191484 – games-fps/alienarena Format String and DoS vulnerabilities (CVE-2007-475[45])

Bug 191484 - games-fps/alienarena Format String and DoS vulnerabilities (CVE-2007-475[45])

Summary: games-fps/alienarena Format String and DoS vulnerabilities (CVE-2007-475[45])

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High trivial
Assignee:	Gentoo Security

URL:	http://archives.neohapsis.com/archive...
Whiteboard:	~1 [noglsa]
Keywords:

Depends on:
Blocks:

Reported:	2007-09-06 11:06 UTC by Matt Fleming (RETIRED)
Modified:	2007-09-24 21:32 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Matt Fleming (RETIRED) gentoo-dev

2007-09-06 11:06:34 UTC

----------------------------------------
A] in-game format string in safe_bprintf
----------------------------------------

A format string vulnerability is located in the safe_bprintf function
caused by the usage of cprintf without the needed format argument.
The bug can be exploited in-game (so with the usual possible password
and banning limitations) using a malformed nickname:

from game/acesrc/acebot_cmds.c:

void safe_bprintf (int printlevel, char *fmt, ...)
{
    int i;
    char bigbuffer[0x10000];
    int len;
    va_list argptr;
    edict_t *cl_ent;

    va_start (argptr,fmt);
    len = vsprintf (bigbuffer,fmt,argptr);
    va_end (argptr);

    if (dedicated->value)
        gi.cprintf(NULL, printlevel, bigbuffer);

    for (i=0 ; i<maxclients->value ; i++)
    {
        cl_ent = g_edicts + 1 + i;
        if (!cl_ent->inuse || cl_ent->is_bot)
            continue;

        gi.cprintf(cl_ent, printlevel, bigbuffer);
    }
}

-------------------------------------------------------
B] clients disconnection through spoofed client_connect
-------------------------------------------------------

When queried the game server returns many informations included the
list of players which are currently playing and their IP addresses too.
Although the Quake 2 protocol isn't prone to spoofing attacks
(differently to what happens with Quake 3 and the disconnect packet)
here is possible to block and disconnect all the clients which are
playing on the server simply using the "client_connect" command.

So an attacker needs only to query the server, getting the list of
IP:port of the players and sending this command to them using the IP
and the port of the server as source.
The client will be no longer able to move or send commands in the
server and after some minutes it will time out, until this moment it
cannot rejoin the same server. 

======
4) Fix
======

No fix.
The developer has not been contacted because he is too stupid for
understanding a bug report:

  http://www.quakesrc.org/forums/viewtopic.php?t=6843&start=1

Comment 1 Matt Fleming (RETIRED) gentoo-dev

2007-09-06 11:10:01 UTC

CC'ing herd and setting whiteboard status.

Comment 2 Robert Buchholz (RETIRED) gentoo-dev

2007-09-23 16:57:00 UTC

CVE assigned CVE-2007-4754 and CVE-2007-4755.
Games, please advise.

Nico Golde from Debian fixed this issue in [1], the patch is at [2].
[1] http://bugs.debian.org/442075
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=20;filename=alien-arena_6.05-4_6.05-4.1.patch;att=1;bug=442075

Comment 3 Tristan Heaven (RETIRED) gentoo-dev

2007-09-24 21:27:33 UTC

patched in alienarena-20070613-r1

Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2007-09-24 21:32:33 UTC

Thx Tristan. Closing with no GLSA.