First Last Prev Next    No search results available      Search page      Enter new bug
Bug#: 191484
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Matt Fleming (RETIRED) <mjf@gentoo.org>
Add CC:
CC:
Remove selected CCs
URL:
Summary:
Status Whiteboard:
Keywords:
Flags: Requestee:
 
 
  ()

Filename Description Type Creator Created Size Actions
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 191484 depends on: Show dependency tree
Bug 191484 blocks:

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2007-09-06 11:06 0000 
----------------------------------------
A] in-game format string in safe_bprintf
----------------------------------------

A format string vulnerability is located in the safe_bprintf function
caused by the usage of cprintf without the needed format argument.
The bug can be exploited in-game (so with the usual possible password
and banning limitations) using a malformed nickname:

from game/acesrc/acebot_cmds.c:

void safe_bprintf (int printlevel, char *fmt, ...)
{
    int i;
    char bigbuffer[0x10000];
    int len;
    va_list argptr;
    edict_t *cl_ent;

    va_start (argptr,fmt);
    len = vsprintf (bigbuffer,fmt,argptr);
    va_end (argptr);

    if (dedicated->value)
        gi.cprintf(NULL, printlevel, bigbuffer);

    for (i=0 ; i<maxclients->value ; i++)
    {
        cl_ent = g_edicts + 1 + i;
        if (!cl_ent->inuse || cl_ent->is_bot)
            continue;

        gi.cprintf(cl_ent, printlevel, bigbuffer);
    }
}

-------------------------------------------------------
B] clients disconnection through spoofed client_connect
-------------------------------------------------------

When queried the game server returns many informations included the
list of players which are currently playing and their IP addresses too.
Although the Quake 2 protocol isn't prone to spoofing attacks
(differently to what happens with Quake 3 and the disconnect packet)
here is possible to block and disconnect all the clients which are
playing on the server simply using the "client_connect" command.

So an attacker needs only to query the server, getting the list of
IP:port of the players and sending this command to them using the IP
and the port of the server as source.
The client will be no longer able to move or send commands in the
server and after some minutes it will time out, until this moment it
cannot rejoin the same server. 

======
4) Fix
======

No fix.
The developer has not been contacted because he is too stupid for
understanding a bug report:

  http://www.quakesrc.org/forums/viewtopic.php?t=6843&start=1

------- Comment #1 From Matt Fleming (RETIRED) 2007-09-06 11:10:01 0000 ------- 
CC'ing herd and setting whiteboard status.

------- Comment #2 From Robert Buchholz 2007-09-23 16:57:00 0000 ------- 
CVE assigned CVE-2007-4754 and CVE-2007-4755.
Games, please advise.

Nico Golde from Debian fixed this issue in [1], the patch is at [2].
[1] http://bugs.debian.org/442075
[2]
http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=20;filename=alien-arena_6.05-4_6.05-4.1.patch;att=1;bug=442075

------- Comment #3 From Tristan Heaven 2007-09-24 21:27:33 0000 ------- 
patched in alienarena-20070613-r1

------- Comment #4 From Sune Kloppenborg Jeppesen 2007-09-24 21:32:33 0000 ------- 
Thx Tristan. Closing with no GLSA.
First Last Prev Next    No search results available      Search page      Enter new bug