from the clients.
Cmd_Say_f uses a buffer of 2048 bytes into which it puts the nickname of
the player who has sent the message, using the (secure enough)
Com_sprintf() function, followed by strcat() for appending the received
message.
These instructions allow an attacker to exploit the resulting
buffer-overflow for executing malicious code.

From source/game/g_cmds.c:
void Cmd_Say_f (edict_t *ent, qboolean team, qboolean arg0)
{
    int     i, j;
    edict_t *other;
    char    *p;
    char    text[2048];
    gclient_t *cl;

    if (gi.argc () < 2 && !arg0)
        return;

    if ((!((int)(dmflags->value) & (DF_MODELTEAMS | DF_SKINTEAMS)))
        || (!ctf->value)) team = false;

    if (team)
        Com_sprintf (text, sizeof(text), "(%s): ", ent->client->pers.netname);
    else
        Com_sprintf (text, sizeof(text), "%s: ", ent->client->pers.netname);

    if (arg0)
    {
        strcat (text, gi.argv(0));
        strcat (text, " ");
        strcat (text, gi.args());
    }
    else
    {
        p = gi.args();

        if (*p == '"')
        {
            p++;
            p[strlen(p)-1] = 0;
        }
        strcat(text, p);
    }
...



C] Com_sprintf crash


The Com_sprintf() function is a custom snprintf() replacement widely
used in the code.
The only problem of this function (usually bigbuffer is big enough so
it doesn't represent a risk) is caused by the final strncpy() call, which
is not followed by an instruction for terminating dest with a NULL byte.
Often, depending on the system/compiler, this omission leads to a crash.
In my tests I was able to crash the precompiled Windows clients
without problems through a skin name of about 110 chars (MAX_OSPATH is 128).
In fact one of the best ways of exploiting this bug is just using a
player with a long skin, weapon or model name, so any client which is
inside or will join the server while the attacker is playing will be
crashed immediately.
In this case we can watch the exploitation in the function
CL_LoadClientinfo() located in client/cl_parse.c.

From source/game/q_shared.c:
void Com_s
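For the three Alien Arena bugs above, an added example (not the game's code) of the corrected patterns side by side: a Com_sprintf-style helper that terminates dest after strncpy(), a bounded append in place of the strcat() calls in Cmd_Say_f, and a safe_cprintf that passes the built message under a fixed "%s" format. The gi.cprintf stand-in, the scratch buffer size and all function names are assumptions made for this example.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BIGBUFFER_SIZE 4096   /* assumed scratch size for this example */

/* Hardened Com_sprintf-style helper.  It formats into a scratch buffer,
 * copies at most size-1 bytes into dest and then writes the terminator
 * the advisory says the original strncpy() call leaves out.
 * Returns true only if the whole string fit (no truncation). */
bool com_sprintf_safe(char *dest, size_t size, const char *fmt, ...)
{
    char bigbuffer[BIGBUFFER_SIZE];
    va_list argptr;
    int len;

    if (size == 0)
        return false;
    va_start(argptr, fmt);
    len = vsnprintf(bigbuffer, sizeof bigbuffer, fmt, argptr);
    va_end(argptr);
    if (len < 0) {
        dest[0] = '\0';
        return false;
    }
    strncpy(dest, bigbuffer, size - 1);
    dest[size - 1] = '\0';            /* the missing NUL termination */
    return (size_t)len < size;
}

/* Bounded replacement for the strcat() calls in Cmd_Say_f: never writes
 * past dest[size-1] and always leaves dest terminated.
 * Returns false if src had to be truncated. */
bool strcat_bounded(char *dest, size_t size, const char *src)
{
    const char *end = memchr(dest, '\0', size);
    if (end == NULL)
        return false;                 /* dest is not a terminated string */
    size_t used = (size_t)(end - dest);
    size_t room = size - used - 1;
    size_t n = strlen(src);
    size_t copy = n < room ? n : room;
    memcpy(dest + used, src, copy);
    dest[used + copy] = '\0';
    return copy == n;
}

/* Stand-in for gi.cprintf (hypothetical): it records the format string it
 * receives so a caller can verify that player text is never the format. */
static const char *last_fmt;
static char last_out[256];

static void fake_cprintf(const char *fmt, ...)
{
    va_list ap;
    last_fmt = fmt;
    va_start(ap, fmt);
    vsnprintf(last_out, sizeof last_out, fmt, ap);
    va_end(ap);
}

/* Hardened safe_cprintf: the already-formatted text goes through a fixed
 * "%s" format as an argument, instead of being reused as the format. */
void safe_cprintf_fixed(const char *fmt, ...)
{
    char bigbuffer[BIGBUFFER_SIZE];
    va_list argptr;
    va_start(argptr, fmt);
    vsnprintf(bigbuffer, sizeof bigbuffer, fmt, argptr);
    va_end(argptr);
    fake_cprintf("%s", bigbuffer);
}

const char *last_cprintf_format(void) { return last_fmt; }
const char *last_cprintf_output(void) { return last_out; }

/* Hardened Cmd_Say_f core: "netname: message" assembled into the game's
 * 2048-byte text buffer with bounded calls only.  Returns false on
 * truncation so the caller can drop or shorten the message. */
bool build_say_line(char *text, size_t size, const char *netname,
                    const char *msg)
{
    bool fit = com_sprintf_safe(text, size, "%s: ", netname);
    return strcat_bounded(text, size, msg) && fit;
}
```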

[Full-disclosure] Multiple vulnerabilities in Cube engine 2005_08_29

2006-03-06 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Cube engine
  http://www.cubeengine.com
Versions: <= 2005_08_29
Platforms:Windows, *nix, *BSD and MacOS
Bugs: A] sgetstr() buffer-overflow
  B] invalid memory access
  C] clients crash through invalid map
Exploitation: remote, versus both server and clients
Date: 06 Mar 2006
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


Cube is an interesting open source game and engine developed by Wouter
van Oortmerssen (http://strlen.com).
It supports both LAN and Internet multiplayer through its master
server.


###

===
2) Bugs
===


A] sgetstr() buffer-overflow


The game uses an unchecked function for reading the strings from the
incoming data.
The function is sgetstr() located in cube.h:

  #define sgetstr() { char *t = text; do { *t = getint(p); } while(*t++); }

The problem, which affects both server and clients, is that this code
copies the input data over the text buffer of size MAXTRANS (5000 bytes),
allowing possible malicious code execution.



B] invalid memory access


sgetstr(), getint() and the instructions which call them don't check
the correct length of the input data.
In short it is possible to force the server or the client to read beyond
the received data, reaching unallocated zones of memory and so crashing
immediately.
The biggest example in the Cube engine is the SV_EXT tag used in the
server, where a 32-bit number is read from the input data and then a
reading loop is performed:

  for(int n = getint(p); n; n--) getint(p);



C] clients crash through invalid map


In the Cube engine the players have the possibility to choose a
specific map on which to play; if there is only one player in the
server the map is changed immediately, otherwise it will be voted on.
When a client tries to load an invalid map file it exits immediately
showing the "while reading map: header malformatted" error.
When the map is chosen all the clients add a .ogz extension to the
mapname received from the server and load the file.
The max size of the mapname is 260 bytes and the function which loads
the file uses a secure sprintf() which truncates the input mapname
(.ogz included) when the limit is reached.
Then the loading of the map is not sanitized against possible directory
traversal exploitations, so if an attacker (a player) specifies a
mapname of about 260 bytes he can force any client which will join the
server (due to the voting problem explained previously, which limits the
exploitation of this bug) to load any file which is not a valid map and
so they will exit immediately.
As already said, the exploitation happens with any new client which
joins the server since the new mapname will remain active in the server
for all the current match.


###

===
3) The Code
===


http://aluigi.altervista.org/poc/evilcube.zip


###

==
4) Fix
==


No fix.
The author says that the engine is no longer supported.


###


--- 
Luigi Auriemma
http://aluigi.altervista.org


[Full-disclosure] Multiple vulnerabilities in Liero Xtreme 0.62b

2006-03-06 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Liero Xtreme
  http://lieroxtreme.thegaminguniverse.com
Versions: <= 0.62b
Platforms:Windows
Bugs: A] server crash/freeze
  B] format string in the visualization function
Exploitation: A] remote, versus server
  B] local/remote, versus clients
Date: 06 Mar 2006
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


Liero Xtreme (aka Lierox) is a freeware clone of the classic DOS game
called Liero, and is mainly focused on the possibility of expanding and
customizing the game through mods, levels and skins.
Both LAN and Internet multiplayer (through the master server) are
supported.


###

===
2) Bugs
===

--
A] server crash/freeze
--

The server can be easily crashed or frozen using a long string with
the "connect" command.
The problem is caused by the instructions used by the game for handling
the data of this command, which in some cases lead to the immediate
crash of the server or to a loop which freezes the game.


--
B] format string in the visualization function
--

The client's function which visualizes the messages on the screen
(0x004052d0) is affected by a format string vulnerability which can be
used to execute malicious code.
There are different ways of exploiting this bug but the most interesting
are the following:
- joining a server using a properly formatted nickname (like %n%n%n%n
  or %02000x) which will be visualized by all the clients currently in
  the server and all the others which will join while the attacker is
  playing.
  In this type of exploitation, if the server is protected by password
  the attacker must know the right keyword.
- hosting a dedicated server visible on the master server (default)
  with a formatted name, so any client which enters the "Join
  Internet Server" menu will be exploited immediately.
- creating a level file (.lxl extension) with a properly formatted
  mapname.
  Due to the game's focus on modding this exploitation is very
  good too.


###

===
3) The Code
===


  http://aluigi.altervista.org/poc/lieroxxx.zip

For bug B my proof-of-concept exploits only the first method I have
explained; for the other two it is enough to:

- open the config\config.cfg file and add %03000x where the server's
  name (Server.Name) is specified, and then launch the dedicated server
- take the "userdata\levels\Dirt Level.lxl" file and overwrite the
  bytes at offset 36 with the string %03000x


###

==
4) Fix
==


No fix.
No reply from the developers.


###


--- 
Luigi Auriemma
http://aluigi.altervista.org


[Full-disclosure] Multiple vulnerabilities in Sauerbraten engine 2006_02_28

2006-03-06 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Sauerbraten engine
  http://sauerbraten.org
Versions: <= 2006_02_28 and current CVS
Platforms:Windows, *nix, *BSD and MacOS
Bugs: A] sgetstr() buffer-overflow
  B] invalid memory access
  C] clients crash through invalid map
  D] crash through unconnected client
Exploitation: remote, versus both server and clients
Date: 06 Mar 2006
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


Sauerbraten is the evolution of the Cube engine
(http://www.cubeengine.com) developed by Wouter van Oortmerssen
(http://strlen.com); in fact it can also be described as "Next-Gen Cube"
or "Cube 2".
It supports both LAN and Internet multiplayer through its master
server.


###

===
2) Bugs
===


A] sgetstr() buffer-overflow


The game uses an unchecked function for reading the strings from the
incoming data.
The function is sgetstr() located in shared/cube.h:

  #define sgetstr() { char *t = text; do { *t = getint(p); } while(*t++); }

The problem, which affects both server and clients, is that this code
copies the input data over the text buffer of size MAXTRANS (5000 bytes),
allowing possible malicious code execution.



B] invalid memory access


sgetstr(), getint() and the instructions which call them don't check
the correct length of the input data.
In short it is possible to force the server or the client to read beyond
the received data, reaching unallocated zones of memory and so crashing
immediately.



C] clients crash through invalid map


In the Sauerbraten engine the players have the possibility to choose a
specific map on which to play; if there is only one player in the
server the map is changed immediately, otherwise it will be voted on.
When a client tries to load an invalid map file it exits immediately
showing the "while reading map: header malformatted" error.
When the map is chosen all the clients add a .ogz extension to the
mapname received from the server and load the file.
The max size of the mapname is 260 bytes and the function which loads
the file uses a secure sprintf() which truncates the input mapname
(.ogz included) when the limit is reached.
Then the loading of the map is not sanitized against possible directory
traversal exploitations, so if an attacker (a player) specifies a
mapname of about 260 bytes he can force any client which will join the
server (due to the voting problem explained previously, which limits the
exploitation of this bug) to load any file which is not a valid map and
so they will exit immediately.
As already said, the exploitation happens with any new client which
joins the server since the new mapname will remain active in the server
for all the current match.


---
D] crash through unconnected client
---

A partially connected client can easily crash the Sauerbraten server.
This bug is caused by the following instruction in engine/server.cpp:

  int num = ((client *)event.peer->data)->num;

In short when the connection times out the server tries to show the
host of the disconnected client ignoring that it has never joined.
The effect is the reading of an unallocated zone of the memory.


###

===
3) The Code
===


http://aluigi.altervista.org/poc/sauerburn.zip


###

==
4) Fix
==


The developers will soon release a fix, only for the buffer-overflow
bug.


#######


--- 
Luigi Auriemma
http://aluigi.altervista.org
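For the sgetstr()/getint() bugs A and B of both the Cube and the Sauerbraten advisories above, an added example (not the engines' code) of a bounded reader that tracks the end of the received packet, always terminates the text buffer, and rejects an SV_EXT-style count larger than the bytes left before looping. The variable-length int encoding is modelled on Cube's and is an assumption, as are the names used here.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAXTRANS 5000   /* text buffer size named in the advisories */

/* Cursor over one received packet (constructed for this example; the
 * engine's getint()/sgetstr() work on a bare char pointer with no end). */
typedef struct {
    const uint8_t *p;
    const uint8_t *end;
    bool overrun;          /* set once a read would pass the end */
} reader;

void reader_init(reader *r, const uint8_t *buf, size_t len)
{
    r->p = buf;
    r->end = buf + len;
    r->overrun = false;
}

static bool reader_byte(reader *r, uint8_t *out)
{
    if (r->p >= r->end) {
        r->overrun = true;
        return false;
    }
    *out = *r->p++;
    return true;
}

/* Bounded getint().  The encoding is modelled on Cube's (an assumption):
 * one signed byte, with -128 introducing a 16-bit value and -127 a 32-bit
 * value, both little-endian.  On a short read it flags overrun and
 * returns 0 rather than reading past the buffer. */
int reader_getint(reader *r)
{
    uint8_t c, b[4];
    if (!reader_byte(r, &c))
        return 0;
    int8_t s = (int8_t)c;
    if (s == -128) {
        for (int i = 0; i < 2; i++)
            if (!reader_byte(r, &b[i])) return 0;
        return (int16_t)(b[0] | (b[1] << 8));
    }
    if (s == -127) {
        for (int i = 0; i < 4; i++)
            if (!reader_byte(r, &b[i])) return 0;
        return (int32_t)((uint32_t)b[0] | ((uint32_t)b[1] << 8) |
                         ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24));
    }
    return s;
}

/* Bounded sgetstr(): stops at the NUL, when the input runs out, or when
 * dst is full.  dst is always terminated.  Returns true only for a
 * complete, untruncated string. */
bool reader_getstr(reader *r, char *dst, size_t dstlen)
{
    if (dstlen == 0)
        return false;
    size_t i = 0;
    for (;;) {
        int v = reader_getint(r);
        if (r->overrun) {               /* input ended mid-string */
            dst[i] = '\0';
            return false;
        }
        if (i + 1 >= dstlen) {          /* text buffer full: truncate */
            dst[i] = '\0';
            return false;
        }
        dst[i++] = (char)v;
        if (v == 0)
            return true;
    }
}

/* The SV_EXT-style loop from the advisory, made safe: since every encoded
 * int occupies at least one byte, a count larger than the bytes remaining
 * is rejected before the loop starts, and a short read ends it. */
bool reader_skip_ints(reader *r, int n)
{
    if (n < 0 || (size_t)n > (size_t)(r->end - r->p))
        return false;
    while (n-- > 0) {
        reader_getint(r);
        if (r->overrun)
            return false;
    }
    return true;
}
```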


[Full-disclosure] Out of memory crash in Freeciv 2.0.7

2006-03-06 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Freeciv
  http://www.freeciv.org
Versions: <= 2.0.7
Platforms:Windows, *nix, *BSD, MacOS and more
Bug:  bad memory allocation
Exploitation: remote, versus server
Date: 06 Mar 2006
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


Freeciv is an open source clone of the well known Civilization game.
The game also supports online gaming through its own metaserver (which
can also be seen on the web) and GGZ (http://www.ggzgamingzone.org).


###

==
2) Bug
==


Freeciv supports both plain and compressed data (admins can disable
this feature only by recompiling the server from the source code with
USE_COMPRESSION undefined).
When the server receives jumbo data (size set to 0x) it reads
the subsequent 32-bit number which identifies the size of the
compressed data.
Then it makes a signed comparison to know if the compressed size is
greater than the data received; if the client uses a negative compressed
size value it will be able to bypass this check.
After having subtracted 6 bytes (header size) from this number, the
server tries to allocate the memory needed for decompressing the data,
which is fixed at 100 times this size.
If the memory cannot be allocated the server terminates or freezes,
showing an out of memory message.


###

===
3) The Code
===


http://aluigi.altervista.org/poc/freecivdos.zip


###

==
4) Fix
==


Version 2.0.8


###


--- 
Luigi Auriemma
http://aluigi.altervista.org
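For the Freeciv bug above, an added example (not Freeciv's code) showing why the signed comparison the advisory describes lets a "negative" compressed size through, beside the unsigned check with a cap on the 100x decompression buffer. The 0xFFFF jumbo marker, the big-endian header layout, the 4 MiB cap and the names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define JUMBO_HEADER_SIZE  6            /* 2-byte size field + 4-byte compressed size, per the advisory */
#define DECOMPRESS_FACTOR  100          /* the server allocates 100x the compressed size */
#define MAX_COMPRESSED_LEN (4u << 20)   /* 4 MiB cap, a constructed value for this example */
#define JUMBO_MARKER       0xFFFFu      /* assumed 16-bit size value meaning "jumbo" */

/* The comparison as the advisory describes it: both sides signed, so a
 * compressed size with the top bit set is negative and is never "greater
 * than" the bytes received.  Returns true when the packet is rejected. */
bool jumbo_rejected_signed(uint32_t declared, size_t received)
{
    return (int32_t)declared > (int)received;
}

/* Same decision with unsigned arithmetic: a "negative" value is simply a
 * huge one and fails the comparison.  Also refuses sizes smaller than the
 * header (so the subtraction cannot underflow) and sizes whose 100x
 * decompression buffer would exceed the cap. */
typedef struct {
    bool   ok;
    size_t compressed_len;   /* payload bytes after the 6-byte header */
    size_t alloc_len;        /* buffer the decompressor may request */
} jumbo_check;

jumbo_check check_jumbo(uint32_t declared, size_t received)
{
    jumbo_check c = { false, 0, 0 };
    if (declared < JUMBO_HEADER_SIZE || declared > received)
        return c;
    uint32_t payload = declared - JUMBO_HEADER_SIZE;
    if (payload > MAX_COMPRESSED_LEN)
        return c;
    c.ok = true;
    c.compressed_len = payload;
    c.alloc_len = (size_t)payload * DECOMPRESS_FACTOR;
    return c;
}

/* Parse the on-wire header (big-endian, constructed layout): returns false
 * unless len covers a full jumbo header with the marker set. */
bool parse_jumbo_header(const uint8_t *buf, size_t len, uint32_t *declared)
{
    if (len < JUMBO_HEADER_SIZE)
        return false;
    uint16_t size16 = (uint16_t)((buf[0] << 8) | buf[1]);
    if (size16 != JUMBO_MARKER)
        return false;
    *declared = ((uint32_t)buf[2] << 24) | ((uint32_t)buf[3] << 16) |
                ((uint32_t)buf[4] << 8)  |  (uint32_t)buf[5];
    return true;
}
```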


[Full-disclosure] Soldier of Fortune II format string through PunkBuster 1.180

2006-02-16 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Soldier of Fortune II with PunkBuster enabled
  http://www.ravensoft.com/soldier2.html
  http://www.PunkBuster.com
Versions: PB for server <= 1.180
Platforms:Windows, Linux and Mac
Bug:  format string
Exploitation: remote, versus server (in-game)
Date: 16 Feb 2006
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


PunkBuster is a loved/hated anti-cheat system developed by Even Balance
(http://www.evenbalance.com) and officially used in many widespread games
like America's Army, Battlefield 1942/Vietnam/II, Call of Duty, Doom 3
and almost all the games based on the Quake 3 engine.

Although the bug I have found has been exploited only in Soldier of
Fortune II, I cannot exclude other games which I have not tested
personally (no reply from the vendor).


###

==
2) Bug
==


The PunkBuster server module supports the automatic kick and ban of the
players which use invalid cvars, for example with values outside the
range specified by the server.
When this situation occurs PB kicks the client using the game's
functions (like a clientkick command).
The message sent to the client contains both the name of the monitored
cvar and its value on the client; the resulting string is identified as
"reason".

The problem is that naturally Soldier of Fortune II makes no checks on
the "reason" parameter (see trap_DropClient) which is passed by PB or
by the server admin for kicking a player, so the subsequent sprintf()
call is vulnerable to a format string attack.

Normally there is no way to exploit this bug if you are not the server
administrator (typing: clientkick 0 %n%n%n%n%n), but PunkBuster is the
way which allows any player inside the server to crash or possibly take
control of the remote system.


###

===
3) The Code
===


- launch a client
- join a server (naturally with PunkBuster enabled)
- type /pb_cvarlist
- choose one of the monitored cvars like "snaps" for example
- type:/set CVAR %n%n%n%n%n%n
  example: /set snaps %n%n%n%n%n%n
- the server will crash after a few seconds during the kicking of the
  client


###

==
4) Fix
==


Evenbalance has silently fixed the bug after my report, but I have
received no reply and there are no details on the PunkBuster website
about this bug or what exactly has been patched.
On the same day updated PB servers for other games were also released.
No comment...


###


--- 
Luigi Auriemma
http://aluigi.altervista.org


[Full-disclosure] Socket termination in Battle Carry .005

2005-11-02 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Battle Carry
  http://www.battlecarry.com
Versions: <= .005
Platforms:Windows
Bug:  socket termination
Exploitation: remote, versus server
Date: 02 Nov 2005
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


Battle Carry is a tank war game developed by AFSL Games
(http://www.afslgames.com) and released in October 2005.


###

==
2) Bug
==


A packet bigger than 8192 bytes causes a socket error in the Python
code used to handle the server, which immediately terminates the socket
and interrupts the listening on the UDP port where the packet was
received.


###

===
3) The Code
===


http://aluigi.altervista.org/poc/bcarrydos.zip


###

==
4) Fix
==


No fix.
The developers have been contacted, but after the only mail I received I
have not heard from them again, so I don't know when and if a patch will
be released.


###


--- 
Luigi Auriemma 
http://aluigi.altervista.org 


[Full-disclosure] Buffer-overflow and crash in FlatFrag 0.3

2005-11-02 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  FlatFrag
  http://www.tzi.de/~jfk/projects/flatfrag/
Versions: <= 0.3
Platforms:Windows, Linux and more
Bugs: A] buffer-overflow
  B] NULL pointer crash
Exploitation: remote, versus server
Date: 02 Nov 2005
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


FlatFrag is an open source multiplayer tank game developed by Johannes
Kuhlmann.


###

===
2) Bugs
===

--
A] buffer-overflow
--

The receiver() function in server/loop.c contains 3 buffer-overflows
caused by the usage of strcpy() for copying the version, the name and
the model sent by the client into 3 buffers of respectively 64, 32 and 32
bytes.


-
B] NULL pointer crash
-

When the server receives the NT_CONN_OK command from an unconnected
client it calls net_on_receive(NULL, NULL), which is a function pointer
that reads the data contained in the stream passed as second argument.
The problem is just the NULL pointers passed to the function, which
lead to the immediate crash of the server.


###

===
3) The Code
===


http://aluigi.altervista.org/poc/flatfragz.zip


###

==
4) Fix
==


No fix.
The bugs will be patched in the next version.


###


--- 
Luigi Auriemma 
http://aluigi.altervista.org 


[Full-disclosure] Buffer-overflow and directory traversal in Asus Video Security 3.5.0.0

2005-11-02 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Asus Video Security
  http://www.asus.com/products1.aspx?l1=2&share=icon/12
Versions: <= 3.5.0.0
  (the version numbering is chaotic; this one seems the most
  recent, but there is no official website with the
  latest updates and Asus didn't reply to me)
Platforms:Windows
Bugs: A] authorization buffer-overflow
  B] directory traversal
Exploitation: remote
Date: 02 Nov 2005
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


Asus Video Security is a monitoring software bundled with Asus graphic
cards.
By default the built-in web server is disabled so these bugs can be
exploited "only" if it has been manually activated.


###

===
2) Bugs
===


A] authorization buffer-overflow


There is a buffer-overflow which happens during the handling of the
decoded (base64) username:password string sent to a password protected
ASUS Video Security web server.
The server is not vulnerable if it doesn't use authorization.


--
B] directory traversal
--

The built-in web server is also vulnerable to a classical directory
traversal bug which allows an attacker to download any file in the disk
where the program is installed.
That's possible through the usage of the dot-dot-slash and backslash
patterns (HTTP encoded chars are not allowed in the web server).
If the server is protected with password the attacker must know the
right keyword.


###

===
3) The Code
===


http://aluigi.altervista.org/poc/asusvsbugs.zip


###

==
4) Fix
==


No fix.
No reply from the vendor.


#######


--- 
Luigi Auriemma 
http://aluigi.altervista.org 


[Full-disclosure] Limited directory traversal in NeroNET 1.2.0.2

2005-11-02 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  NeroNET
  http://www.nero.com
Versions: <= 1.2.0.2
Platforms:Windows
Bug:  limited directory traversal
Exploitation: remote
Date: 02 Nov 2005
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


NeroNET is a web server which allows Nero users to use a CD/DVD burner
remotely.


###

==
2) Bug
==


The program is affected by a classical directory traversal bug which
can be exploited by anyone, since the directories used as base for the
attack (www and status) are public and do NOT require authorization.
Both slash and backslash and the corresponding HTTP encoded chars are
allowed.
The limitation of this bug is that only some file extensions are
allowed:

  nri, nrg, zip, dvi, rtf, ppt, pdf, mpe, mpeg, mpg, mov, qt, vob, avi,
  wav, mp3, bmp, tiff, tif, jpe, jpeg, jpg, gif, log, txt, sdp, css,
  js, html, htm

The check made by NeroNET is only on the beginning of the extension so
JSP or JSWHATYOUWANT are allowed extensions since JS is in the list.


###

===
3) The Code
===


  http://host/www/..%2f..%5c..//folder/file.txt


###

==
4) Fix
==


No fix.
No reply from the vendor.


###


--- 
Luigi Auriemma 
http://aluigi.altervista.org 


[Full-disclosure] Buffer-overflow in Glider collect'n kill 1.0.0.0

2005-11-02 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Glider collect'n kill
  http://www.glider-game.com
Versions: 1.0.0.0
Platforms:Windows
Bug:  buffer-overflow
Exploitation: remote, versus server
Date: 02 Nov 2005
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


Glider collect'n kill is a high speed flight shooter developed by
REVOgames (http://www.revogames.com) and released in October 2005.


###

==
2) Bug
==


A buffer-overflow happens during the copying of the player name sent by
the clients with the gl_playerEnter command in a buffer of about 4
kilobytes.


###

===
3) The Code
===


http://aluigi.altervista.org/poc/gliderbof.zip


###

==
4) Fix
==


No fix.
No reply from the vendor.


###


--- 
Luigi Auriemma 
http://aluigi.altervista.org 


[Full-disclosure] Multiple vulnerabilities in Scorched 3D 39.1

2005-11-02 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Scorched 3D
  http://www.scorched3d.co.uk
Versions: <= 39.1 (bf)
Platforms:Windows, Linux, MacOS, FreeBSD and Solaris
Bugs: A] format string and buffer-overflow in addLine and
 SendString*
  B] server freeze through negative numplayers
  C] ComsMessageHandler buffer-overflow
  D] various crashes and possible code execution in
 Logger.cpp
Exploitation: remote, versus server
Date: 02 Nov 2005
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


Scorched 3D is a great and well known open source multiplayer game
inspired by the old classic Scorched Earth.


###

===
2) Bugs
===

---
A] format string and buffer-overflow in addLine and SendString*
---

The game is affected by many format string and buffer-overflow bugs
which are "mainly" located in the GLConsole::addLine, all the
ServerCommon::sendString* and ServerCommon::serverLog functions.
All these functions use vsprintf with static buffers of various lengths
(like 1024, 2048 and 1) and some of them are called from
instructions that pass the user's input (like messages or commands and
values) directly as the format argument, opening the server also to
format string attacks.



B] server freeze through negative numplayers


Scorched 3D clients use a strange field called numplayers used for
creating a specific number of players in the server (although the
client is only one).
The problem is in the usage of a negative numplayers value which first
bypasses the (signed) check used in the code and then freezes the
server, which enters an almost endless loop located in
ServerConnectHandler.cpp:

for (unsigned int i=0; i<numplayers; i++)


###

===
3) The Code
===


http://aluigi.altervista.org/poc/scorchbugs.zip


###

==
4) Fix
==


No fix.
No reply from the developers.


###


--- 
Luigi Auriemma 
http://aluigi.altervista.org 
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Buffer-overflow in GO-Global for Windows 3.1.0.3270

2005-11-02 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  GO-Global for Windows
  http://www.graphon.com/products/GO-GlobalforWindows.shtml
Versions: <= 3.1.0.3270
Platforms:Server:  Windows
  Clients: Windows, Solaris, HP-UX, IBM AIX and Linux
   Java version not vulnerable
Bug:  buffer-overflow
Exploitation: remote, versus server and client
Date: 02 Nov 2005
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


GO-Global for Windows is a server-based thin-client solution.
It allows users to run 32-bit Windows applications remotely from a
server: the application runs entirely on the server but is displayed on
the client.


###

==
2) Bug
==


After the initial handshake, where the type of encryption to use
(_USERSA_) is specified, the application uses 16-bit fields to specify
the length of the subsequent data blocks.
Both the client and the server use a small buffer, which leads to a
buffer-overflow if an attacker uses a data block longer than its size.
Both server and clients are vulnerable.


###

===
3) The Code
===


For testing the "GO-Global for Windows" server:
  http://aluigi.altervista.org/poc/ggwbof.zip

For testing the "GO-Global for Windows" clients:
  http://aluigi.altervista.org/poc/ggwbofc.zip


###

==
4) Fix
==


Version 3.1.0.3281


###


--- 
Luigi Auriemma 
http://aluigi.altervista.org 
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] F.E.A.R. 1.01 likes lithsock

2005-10-21 Thread Luigi Auriemma

F.E.A.R. (First Encounter Assault and Recon, http://www.whatisfear.com)
is the recent FPS game developed by Monolith.

I have known it was vulnerable for many months but I was really curious
to see if the developers were brave enough to leave this old "silent
socket termination" bug unpatched not only in the retail game released
in October but also in the 1.01 patch released just 4 days ago.

The original advisory and proof-of-concept I released back in December
2004 are available here:

  http://aluigi.altervista.org/adv/lithsock-adv.txt
  http://aluigi.altervista.org/poc/lithsock.zip


--- 
Luigi Auriemma 
http://aluigi.altervista.org 
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Buffer-overflow and directory traversal bugs in Virtools Web Player 3.0.0.100

2005-09-30 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Virtools Web Player and probably also other applications
  which can read the Virtools files but I can't test
  http://www.virtools.com
Versions: <= 3.0.0.100
Platforms:Windows (seems also Mac is supported)
Bugs: A] buffer-overflow
  B] directory traversal
Exploitation: remote/local
Date: 30 Sep 2005
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


Virtools is a set of applications for creating games, demos, CAD,
simulations and other multimedia stuff.
Virtools Web Player is the program which allows the usage of these
creations from the net through its implementation in the web browser.


###

===
2) Bugs
===


Besides the scripts, the Virtools packages (for example those with
extension VMO) also contain some additional files like mp3, wav, images
and so on, which are extracted into a temporary folder in the system
temp directory like, for example, c:\windows\temp\VTmp26453


--
A] buffer-overflow
--

There is a buffer-overflow bug which happens during the handling of the
names of the files contained in the Virtools packages.
A filename of at least 262 bytes overwrites the EIP register, allowing
possible execution of malicious code.


--
B] directory traversal
--

As previously said, the files are stored in a temporary directory and
if files with the same names already exist they are fully overwritten.
The problem here is that there are no checks on the filenames, so the
usage of the classical "..\" patterns allows an attacker to overwrite
any file on the disk where the system temp folder is located (usually
c:\).


###

===
3) The Code
===


http://aluigi.altervista.org/poc/virtbugs.zip


###

==
4) Fix
==


Version 3.0.0.101


###


--- 
Luigi Auriemma 
http://aluigi.altervista.org 
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
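
An added example, not Virtools code, for the two bugs above: a member-name check for archive extraction that caps the name length and decides containment by lexically normalizing the joined path and requiring it to stay below the extraction directory, which also catches "..\" sequences that go up and come back down. The 255-byte cap, the component limit and the function names are assumptions; the temp folder is the one named in the advisory.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_MEMBER_NAME 255   /* assumption: a cap below the 262-byte name that overwrites EIP */
#define PATH_CAP 1024
#define MAX_COMP 128

enum member_verdict { MEMBER_OK = 0, MEMBER_BAD_NAME, MEMBER_TOO_LONG, MEMBER_ABSOLUTE, MEMBER_ESCAPES };

/* Lexically normalize a Windows-style path: split on '/' or '\\', drop ""
 * and ".", pop on "..", rebuild with '\\'. `path` is modified. Returns 0
 * when ".." climbs above the start of the string or the result won't fit. */
static int normalize(char *path, char *out, size_t cap) {
    const char *comp[MAX_COMP];
    size_t ncomp = 0, o = 0;
    char *p = path;
    for (;;) {
        char *end = p;
        while (*end && *end != '/' && *end != '\\') end++;
        int last = (*end == '\0');
        *end = '\0';
        if (p[0] == '\0' || strcmp(p, ".") == 0) {
            /* empty or "." component: nothing to record */
        } else if (strcmp(p, "..") == 0) {
            if (ncomp == 0) return 0;
            ncomp--;
        } else {
            if (ncomp == MAX_COMP) return 0;
            comp[ncomp++] = p;
        }
        if (last) break;
        p = end + 1;
    }
    for (size_t i = 0; i < ncomp; i++) {
        size_t l = strlen(comp[i]);
        if (o + l + 2 > cap) return 0;
        if (i) out[o++] = '\\';
        memcpy(out + o, comp[i], l);
        o += l;
    }
    out[o] = '\0';
    return 1;
}

/* Decide whether archive member `name` may be written under `dir`. On
 * MEMBER_OK, `out` holds the normalized destination path. */
enum member_verdict safe_member_path(const char *dir, const char *name, char *out, size_t cap) {
    size_t nlen = strlen(name);
    if (nlen == 0) return MEMBER_BAD_NAME;
    if (nlen > MAX_MEMBER_NAME) return MEMBER_TOO_LONG;
    for (size_t i = 0; i < nlen; i++)
        if ((unsigned char)name[i] < 0x20) return MEMBER_BAD_NAME;
    if (name[0] == '/' || name[0] == '\\' || strchr(name, ':')) return MEMBER_ABSOLUTE;

    char dcopy[PATH_CAP], joined[PATH_CAP], ndir[PATH_CAP], nfull[PATH_CAP];
    if (snprintf(dcopy, sizeof dcopy, "%s", dir) >= (int)sizeof dcopy) return MEMBER_TOO_LONG;
    if (snprintf(joined, sizeof joined, "%s\\%s", dir, name) >= (int)sizeof joined) return MEMBER_TOO_LONG;
    if (!normalize(dcopy, ndir, sizeof ndir) || !normalize(joined, nfull, sizeof nfull)) return MEMBER_ESCAPES;

    /* Containment: the normalized target must be strictly below the normalized directory. */
    size_t dl = strlen(ndir);
    if (strncmp(nfull, ndir, dl) != 0 || nfull[dl] != '\\') return MEMBER_ESCAPES;
    if (snprintf(out, cap, "%s", nfull) >= (int)cap) return MEMBER_TOO_LONG;
    return MEMBER_OK;
}

/* Helpers for the checks below, using the temp folder named in the advisory. */
static const char *const TEMP_DIR = "c:\\windows\\temp\\VTmp26453";
static char resolved_buf[PATH_CAP];

enum member_verdict verdict(const char *name) {
    return safe_member_path(TEMP_DIR, name, resolved_buf, sizeof resolved_buf);
}
const char *resolved(const char *name) {
    return verdict(name) == MEMBER_OK ? resolved_buf : NULL;
}
enum member_verdict long_name_verdict(size_t len) {   /* constructed name of `len` 'A's */
    char name[512];
    if (len >= sizeof name) return MEMBER_TOO_LONG;
    memset(name, 'A', len);
    name[len] = '\0';
    return verdict(name);
}
```

Rejecting every ".." outright would also work, but normalizing and checking containment is what lets "a\..\b.wav" (which stays inside) through while still refusing anything that ends up above the temp folder.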


[Full-disclosure] Server crash and motd deletion in MultiTheftAuto 0.5 patch 1

2005-09-25 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  MultiTheftAuto
  http://www.multitheftauto.com
Versions: <= 0.5 patch 1
Platforms:Windows, Linux, FreeBSD and OpenBSD
Bugs: A] anyone can modify the motd
  B] Windows server crash
Exploitation: remote, versus server
Date: 25 Sep 2005
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


MultiTheftAuto (MTA) is a closed-source mod and server for the games
Grand Theft Auto III (http://www.rockstargames.com/grandtheftauto3/)
and Grand Theft Auto: Vice City
(http://www.rockstargames.com/vicecity/pc/) which adds multiplayer
capabilities to them.


###

===
2) Bugs
===


Both the following bugs are directly related but have been separated
since the effects change between the available versions for the
supported platforms:

-
A] anyone can modify the motd
-

The MTA server has the remote administration option enabled by default.
The problem is the existence of an undocumented command (number 40)
which allows the modification or the deletion of the content of the
motd.txt file used for the message of the day.
This is the only command which doesn't check if the client is an admin
so anyone without permissions has access to it.


---
B] Windows server crash
---

The command 40 is also the cause of another problem located in the same
function which seems incomplete or experimental, as shown by the
following "retrieved" code:

    // open file for writing "w"
    length = *(u_int *)(src - (src % 4096));
    for(i = j = 0; i < length; i++) {
        if(src[i] == '\n') dst[j++] = '\r';
        dst[j++] = src[i];
        if(j < 1024) continue;
        if(!WriteFile(...)) break;
        j = 0;
    }
    // close file

length is -1 so the function starts an almost endless loop which stops
when the source buffer points to an unallocated zone of the memory.
The result is the immediate crash of the MTA server.

It seems that only the Windows server is affected by the crash because
on Linux the function is substituted with the following "still
incorrect" instruction which doesn't produce exceptions:

    fd = fopen("motd.txt", "w");
    fwrite(data + 4, 1, data, fd);  // yes data is the buffer
    fclose(fd);


###

===
3) The Code
===


http://aluigi.altervista.org/poc/mtaboom.zip


###

==
4) Fix
==


The developers have said that MTA is no longer supported.


###


--- 
Luigi Auriemma 
http://aluigi.altervista.org 
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
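
Added example (not code from Scorched 3D or MTA) covering both the negative numplayers of Scorched 3D bug B and the `length = -1` loop in MTA bug B above: a signed upper-bound check followed by an unsigned loop, its hardened replacement, and a CRLF expansion whose loop is bounded by the byte count actually received and by the destination size rather than by a value fetched from memory. MAX_PLAYERS and the function names are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define MAX_PLAYERS 24     /* assumption: the advisory does not give the server's limit */

/* Scorched 3D pattern: a signed upper-bound check that a negative value passes. */
int numplayers_check_vuln(int numplayers) {
    return numplayers <= MAX_PLAYERS;       /* -1 <= 24 holds */
}

/* Iteration count of `for (unsigned int i = 0; i < numplayers; i++)`:
 * numplayers is converted to unsigned for the comparison. */
unsigned int loop_bound_vuln(int numplayers) {
    return (unsigned int)numplayers;        /* -1 -> 4294967295 */
}

/* Hardened: check both ends of the range and loop over the validated value.
 * Returns the number of players created, or -1 when the count is rejected. */
int create_players(int numplayers) {
    if (numplayers < 1 || numplayers > MAX_PLAYERS) return -1;
    int created = 0;
    for (int i = 0; i < numplayers; i++)
        created++;                          /* stand-in for adding one player */
    return created;
}

/* MTA pattern: the "retrieved" code takes `length` from memory near the
 * buffer (it comes out as -1) and walks src until it faults. Hardened form:
 * the loop is bounded by the bytes received and the output capacity, and
 * reports failure instead of overrunning either side. */
int crlf_expand(const char *src, size_t srclen, char *dst, size_t dstcap, size_t *written) {
    size_t j = 0;
    for (size_t i = 0; i < srclen; i++) {
        size_t need = (src[i] == '\n') ? 2 : 1;
        if (dstcap - j < need) return 0;    /* dst would overflow */
        if (src[i] == '\n') dst[j++] = '\r';
        dst[j++] = src[i];
    }
    *written = j;
    return 1;
}

/* Helpers for the checks below: expand into a 63-byte window, NULL if it does not fit. */
static char demo_buf[64];
const char *crlf_demo(const char *s) {
    size_t n;
    if (!crlf_expand(s, strlen(s), demo_buf, sizeof demo_buf - 1, &n)) return NULL;
    demo_buf[n] = '\0';
    return demo_buf;
}
const char *crlf_demo_newlines(size_t count) {    /* constructed input of `count` '\n' bytes */
    char in[256];
    if (count >= sizeof in) return NULL;
    memset(in, '\n', count);
    in[count] = '\0';
    return crlf_demo(in);
}
```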


[Full-disclosure] Multiple vulnerabilities in BFCommand & Control for Battlefield 1942 and Vietnam

2005-08-29 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  BFCommand & Control Server Manager
  http://www.bfcommandcontrol.org
Versions: BFCC  <= 1.22_A
  BFVCC <= 2.14_B
  BFVCCDaemon is NOT vulnerable
Platforms:Windows
Bugs: A] full anonymous login bypass
  B] login bypass through NULL username
  C] invulnerable clients and full privileges
  D] server full after consecutive connections
Exploitation: remote
Date: 29 Aug 2005
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


BFCommand & Control Server Manager is a server manager available for
the games Battlefield 1942 (with the name BFCC), Battlefield Vietnam
(BFVCC) and Battlefield 2 (BF2CC).

The difference between these server managers and the others available
on the Internet is that BFVCC is also directly included in the CD of
Battlefield Vietnam, so it's used on many servers.
I have made a quick search on the Internet and I have found that over
20% of public Battlefield Vietnam servers use one of the vulnerable
versions of BFVCC on standard ports which, through these
vulnerabilities, means full access to the management of these game
servers and to other possible sensitive information like the POP3
password of the admin.

BFVCCDaemon is not vulnerable because it uses another protocol and in
fact is considered a different program altogether. Also, on the Internet
the number of BFV servers which use BFVCCDaemon is almost nonexistent.


###

===
2) Bugs
===

--
A] full anonymous login bypass
--

This bug can be explained with the following words: there is no login
mechanism.
In fact the "login" command is totally useless because anyone can
connect to the server manager and take its control with full "Super
Admin" privileges.
The most interesting thing is that without logging into the server the
attacker doesn't exist: the logs don't report his operations (except
for a couple of commands if used) and for the server there are no
people connected in that moment.
Really a good way for controlling the server like a ghost and with the
maximum relax and power.


-
B] login bypass through NULL username
-

The "login" command naturally is composed of a username and a password
but the cool thing is that a NULL byte (0x00) in the username field will
bypass the authentication and the server will grant access to the
attacker:

"login" "\x1e"  // command
"\0""\x1e"  // username (NULL byte)
"none"  "\x1e"  // password
"none"  "\x1e"  // username
""  "\x1e"  // ???
""  // ???
"\x00\x40\x40\x00"  // command delimiter


---
C] invulnerable clients and full privileges
---

The admins (and above all the local admin) have the ability to boot
the other remote admins.
The command "Boot" and any other command which has effect on the
clients are totally useless since the server continues to keep the
connection established and any operation or disconnection is made by
the client, not the server.
In short a modified client (for example placing a NULL byte where the
unicode command Boot is located in the executable) cannot be booted.
Also, each admin can be limited in what he can or cannot do by setting
some permissions in the "User Profiles" section.
Just like for the Boot command, the permissions are also client-side so
an admin with very restricted power can take full control of the
server manager.



D] server full after consecutive connections


A sort of "fake players" attack with the difference that here after 20
consecutive connections (just a simple connect and disconnect) the
server becomes full forever.
In short if the client doesn't send the "login" command the server
considers the connection in an idle state and when the limit of 20
connections is reached (although the connections and the sockets have
been closed!) it becomes full and nobody can use the server manager 

[Full-disclosure] Server crash in Ventrilo 2.3.0

2005-08-23 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Ventrilo
  http://www.ventrilo.com
Versions: <= 2.3.0 and >= 2.1.2
Platforms:Windows (x86), Linux (x86), Solaris (SPARC), Solaris
  (x86), FreeBSD (x86), NetBSD (x86) and Mac OSX (PPC)
Bug:  forced exit or crash caused by malformed status packet
Exploitation: remote, versus server
Date: 23 Aug 2005
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


Ventrilo is a widely known and used VoIP software developed by Flagship
Industries.
It is used above all for online gaming.


###

==
2) Bug
==


Besides the TCP port used for accepting clients, the Ventrilo server
also binds the same UDP port for handling the status requests sent by
people to get information and details.

The problem is in the code that controls the status queries: in fact
there is a check for the handling of possible malformed data which
interrupts the server when a packet is received with an amount of data
lower than that specified in the header of the query.
For example a normal status query (command 1 with 16 bytes of data
reported in the status header) that doesn't contain data is able to
exploit this vulnerability.

In the log file of Windows servers the following message will be
dumped:
  ERROR: ServerLoop exception detected. Aborting.

On other platforms (tested Linux x86) a crash in free() happens.

Naturally it is also possible to spoof the malformed packet for
anonymous exploitation of the bug.


###

===
3) The Code
===


http://aluigi.altervista.org/poc/ventboom.zip


###

==
4) Fix
==


No fix.
On the vendor's website there is no e-mail address for reporting
bugs (support, info and bugs are nonexistent) and the forum requires
registration so, probably, they don't want to be contacted...

The bug can be avoided by setting a filter in the firewall which
rejects UDP packets to the port bound by the status service
(3784 by default, it's the same port used for accepting clients).


###


--- 
Luigi Auriemma 
http://aluigi.altervista.org 
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Buffer-overflow in Chris Moneymaker's World Poker Championship 1.0

2005-08-17 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Chris Moneymaker's World Poker Championship
  http://moneymakergaming.com
Versions: 1.0
Platforms:Windows
Bug:  buffer-overflow
Exploitation: remote, versus server
Date: 17 Aug 2005
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


Chris Moneymaker's World Poker Championship is a poker game developed
and published by Valusoft (http://www.valusoft.com) in April 2005.


###

==
2) Bug
==


The game is affected by a buffer-overflow during the usage of sprintf()
for the creation of the string "%s has joined the game." (where %s is
replaced by the nickname passed by the client) with a destination
buffer of 256 bytes.


###

===
3) The Code
===


http://aluigi.altervista.org/poc/chmpokbof.zip


###

==
4) Fix
==


The vendor has handled this security bug as a "normal" bug so no patch
is planned.


###


--- 
Luigi Auriemma 
http://aluigi.altervista.org 
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Broadcast format string and buffer-overflow in Race Driver 1.20

2005-07-18 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Race Driver
  http://www.codemasters.com/tocaracedriver/
Versions: <= 1.20
Platforms:Windows
Bugs: A] broadcast format string
  B] broadcast buffer-overflow
Exploitation: remote, versus any user in the public chat or through
  malformed server replies (broadcast)
Date: 18 Jul 2005
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


Race Driver is a funny but poorly supported racing game developed and
published by Codemasters (http://www.codemasters.com).
It has been released in March 2003.


###

==
2) Bug
==


Race Driver incorrectly uses sprintf() for building different types of
text strings usually used for the visualization of the data.
The places where this bad sprintf() can be exploited are at least 2:
the public chat hosted on the encrypted IRC server peerchat.gamespy.com
and the in-game server browser.

The public chat is a place used by Race Driver while the users wait for
a free server to join. The users automatically join it when they choose
to play on the Internet from the Network menu... it is a useless but
forced stage.
Besides the messages in the channel the game also supports private
messages (whispers), so an attacker can decide to attack a specific user
or just all the users in the room.

The in-game server browser instead is where the online servers are
shown and sorted using the information received in their replies.

The sprintf() function is affected by two bugs: a format string and a
buffer-overflow caused by text strings of 264 chars.


###

===
3) The Code
===


For testing the bugs through the chat it is enough to use the same game
or an IRC client with a Peerchat proxy.
The example chat messages (or also nicknames) for exploiting the bugs
are the following:
   %n%n%n
 and
  



RETA

The raw names of the channels used by Race Driver are: #GPG!511 (the
main), #GPG!510, #GPG!508, #GPG!507, #GPG!506, #GPG!509, #GPG!513,
#GPG!512, #GPG!485, #GPG!486 and (for some milliseconds)
#GSP!racedriver

For testing the bugs through a malicious server you need only to host a
game with the name %n%n%n.


###

==
4) Fix
==


This game is no longer supported.


###


--- 
Luigi Auriemma 
http://aluigi.altervista.org 
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Endless loop in NetPanzer 0.8

2005-07-13 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  NetPanzer
  http://netpanzer.berlios.de
Versions: <= 0.8
Platforms:Windows, Linux and Mac
Bugs: endless loop
Exploitation: remote, versus server (and clients also if useless)
Date: 13 Jul 2005
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


NetPanzer is an open source multiplayer tactical game, quite well known
and played.


###

==
2) Bug
==


The network code doesn't verify the correctness of the 16-bit number
containing the size of the entire data block received from the network.
If an attacker sends the number 0x (the minimum should be 0x0002)
the game enters an endless loop and nobody can play.


###

===
3) The Code
===


http://aluigi.altervista.org/poc/panzone.zip


###

==
4) Fix
==


The SVN version of the game has been fixed:

  http://developer.berlios.de/svn/?group_id=1250


###


--- 
Luigi Auriemma 
http://aluigi.altervista.org 
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] In-game /ignore crash in Soldier of Fortune II 1.03

2005-06-29 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Soldier of Fortune II
  http://sof2.ravensoft.com
Versions: 1.02x and 1.03
Platforms:Windows, Linux and Mac
Bug:  bad memory access
Exploitation: remote, versus server (in-game)
Date: 29 Jun 2005
Author:   unknown, found in the wild and reported to me by two
  admins
Advisory: Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


Soldier of Fortune II is a widely played FPS game developed by Raven
Software (http://www.ravensoft.com) and published by Activision
(http://www.activision.com).
It was released in May 2002.


###

==
2) Bug
==


The /ignore command is used to tell the server that we (the
client) don't want to receive the messages of a specific user.
The command is followed by a number that identifies the ID of the
client we want to ignore.
This client ID is then used by the server as an index into the
g_entities array, composed of 1024 entities, so if we specify a big ID
like 123456789 the server will crash immediately because it tries to
access a zone of memory that is not allocated.

This is an in-game bug so the bug cannot be exploited if the attacker
is banned or the server is protected by a password not known by him.


###

===
3) The Code
===


Join a server and from the game console (~ key) type:

  /ignore 123456789


###

==
4) Fix
==


The game is no longer supported so there is no official fix.

The correct way to remove the problem is to patch the bug in the
latest SDK available for the game (1.02 + 1.03) and recompile it.
The patch consists of adding the following instruction in
g_cmds.c after "ignoree = atoi( buffer );" at line 1962:

  if(ignoree < 0 || ignoree >= MAX_GENTITIES) return;  // reject ids outside the 1024-entry array

It's enough to compile only the game folder (game.bat) and then zip the
file vm\sof2mp_game.qvm in a new pk3 file like update_fix.pk3.

Another and probably simpler way is just to modify the file
vm\sof2mp_game.qvm, removing the /ignore command.
The easy step-by-step is explained here:


###


--- 
Luigi Auriemma 
http://aluigi.altervista.org 
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
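
Added example, not Raven's code: a strict parser for the /ignore argument that indexes g_entities only with values in [0, 1024), rejecting negative ids, id 1024 (one past the end of a 1024-entry array), non-numeric input and overflowed numbers. The entity struct is a stand-in and the function names are mine; MAX_GENTITIES is the array size given in the advisory.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

#define MAX_GENTITIES 1024    /* size of g_entities per the advisory */

typedef struct { int ignored; } gentity_t;      /* stand-in for the real entity struct */
static gentity_t g_entities[MAX_GENTITIES];

/* Pattern the advisory describes: atoi() result used directly as the index.
 * Never called here; an id such as 123456789 indexes far outside the array. */
void cmd_ignore_vuln(const char *arg) {
    int ignoree = atoi(arg);
    g_entities[ignoree].ignored = 1;
}

/* Strict parse of a client id: decimal digits only, fully consumed, no
 * sign, no overflow, and inside [0, MAX_GENTITIES). Index MAX_GENTITIES
 * itself is one past the end and a negative value indexes before the
 * array, so both are rejected. Returns -1 on any failure. */
int parse_client_id(const char *arg) {
    if (arg == NULL || *arg < '0' || *arg > '9') return -1;     /* "", "-1", " 5" */
    char *end;
    errno = 0;
    long v = strtol(arg, &end, 10);
    if (errno == ERANGE || *end != '\0') return -1;             /* "7abc", huge numbers */
    if (v < 0 || v >= MAX_GENTITIES) return -1;
    return (int)v;
}

/* Hardened /ignore handler: 1 when the flag was set, 0 when rejected. */
int cmd_ignore(const char *arg) {
    int id = parse_client_id(arg);
    if (id < 0) return 0;
    g_entities[id].ignored = 1;
    return 1;
}

/* Read back with the same bound; the unsigned cast folds the negative case
 * into the upper-bound test. */
int is_ignored(int id) {
    return ((unsigned int)id < MAX_GENTITIES) ? g_entities[id].ignored : 0;
}
```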


[Full-disclosure] Crash in Stronghold 2 1.2

2005-05-30 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Stronghold 2
  http://www.stronghold2.com
Versions: <= 1.2
Platforms:Windows
Bug:  exception/crash
Exploitation: remote, versus server
Date: 30 May 2005
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


Stronghold 2 is a strategy game developed by Firefly Studios
(http://www.fireflyworlds.com) and published by 2K Games
(http://www.2kgames.com).
It has been released in April 2005.


###

==
2) Bug
==


In the packet used for joining the server is located the client's
nickname, preceded by a 32-bit number used to specify its size.
When the server receives the packet it reads this number and allocates
that amount of memory, into which the nickname is then copied.
The problem is that the STLport library fails to allocate too big an
amount of memory and generates an exception that terminates the game.


###

===
3) The Code
===


http://aluigi.altervista.org/poc/strong2boom.zip


###

==
4) Fix
==


No fix.
No reply from the vendor.


###


--- 
Luigi Auriemma
http://aluigi.altervista.org

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Buffer-overflow in C'Nedra 0.4.0

2005-05-26 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  C'Nedra
  http://www.cnedra.org
Versions: <= 0.4.0
Platforms:Windows and Unix
Bug:  buffer-overflow in READ_TCP_STRING
Exploitation: remote, versus server
Date: 26 May 2005
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


C'Nedra is an open source virtual reality framework for the creation of
various worlds and applications.


###

==
2) Bug
==


The network plugin is affected by a buffer-overflow in the function
READ_TCP_STRING() located in game_message_functions.cpp and used to
read the text strings received from the network.
First it reads the 32 bit number that specifies the size of the text
string and then copies it into a local buffer of only 100 bytes
allowing an attacker to execute malicious code.


###

===
3) The Code
===


http://aluigi.altervista.org/poc/cnedrabof.zip


###

==
4) Fix
==


No fix.
No reply from the developers.


###


--- 
Luigi Auriemma
http://aluigi.altervista.org

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Buffer-overflow and crash in Terminator 3: War of the Machines 1.16

2005-05-26 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Terminator 3: War of the Machines
  http://www.atari.com/us/games/terminator_3_war/pc
Versions: <= 1.16
Platforms:Windows
Bugs: A] cd-key hash buffer-overflow
  B] big nickname access violation
Exploitation: remote, versus server
Date: 26 May 2005
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


Terminator 3: War of the Machines is a multiplayer FPS game developed
by Clevers (http://www.clevers.com) and based on the movie of the same
name.
It has been published by Atari (http://www.atari.com) in December 2003.


###

===
2) Bugs
===

--
A] cd-key hash buffer-overflow
--

The text field containing the client cd-key hash is the cause of a
buffer-overflow that affects the server.
Note: this is NOT the Gamespy cd-key SDK buffer-overflow.



B] big nickname access violation


If an attacker uses too big a nickname the server crashes due to the
access to an arbitrary zone of memory.


###

===
3) The Code
===


http://aluigi.altervista.org/poc/t3wmbof.zip


###

==
4) Fix
==


No fix.
The game is no longer supported.


###


--- 
Luigi Auriemma
http://aluigi.altervista.org

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Endless loop in Halo 1.06

2005-05-24 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Halo: Combat Evolved
  http://www.microsoft.com/games/pc/halo.aspx
Versions: <= 1.06 and Custom Edition 1.00
Platforms:Windows
Bug:  endless loop
Exploitation: remote, versus server
Date: 24 May 2005
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


Halo is the great FPS game developed by Bungie Studios and ported on PC
by Gearbox Software (http://www.gearboxsoftware.com).
It is published by Microsoft Games (http://www.microsoft.com/games/)
and has been released at the end of 2003.


###

==
2) Bug
==


The game is not able to handle the malformed data, with the consequence
of entering an endless loop that continues to check the same data.
The effects are that the server freezes completely, so it is no longer
able to handle packets, and the CPU goes to 100%.


###

===
3) The Code
===


http://aluigi.altervista.org/poc/haloloop.zip


###

==
4) Fix
==


The upcoming version 1.07 should be released in these days, the bug has
been reported to the developers exactly one month ago.


###


--- 
Luigi Auriemma
http://aluigi.altervista.org

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Format string and crash in Warrior Kings 1.3 and Battles 1.23

2005-05-23 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Warrior Kings: Battles
http://www.warriorkingsbattles.com
  Warrior Kings
   
http://www.empireinteractive.com/games/product.asp?PID=CCD3E776-8DDB-4A4C-8A19-922D58804A24
Versions: Warrior Kings: Battles <= 1.23
  Warrior Kings  <= 1.3
Platforms:Windows
Bugs: A] format string
  B] crash
Exploitation: remote, versus server
Date: 23 May 2005
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


Warrior Kings: Battles is a real-time strategy game developed by
Black Cactus (http://www.blackcactus.co.uk) and released in March 2003.
The game is published by Empire Interactive and Strategy First.

Warrior Kings instead is published by Microids and Empire Interactive
and has been released exactly one year before its successor.


###

===
2) Bugs
===


A] format string


The game is affected by a format string bug in the function used to
visualize the text on the screen. The best and simplest way to exploit
the bug is through a malformed nickname.
The only limitation is that the attacker cannot exploit the bug if the
server is locked.



B] crash


A partial join packet causes the crash of the server due to the access
to a NULL pointer.
Only Warrior Kings Battles seems affected by this problem.


###

===
3) The Code
===


http://aluigi.altervista.org/poc/wkbbugs.zip
http://aluigi.altervista.org/poc/warkingsfs.zip


###

==
4) Fix
==


No fix.
No reply from the vendor.


###


--- 
Luigi Auriemma
http://aluigi.altervista.org

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
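
Added example (not code from any of the games) serving Scorched 3D bug A, Chris Moneymaker's World Poker Championship, Race Driver and Warrior Kings bug A above: the two vulnerable sprintf patterns beside their bounded forms, plus a small detector for format-string probes such as %n%n%n that a server could run on nicknames and chat lines. MSG_BUF is the 256-byte destination from the Moneymaker advisory; the other sizes and the function names are assumptions.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MSG_BUF 256    /* destination size given for Chris Moneymaker's WPC */

/* Vulnerable pattern A (Moneymaker, Race Driver's 264-char strings):
 * unbounded sprintf into a fixed stack buffer. Vulnerable pattern B
 * (Scorched 3D addLine/sendString*, Warrior Kings, Race Driver's %n%n%n):
 * a vsprintf wrapper that callers feed the user's text as `fmt`, so "%n"
 * writes memory and "%x" leaks the stack. Neither is called in this file. */
void announce_join_vuln(const char *nick) {
    char line[MSG_BUF];
    sprintf(line, "%s has joined the game.", nick);    /* overflows once nick > 234 bytes */
    (void)line;
}
void console_add_line_vuln(const char *fmt, ...) {
    char line[1024];
    va_list ap;
    va_start(ap, fmt);
    vsprintf(line, fmt, ap);                             /* the bug is the caller passing user text as fmt */
    va_end(ap);
    (void)line;
}

/* Hardened: bounded formatting, and user text is only ever an argument.
 * Return 1 when the whole message fit, 0 when snprintf truncated it, so the
 * caller can reject the nickname instead of silently clipping it. */
int announce_join(const char *nick, char *out, size_t cap) {
    int n = snprintf(out, cap, "%s has joined the game.", nick);
    return n >= 0 && (size_t)n < cap;
}
int console_add_line(const char *user_text, char *out, size_t cap) {
    int n = snprintf(out, cap, "%s", user_text);
    return n >= 0 && (size_t)n < cap;
}

/* Detection: a nickname or chat line carrying a printf conversion is a
 * likely format-string probe, worth logging or kicking. "%%" is ignored. */
int looks_like_format_probe(const char *s) {
    for (const char *p = s; (p = strchr(p, '%')) != NULL; p++) {
        const char *q = p + 1;
        if (*q == '%') { p = q; continue; }
        while (*q && strchr("-+ #0123456789.lh", *q)) q++;   /* flags, width, length */
        if (*q && strchr("diouxXcspn", *q)) return 1;
    }
    return 0;
}

/* Helpers for the checks below. */
static char demo_line[MSG_BUF];
int long_nick_fits(size_t len) {            /* constructed nickname of `len` 'A's */
    char nick[512];
    if (len >= sizeof nick) return 0;
    memset(nick, 'A', len);
    nick[len] = '\0';
    return announce_join(nick, demo_line, sizeof demo_line);
}
const char *render_demo(const char *text) { /* NULL if the text was too long to render */
    return console_add_line(text, demo_line, sizeof demo_line) ? demo_line : NULL;
}
```

The 234/235 boundary in the checks is " has joined the game." (21 bytes) plus the terminator against a 256-byte buffer; the 264-character strings from the Race Driver advisory are well past it.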


[Full-disclosure] Crash in Zoidcom 1.0 beta 4

2005-05-10 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Zoidcom
  http://www.zoidcom.com
Versions: <= 1.0 beta 4
Platforms:Windows and Linux
Bug:  access to unallocated memory
Exploitation: remote, versus server and clients
Date: 10 May 2005
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


Zoidcom is a UDP network library developed by Jörg Rüppel.


###

==
2) Bug
==


The first 4 bytes at the beginning of any UDP packet handled by this
library specify the size of the packet data in bits.
When a packet is received the library calls the
ZCom_BitStream::Deserialize function, which allocates a target buffer of
the size specified in these 4 bytes and then copies all the subsequent
part of the packet into it.
If an attacker specifies a large number of bits, the Deserialize()
function will try to read the unallocated memory located after
the packet buffer, or the library will exit immediately if the number of
bits is so big that the target buffer cannot be allocated.
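As an added illustration, written from the description above and not taken from the Zoidcom source, the hypothetical deserializer below shows the check the advisory implies is missing: the 4-byte bit count is validated against the bytes that actually arrived before anything is allocated or copied. Byte order of the header, the status codes and the 65507-byte bound are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Largest payload one IPv4 UDP datagram can carry; any header that claims
 * more than this is bogus on its face. Our own bound, not Zoidcom's. */
#define ZC_MAX_PAYLOAD_BYTES 65507

/* Outcome of the hypothetical deserializer. */
enum zc_status { ZC_OK = 0, ZC_ERR_SHORT = -1, ZC_ERR_LENGTH = -2, ZC_ERR_ALLOC = -3 };

/* Read the 32-bit bit count at the start of the packet. Little-endian is an
 * assumption; the advisory only says the first 4 bytes hold the size in bits. */
static uint32_t zc_read_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened version of the step the advisory describes: size a target buffer
 * from the header, then copy the rest of the packet into it. The difference
 * from the flawed behaviour is that the declared size is checked against the
 * bytes that actually arrived, so an inflated header can neither make the copy
 * read past the datagram nor trigger an absurd allocation. On success *out
 * receives a malloc'd copy and *out_len its length; the caller frees it. */
enum zc_status zc_deserialize(const uint8_t *pkt, size_t pkt_len,
                              uint8_t **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;
    if (pkt_len < 4)
        return ZC_ERR_SHORT;                 /* no room for the bit-count header */

    uint32_t bits = zc_read_u32le(pkt);
    /* Round bits up to whole bytes in 64-bit arithmetic so it cannot wrap. */
    size_t need = (size_t)(((uint64_t)bits + 7) / 8);
    size_t have = pkt_len - 4;

    /* The missing check: the declared payload must fit in what was received. */
    if (need > have || need > ZC_MAX_PAYLOAD_BYTES)
        return ZC_ERR_LENGTH;

    uint8_t *buf = malloc(need ? need : 1);
    if (buf == NULL)
        return ZC_ERR_ALLOC;                 /* fail closed rather than exit */
    memcpy(buf, pkt + 4, need);              /* bounded: need <= have */
    *out = buf;
    *out_len = need;
    return ZC_OK;
}

/* Test driver: builds a constructed packet whose header claims 'bits' bits
 * over 'payload_len' bytes of filler and reports how the check treats it. */
enum zc_status zc_check_packet(uint32_t bits, size_t payload_len)
{
    uint8_t pkt[4 + 64];
    if (payload_len > sizeof(pkt) - 4)
        return ZC_ERR_LENGTH;                /* driver limit, not a real packet */
    pkt[0] = (uint8_t)bits;         pkt[1] = (uint8_t)(bits >> 8);
    pkt[2] = (uint8_t)(bits >> 16); pkt[3] = (uint8_t)(bits >> 24);
    memset(pkt + 4, 0xAB, payload_len);

    uint8_t *out;
    size_t out_len;
    enum zc_status st = zc_deserialize(pkt, 4 + payload_len, &out, &out_len);
    free(out);                               /* free(NULL) is a no-op */
    return st;
}
```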


###

===
3) The Code
===


http://aluigi.altervista.org/poc/zoidboom.zip


###

==
4) Fix
==


1.0 beta 5


###


--- 
Luigi Auriemma
http://aluigi.altervista.org



[Full-disclosure] Gamespy cd-key validation system: Cd-key never in use

2005-05-04 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Gamespy cd-key validation system
  http://www.gamespy.net
Games:The amount of games that use this system is really huge,
  a small list (maintained by me) is available here:
http://aluigi.altervista.org/papers/gshlist.txt
  An official list of games that use the Gamespy stuff (so
  not only the cd-keys) is available here:
http://www.gamespy.net/partners/
Versions: the bug will be corrected on the master server; at the
  moment I'm writing the bug still exists
Bug:  players can use the same cd-key online at the same moment
Exploitation: remote
Date: 04 May 2005
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bug
3) An example of real life
4) The Code
5) Fix


###

===
1) Introduction
===


The Gamespy cd-key validation system is a toolkit used by a HUGE number
of multiplayer games and is needed to allow the verification of the
cd-keys used by the players when they want to join an online game
server.

Some of the most famous and played games that use this toolkit are
Halo, Battlefield 1942 and Vietnam, Men of Valor, Painkiller, Star Wars
Battlefront, Star Wars Republic Commando, Tribes: Vengeance and many
others among those listed here:

  http://www.gamespy.net/partners/


###

==
2) Bug
==


The problem is very simple: two or more players can use the same valid
cd-key at the same moment on different servers.
Naturally this situation is avoided by default for the right reasons
that anyone knows (playing online with pirated games, first of all).

That is possible because there exists a specific command (\disc\) used
by the game servers to free the cd-key of the users that leave the match
hosted by them.
In fact when a player joins a server his cd-key becomes "in use" and
nobody can use the same cd-key online at the same time.

The \disc\ and \uoff\ commands plus the "no reply" are the mechanism
used to free a cd-key in use, and the game server is the only one able
(and entitled) to use it.

The \disc\ command is transmitted in a UDP packet (like any other
command) and contains the following parameters:

  \pid\ = the Gamespy PID, a number that identifies any multiplayer
  game
  \cd\  = the MD5 hash of the user's cd-key
  \ip\  = the IP address of the client

The following section contains some details and a possible scenario for
the usage of this flaw.


###

==
3) An example of real life
==


Two friends have just bought the game Halo in a nice games shop in
their town; finally they can kill the little Covenants on Halo's
ring.

Each one has paid half of the full price (they are not rich but
fortunately they are friends and respect the work of the developers), and
they go quickly home to play online with this nice game using the
same valid cd-key.

The first guy (X) joins a server without problems while the second (Y)
receives a "Cd-key in use" error on any server he tries to join.
Unfortunately Y didn't know about this mechanism.

But X knows that Halo uses the Gamespy cd-key validation system and
knows also that this mechanism is affected by some implementation flaws,
so he decides to solve his friend's problem for good.

X creates a tool that automatically sends a spoofed \disc\ packet to
the master server using the source IP and port of the server he
joins.
He can do it easily enough because he knows the PID of his game (793
for Halo) and naturally knows both his cd-key (or directly the MD5
hash) and his public IP address used by the server to authorize him.

So when X joins a server, he sends a spoofed \disc\ command and his
cd-key is no longer in use.

Now Y can play on the Internet at the same moment that X is online
without problems and on any server.
The only limitation is that they cannot play on the same server because
it rejects the players with the same cd-key without needing to
contact the Gamespy master server.

The problem is that if two friends can do that, the same can be done by
10, 100 or 1000 people and this is not a very good thing.
Someone may say that this is already possible through the usage of
modified servers but almost all the Internet servers are regular and
accept only the players with valid cd-keys.


###

===
4) The Code
===

[Full-disclosure] Gamespy cd-key validation system: "Cd-key in use" DoS versus many games

2005-05-04 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Gamespy cd-key validation system
  http://www.gamespy.net
Games:The amount of games that use this system is really huge,
  a small list (maintained by me) is available here:
http://aluigi.altervista.org/papers/gshlist.txt
  An official list of games that use the Gamespy stuff (so
  not only the cd-keys) is available here:
http://www.gamespy.net/partners/
Versions: each game must implement the future fixed SDK with a
  patch; anyway it is impossible for me to list all the
  vulnerable game versions (at this moment ALL)
Bug:  Denial of Service, players with valid cd-keys cannot play
  online due to the "Cd-key in use" error message
Exploitation: remote, versus clients with valid cd-keys
Date: 04 May 2005
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bug in short
3) Bug details
4) An example of real life
5) What an attacker needs
6) The Code
7) Fix


###

===
1) Introduction
===


The Gamespy cd-key validation system is a toolkit used by a HUGE number
of multiplayer games and is needed to allow the verification of the
cd-keys used by the players when they want to join an online game
server.

Some of the most famous and played games that use this toolkit are
Halo, Battlefield 1942 and Vietnam, Men of Valor, Painkiller, Star Wars
Battlefront, Star Wars Republic Commando, Tribes: Vengeance and many
others among those listed here:

  http://www.gamespy.net/partners/


###

===
2) Bug in short
===


An attacker can sniff all the valid cd-key authorizations sent from his
server to the Gamespy master server when a player joins his match.
These queries do NOT contain the plain-text cd-key but only some random
text strings and the MD5 hashes needed to verify the original cd-key
and the correctness of the packet.

Then the attacker can send the same captured queries to the master
server, emulating what a common server does.
This mechanism causes the real cd-key to be considered in use on the
server of the attacker, so when the real owner of the cd-key tries to
play online his client is kicked from any game server he wants to join.

Note that this implementation bug does NOT allow the attackers to steal
or reuse the valid cd-keys but only to block them for as long as they
want.


###

==
3) Bug details
==


The Gamespy cd-key validation system is a server-side mechanism for
verifying whether the cd-keys used by the clients are valid or not.
Server-side means that all the authorization is handled by the game
server; it is the only one that contacts the master server.
The part of the client in this mechanism is limited to passing
its cd-key hash to the game server.

By client is meant the game client, so the users/gamers; by server, a
game server hosted by any user; while the master server is the central
server owned by Gamespy that contains the archive of valid cd-keys and
their MD5 hashes.
I think these terms are well known by anyone but I prefer to be sure.

The step-by-step for validating a cd-key through the Gamespy system is
the following:
- client joins the server
- server generates a random text string and sends it to the client
- client composes a string of 72 chars using also the string received
  from the server:
http://aluigi.altervista.org/papers/gskey-auth.txt
- server sends to the master server its string plus the response
  received from the client
- the master server replies reporting if the client cd-key is valid or
  not (and why not)
- if the valid cd-key has been previously authorized from another
  server the master server first tries to contact this one to know if
  the player with that cd-key is still playing (\ison\). If a negative
  (\uoff\) or no reply is received the cd-key is considered free and
  the new user is authorized

The flaw is clear: what happens if the server that authorized the
cd-key first continues to report that the player is playing on it
forever?
The answer is simple: the real player with the valid cd-key will no
longer be able to play online because his cd-key is in use on that server.

Creating this situation is very simple: a normal game server can
capture the authorization requests it sends to the Gamespy master
server when a player joins and then it can reuse the same identical
requests forcing the real cd-keys to enter in t

[Full-disclosure] Clients format string and server crash in Mtp-Target 1.2.2

2005-05-01 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Mtp-Target
  http://www.mtp-target.org
Versions: <= 1.2.2
Platforms:Windows and Linux
Bugs: A] clients format string
  B] server crash
Exploitation: remote, versus both server and clients
Date: 01 May 2005
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


Mtp-Target is a nice open source and multiplatform clone of the Monkey
Target minigame and uses the NeL library
(http://www.nevrax.org/tiki-index.php?page=NeL).


###

===
2) Bugs
===


---
A] clients format string
---

The clients of the game are affected by a format string bug during the
visualization of the messages received from the other users or of any
other text that appears in the upper console.
With a single message an attacker is able to exploit all the clients
connected to a server.


---
B] server crash
---

This bug is located in the NeL library but, after some tests made by the
NeL developers, it seems that only Mtp-Target is vulnerable (probably
because the pre-compiled versions use an old version of the library;
the mystery has not been solved).

Anyway there is a signed comparison that verifies whether the amount of
memory to allocate (a parameter passed by the client) is greater than
100 bytes. If an attacker passes a negative value the check is
bypassed and the system tries to allocate this huge amount of memory
through a call to STLport.
The result is an exception that terminates the server.
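An added illustration of the signed-comparison mistake described above, constructed here rather than taken from the NeL or Mtp-Target source: the flawed variant compares the client's value as a signed int, so a negative wire value slips under the 100-byte limit and then becomes an enormous size_t at allocation time; the hardened variant treats the wire value as unsigned. The 32-bit field width and the function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>

/* The advisory's limit: a client-supplied size above this is rejected. */
#define MAX_CLIENT_ALLOC 100

/* Flawed check, reconstructed from the description: the client's value is
 * held in a signed int, so for a negative number "> 100" is false and the
 * value is accepted. */
static int flawed_size_ok(int32_t client_size)
{
    if (client_size > MAX_CLIENT_ALLOC)
        return 0;                       /* rejected */
    return 1;                           /* accepted, negatives included */
}

/* Hardened check: interpret the wire value as unsigned and bound it, so
 * every 32-bit pattern an attacker can send is compared as a magnitude. */
static int hardened_size_ok(uint32_t client_size)
{
    return client_size <= MAX_CLIENT_ALLOC;
}

/* Byte count each variant would hand to the allocator for a raw 32-bit wire
 * value, or 0 when the check rejects it. The flawed path reproduces the bug:
 * 0xFFFFFFFF is -1 as int32_t, passes the check, and converts to SIZE_MAX. */
size_t flawed_alloc_request(uint32_t wire)
{
    int32_t n = (int32_t)wire;          /* sign reinterpretation of the field */
    if (!flawed_size_ok(n))
        return 0;
    return (size_t)n;                   /* negative -> huge size_t */
}

size_t hardened_alloc_request(uint32_t wire)
{
    if (!hardened_size_ok(wire))
        return 0;
    return (size_t)wire;                /* at most MAX_CLIENT_ALLOC bytes */
}
```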


###

===
3) The Code
===


http://aluigi.altervista.org/poc/mtpbugs.zip


###

==
4) Fix
==


No fix.

I was in contact with the developers of this game (who also have a
public game server) but I have no longer received replies from them, so
I have no idea if and when a patch will be released.


###


--- 
Luigi Auriemma
http://aluigi.altervista.org



[Full-disclosure] Multiple vulnerabilities in Yager 5.24

2005-04-14 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Yager
  http://www.yager-game.de
Versions: <= 5.24
Platforms:Windows
Bugs: A] nickname buffer-overflow
  B] data block buffer-overflow
  C] freeze caused by incomplete data block
  D] various crashes caused by corrupted data
Exploitation: remote, versus server and clients
Date: 14 Apr 2005
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bugs
3) The Code
4) Fix


###

===
1) Introduction
===


Yager is a futuristic air combat game developed by Yager Development
(http://www.yager.de) and published by THQ (http://www.thq.de) and
DreamCatcher Interactive (http://www.dreamcatchergames.com).
It has been released in September 2003.

Note: this game uses only LAN and direct IP multiplayer, so there is no
master server with the list of online servers (contrary to almost all
the existing multiplayer games).


###

===
2) Bugs
===

---
A] nickname buffer-overflow
---

The game is affected by a buffer-overflow in the nickname field (ID
0x1e) that can allow an attacker to execute malicious code.


-
B] data block buffer-overflow
-

The buffer used to receive the data from the socket is 256 bytes long
while the maximum size of the data block is 65536 (a 16 bit number)
causing a buffer-overflow.


-
C] freeze caused by incomplete data block
-

The server and the clients connected to it can be easily frozen by
sending incomplete data. The problem is that the game is
synchronized with the receiving of the network data, so it is blocked
until all the expected data is received.
For example, the header of the data blocks is 10 bytes long, so if we
send 9 or fewer bytes we are able to freeze the game.


---
D] various crashes caused by corrupted data
---

The game doesn't use enough checks to verify the correctness of the
data received, so it is possible to cause various crashes through the
usage of malformed data.


###

===
3) The Code
===


http://aluigi.altervista.org/poc/yagerbof.zip


###

==
4) Fix
==


No fix.
A patch should be released soon.


###


--- 
Luigi Auriemma
http://aluigi.altervista.org



[Full-disclosure] In-game server crash in Call of Duty 1.5b and United Offensive 1.51b

2005-04-04 Thread Luigi Auriemma

###

 Luigi Auriemma

Applications: Call of Duty <= 1.5b
  Call of Duty: United Offensive   <= 1.51b
  http://www.callofduty.com
Platforms:Windows only (Linux is safe and Mac has not been tested)
Bug:  crash
Exploitation: remote, versus server (in-game)
Date: 02 Apr 2005
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


Call of Duty and its expansion pack United Offensive are the famous
military FPS games developed by Infinity Ward
(http://www.infinityward.com) and Gray Matter Studios
(http://www.gmistudios.com).
The games have been released respectively in October 2003 and September
2004.


###

==
2) Bug
==


The game server is affected by a problem in the building of the
commands to visualize the clients' messages.
If the message is too long and the generated command is longer than
1024 chars, the server shows the dialog box of the exception handler
with a warning about a possible buffer-overflow and naturally the match
terminates.
In reality the bug doesn't seem to be a real buffer-overflow but I have
not deeply debugged the problem.

This is an in-game bug so the attacker must have access to the server;
if it's protected by password he must know the keyword, and then his
cd-key can be banned since CoD servers use the online authorization.


###

===
3) The Code
===


- download the following file:
http://aluigi.altervista.org/poc/codmsgboom.cfg
- place it in the base folder of the game: main or uo
- start a client and a server
- join the server
- go into the client console (~ key)
- type: /exec codmsgboom
- the server will crash showing an error


###

==
4) Fix
==


No fix.

Developers have not been contacted since another unpatched bug
(infostring overflow) has already existed for over one month and is
easier to exploit than this Windows-only problem, where attackers can be
banned and tracked.


###


--- 
Luigi Auriemma
http://aluigi.altervista.org



[Full-disclosure] In-game server buffer-overflow in Jedi Academy 1.011

2005-04-04 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Star Wars Jedi Knight: Jedi Academy
  http://www.lucasarts.com/products/jediacademy/
Versions: <= 1.011
Platforms:Windows, Linux and Mac
Bug:  buffer-overflow during the visualization of big messages
Exploitation: remote, versus server (in-game)
Date: 02 Apr 2005
Author:   Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


Jedi Academy is a first person shooter that uses the Quake 3 engine,
it's developed by Raven Software (http://www.ravensoft.com) and has
been released in September 2003.


###

==
2) Bug
==


The game is affected by a buffer-overflow in the visualization function
called G_Printf().
This function uses a sprintf() with a local buffer of 1024 bytes where
it stores the text to display in the console, so if an attacker sends a
big message (through the commands say and tell for example) the server
calls G_Printf() to visualize a string like the following example:

  say: NICKNAME: a...\n

The result is that an attacker could execute malicious code on the
victim server.
The only limitation is that this is an in-game bug so the attacker must
have access to the server; if it's protected by password he must know
the keyword.
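As an added example (not the Quake 3 or Jedi Academy source), the bounded formatter below shows the fix the advisory points at: the 1024-byte local buffer stays, but vsnprintf() bounds the write and reports truncation instead of letting a long "say" line run past the buffer. It also passes player text only as a %s argument, never as the format string, which is what removes the format-string bugs in the Warrior Kings and Mtp-Target advisories above. The nickname "Bob", the "a..." message and the function names are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same buffer size as the advisory's G_Printf(): 1024 bytes. */
#define CONSOLE_BUF 1024

/* Hardened console formatter. vsnprintf() never writes more than dst_len
 * bytes, so an over-long line is cut short instead of overwriting the stack.
 * Returns the number of bytes stored in dst (excluding the NUL) and sets
 * *truncated when the formatted text did not fit. */
size_t safe_console_format(char *dst, size_t dst_len, int *truncated,
                           const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(dst, dst_len, fmt, ap);   /* n = length it wanted */
    va_end(ap);
    if (n < 0) {                                /* encoding error: emit nothing */
        dst[0] = '\0';
        *truncated = 0;
        return 0;
    }
    *truncated = (size_t)n >= dst_len;
    return *truncated ? dst_len - 1 : (size_t)n;
}

/* Builds the "say: NICKNAME: message" line from the advisory. Nickname and
 * message are %s arguments; if either were used as the format string, the
 * attacker would control the conversions (the format-string bug pattern). */
size_t format_say_line(const char *nick, const char *msg, int *truncated)
{
    char buf[CONSOLE_BUF];                      /* the 1024-byte local buffer */
    return safe_console_format(buf, sizeof buf, truncated,
                               "say: %s: %s\n", nick, msg);
}

/* Test driver: constructed nickname "Bob" and a message of msg_len 'a'
 * characters, like the advisory's "a..." example. "say: Bob: " is 10 bytes
 * and the newline 1, so the full line is msg_len + 11 bytes long. */
static size_t demo_say(size_t msg_len, int *truncated)
{
    char *msg = malloc(msg_len + 1);
    if (msg == NULL) {
        *truncated = 0;
        return 0;
    }
    memset(msg, 'a', msg_len);
    msg[msg_len] = '\0';
    size_t stored = format_say_line("Bob", msg, truncated);
    free(msg);
    return stored;
}

/* Thin wrappers so each result can be checked on its own. */
size_t demo_say_len(size_t msg_len)      { int t; return demo_say(msg_len, &t); }
int    demo_say_truncated(size_t msg_len){ int t; demo_say(msg_len, &t); return t; }
```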


###

===
3) The Code
===


- download the following file:
http://aluigi.altervista.org/poc/jamsgbof.cfg
- place it in the base folder of the game: GameData\base
- start a client and a server
- join the server
- go into the client console (shift + ~)
- type: /exec jamsgbof
- the server will crash with the return address overwritten with
  0x61616161


###

==
4) Fix
==


No fix.
The game "should" be no longer supported.


###


--- 
Luigi Auriemma
http://aluigi.altervista.org



[Full-disclosure] In-game players kicking in the Quake 3 engine

2005-04-04 Thread Luigi Auriemma

###

 Luigi Auriemma

Application:  Quake 3 engine
  http://www.idsoftware.com
Vulnerables:  - Call of Duty <= 1.5
  - Call of Duty: United Offensive  <= 1.51
  - Quake III Arena <= 1.32
  - Return to Castle Wolfenstein<= 1.41
  - Soldier of Fortune II: Double Helix <= 1.03
  - Star Wars Jedi Knight II: Jedi Outcast  <= 1.04
  - Star Wars Jedi Knight: Jedi Academy  <= 1.0.1.0
  - Wolfenstein: Enemy Territory <= 1.02 / 2.56
  ... possibly others
"Seem" safe:  - Medal of Honor: Allied Assault(no effects)
  - Medal of Honor: Breakthrough
  - Medal of Honor: Spearhead
  - Star Trek Voyager: Elite Force(attacker only)
  - Star Trek: Elite Force II (attacker crash only)
  - Wolfenstein: Enemy Territory 2.60 (patched)
Platforms:Windows, Linux and Mac
Bug:  bad handling of big commands/messages
Exploitation: remote, versus clients (in-game)
Date: 02 Apr 2005
Author:   unknown, the bug has been reported to me by an admin of
  the game Return of Castle Wolfenstein
Advisory: Luigi Auriemma
  e-mail: [EMAIL PROTECTED]
  web:http://aluigi.altervista.org


###


1) Introduction
2) Bug
3) The Code
4) Fix


###

===
1) Introduction
===


The Quake 3 engine is the well known game engine developed by ID
Software (http://www.idsoftware.com) and is used by many games.


###

==
2) Bug
==


This problem has been well known in the community of the Return to Castle
Wolfenstein and Enemy Territory games for a long time (over one year),
and the latter is actually the only game to have an official patch,
released just some weeks ago.

An interesting explanation of this bug and a method to fix it by modifying
the source code of the vulnerable games (SDK) is available here:

  http://bani.anime.net/banimod/forums/viewtopic.php?p=27322

In short the problem is in how the engine handles the commands longer
than 1022 chars: in fact they are automatically truncated at that size
and the rest of the chars is handled as network data, confusing the
engine.

If an attacker joins a server and sends a too big message, any client in
the server will automatically disconnect showing the
"CL_ParseServerMessage: Illegible server message" error.

In some games or some of their older versions a server crash could also
happen; that's not caused by this bug but by other problems
explained in the following advisories:

  http://aluigi.altervista.org/adv/jamsgbof-adv.txt
  http://aluigi.altervista.org/adv/codmsgboom-adv.txt

Only in Soldier of Fortune II does a client crash happen instead of the
simple disconnection, but the game supports only the vsay_team command
and so only the players in the same team as the attacker will be
crashed.

The problem is in-game so the attacker must have access to the server;
if it is protected by password and he doesn't know the keyword, or his
IP/guid has been banned, he cannot exploit the bug.


###

===
3) The Code
===


- download the following file:
http://aluigi.altervista.org/poc/q3msgboom.cfg
- place it in the base folder of your game (like baseq3, etmain, main,
  base and so on)
- start a client and a server or, if possible, more clients to test
  the effects of the bug better
- join the server
- go into the console of a client (~ key or shift + ~)
- type: /exec q3msgboom
- any client in the server will disconnect immediately.
  If nothing happens or the vsay command is not supported, modify the
  q3msgboom.cfg file using other commands like say or vsay_team.
  Jedi Knight II needs the script to be executed a few times before
  seeing the effects.


###

==
4) Fix
==


Currently only Enemy Territory 2.60 is officially fixed.

I have tried many times in these last weeks to find a universal way
to fix the bug but I had no luck; in fact the method suggested by
Banimod (http://bani.anime.net/banimod/forums/viewtopic.php?p=27322) is
ok but requires the recompilation of the SDK (where available).

Anyway the function to modify is located in the "game" code (the name
of a specific portion of the engine) that some games have built as a
DLL while others as a QVM file (harder to fix an
