Gentoo's Bugzilla – Attachment 72076 Details for Bug 111421: games-strategy/scorched3d-39.1: Multiple Vulnerabilities
Attachment: advisory.txt (text/plain), 6.91 KB, created by Carsten Lohrke (RETIRED) on 2005-11-03 15:39:27 UTC
>From aluigi@autistici.org Wed Nov 2 20:23:26 2005
>Date: Wed, 2 Nov 2005 20:23:26 +0100
>From: Luigi Auriemma <aluigi@autistici.org>
>To: bugtraq@securityfocus.com, bugs@securitytracker.com, news@securiteam.com,
>    full-disclosure@lists.grok.org.uk, vuln@secunia.com
>Message-Id: <20051102202326.5bdc9b72.aluigi@autistici.org>
>Subject: [Full-disclosure] Multiple vulnerabilities in Scorched 3D 39.1
>
>#######################################################################
>
>                             Luigi Auriemma
>
>Application:  Scorched 3D
>              http://www.scorched3d.co.uk
>Versions:     <= 39.1 (bf)
>Platforms:    Windows, Linux, MacOS, FreeBSD and Solaris
>Bugs:         A] format string and buffer-overflow in addLine and
>                 SendString*
>              B] server freeze through negative numplayers
>              C] ComsMessageHandler buffer-overflow
>              D] various crashes and possible code execution in
>                 Logger.cpp
>Exploitation: remote, versus server
>Date:         02 Nov 2005
>Author:       Luigi Auriemma
>              e-mail: aluigi@autistici.org
>              web:    http://aluigi.altervista.org
>
>
>#######################################################################
>
>
>1) Introduction
>2) Bugs
>3) The Code
>4) Fix
>
>
>#######################################################################
>
>===============
>1) Introduction
>===============
>
>
>Scorched 3D is a great and well known open source multiplayer game
>inspired by the old classic Scorched Earth.
>
>
>#######################################################################
>
>=======
>2) Bugs
>=======
>
>---------------------------------------------------------------
>A] format string and buffer-overflow in addLine and SendString*
>---------------------------------------------------------------
>
>The game is affected by many format string and buffer-overflow bugs
>which are "mainly" located in the GLConsole::addLine, all the
>ServerCommon::sendString* and ServerCommon::serverLog functions.
>All these functions use vsprintf with static buffers of various lengths
>(like 1024, 2048 and 10000) and some of them are called from
>instructions that pass the user's input (like messages or commands and
>values) directly as format argument, opening the server also to format
>string attacks.
>
>
>--------------------------------------------
>B] server freeze through negative numplayers
>--------------------------------------------
>
>Scorched 3D clients use a strange field called numplayers used for
>creating a specific number of players in the server (although the
>client is only one).
>The problem is in the usage of a negative numplayers value which first
>bypasses the (signed) check used in the code and then freezes the
>server, which enters an almost endless loop located in
>ServerConnectHandler.cpp:
>
>  for (unsigned int i=0; i<message.getNoPlayers(); i++)
>  {
>      addNextTank(destinationId,
>          ipAddress,
>          uniqueId.c_str(),
>          message.getHostDesc(),
>          false);
>  }
>
>If the server is protected with a password the attacker must know the
>right keyword.
>
>
>-------------------------------------
>C] ComsMessageHandler buffer-overflow
>-------------------------------------
>
>There is a buffer-overflow in the creation of the following error
>messages in ComsMessageHandler.cpp:
>
>  char buffer[1024];
>  sprintf(buffer, "Failed to find message type handler \"%s\"",
>      messageType.c_str());
>
>and
>
>  char buffer[1024];
>  sprintf(buffer, "Failed to handle message type \"%s\"",
>      messageType.c_str());
>
>To exploit the bug it is enough to use a command longer than the
>buffer used by these instructions.
>
>
>------------------------------------------------------------
>D] various crashes and possible code execution in Logger.cpp
>------------------------------------------------------------
>
>When an attacker uses some long values, like a big UniqueID, the server
>crashes immediately.
>The problem is located in some of the functions of Logger.cpp and it
>seems also possible to execute remote code.
>In one of the ways I have found to exploit the bug it is needed to know
>the keyword of the server if it uses a password, but other, better ways
>to exploit the vulnerability could exist.
>
>
>#######################################################################
>
>===========
>3) The Code
>===========
>
>
>http://aluigi.altervista.org/poc/scorchbugs.zip
>
>
>#######################################################################
>
>======
>4) Fix
>======
>
>
>No fix.
>No reply from the developers.
>
>
>#######################################################################
>
>
>---
>Luigi Auriemma
>http://aluigi.altervista.org
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/
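The two code-level defects behind sections A/C and B of the advisory above, shown as an added example in C (this is not code from Scorched 3D or from the advisory): the unbounded sprintf into a fixed buffer next to its bounded form with a literal format string, and the signed-to-unsigned player-count problem next to a check that rejects bad values before the conversion happens. The function names, the buffer sizes and the MAX_PLAYERS_PER_CONNECTION limit are assumptions chosen for illustration.

```c
#include <limits.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Assumed per-connection limit; Scorched 3D's real limit is not given
 * in the advisory. */
#define MAX_PLAYERS_PER_CONNECTION 4

/* Replica of the pattern quoted from ComsMessageHandler.cpp: the write
 * is not bounded by the size of buffer, so a messageType longer than
 * about 990 bytes overruns it. Kept for contrast only; not called. */
void handler_error_unsafe(char *buffer /* char[1024] */, const char *message_type)
{
    sprintf(buffer, "Failed to handle message type \"%s\"", message_type);
}

/* Hardened form: the format is a literal, the user text goes through %s
 * (so it can never act as a format string) and the write is bounded.
 * Returns 1 when the message fit, 0 when it was truncated, so the caller
 * can log the truncation instead of silently losing data. */
int handler_error_safe(char *buffer, size_t buflen, const char *message_type)
{
    int n = snprintf(buffer, buflen, "Failed to handle message type \"%s\"", message_type);
    return n >= 0 && (size_t)n < buflen;
}

/* Bounded replacement for the vsprintf wrappers (addLine, sendString,
 * serverLog). Callers must still pass a literal fmt and route any
 * player-supplied text through %s. */
int server_log_safe(char *buffer, size_t buflen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buffer, buflen, fmt, ap);
    va_end(ap);
    return n >= 0 && (size_t)n < buflen;
}

/* Number of iterations the quoted loop performs for a given numplayers:
 * the counter is unsigned int, so comparing it against a negative value
 * converts that value to a huge unsigned number. */
unsigned int loop_iterations_for(int no_players)
{
    return (unsigned int)no_players;
}

/* Check that belongs before the loop: reject the value while it is still
 * signed, then bound it by the server's limit. */
int check_num_players(int requested, unsigned int max_players)
{
    if (requested < 1)
        return 0;
    if ((unsigned int)requested > max_players)
        return 0;
    return 1;
}

int main(void)
{
    char buf[64];
    char big[2000];
    memset(big, 'A', sizeof big - 1);   /* constructed oversized input */
    big[sizeof big - 1] = '\0';

    printf("short fits: %d\n", handler_error_safe(buf, sizeof buf, "x"));
    printf("long fits: %d (buffer kept to %zu bytes)\n",
           handler_error_safe(buf, sizeof buf, big), strlen(buf));
    printf("iterations for numplayers=-1: %u\n", loop_iterations_for(-1));
    printf("check(-1): %d  check(4): %d  check(5): %d\n",
           check_num_players(-1, MAX_PLAYERS_PER_CONNECTION),
           check_num_players(4, MAX_PLAYERS_PER_CONNECTION),
           check_num_players(5, MAX_PLAYERS_PER_CONNECTION));
    return 0;
}
```

The order of the two tests in check_num_players matters: comparing first and converting afterwards is exactly the bug, since a negative int cast to unsigned passes any upper-bound comparison. The same value that this check rejects is what loop_iterations_for reports as roughly four billion iterations of addNextTank.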