From aluigi@autistici.org Wed Nov  2 20:23:26 2005
X-Auth-No: 
Return-Path: <full-disclosure-bounces@lists.grok.org.uk>
Received: from lists.grok.org.uk not authenticated [195.184.125.51]
	by smtp-send.myrealbox.com with NetMail SMTP Agent $Revision: 1.6 $ on Linux;
	Wed, 02 Nov 2005 12:23:27 -0700
Received: from lists.grok.org.uk (localhost [127.0.0.1])
	by lists.grok.org.uk (Postfix) with ESMTP id 3ECD6DC0;
	Wed,  2 Nov 2005 19:23:03 +0000 (GMT)
X-Original-To: full-disclosure@lists.grok.org.uk
Delivered-To: full-disclosure@lists.grok.org.uk
Received: from latitanza.investici.org (latitanza.investici.org
	[82.94.249.234])
	by lists.grok.org.uk (Postfix) with ESMTP id D22CDBD6
	for <full-disclosure@lists.grok.org.uk>;
	Wed,  2 Nov 2005 19:22:50 +0000 (GMT)
Received: from localhost (localhost [127.0.0.1])
	by latitanza.investici.org (Postfix) with ESMTP id 83C5A11800A;
	Wed,  2 Nov 2005 20:22:50 +0100 (CET)
Received: from latitanza.investici.org ([127.0.0.1])
	by localhost (latitanza [127.0.0.1]) (amavisd-new, port 10024)
	with SMTP id 08045-03; Wed, 2 Nov 2005 20:22:49 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by latitanza.investici.org (Postfix) with ESMTP id EC68D118006;
	Wed,  2 Nov 2005 20:22:48 +0100 (CET)
Date: Wed, 2 Nov 2005 20:23:26 +0100
From: Luigi Auriemma <aluigi@autistici.org>
To: bugtraq@securityfocus.com,
 bugs@securitytracker.com,
 news@securiteam.com,
 full-disclosure@lists.grok.org.uk,
 vuln@secunia.com
Message-Id: <20051102202326.5bdc9b72.aluigi@autistici.org>
Mime-Version: 1.0
Content-Type: text/plain;
  charset=US-ASCII
Content-Transfer-Encoding: 7bit
Cc: 
Subject: [Full-disclosure] Multiple vulnerabilities in Scorched 3D 39.1
X-BeenThere: full-disclosure@lists.grok.org.uk
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: An unmoderated mailing list for the discussion of security issues
	<full-disclosure.lists.grok.org.uk>
List-Unsubscribe: <https://lists.grok.org.uk/mailman/listinfo/full-disclosure>, 
	<mailto:full-disclosure-request@lists.grok.org.uk?subject=unsubscribe>
List-Archive: <http://lists.grok.org.uk/pipermail/full-disclosure>
List-Post: <mailto:full-disclosure@lists.grok.org.uk>
List-Help: <mailto:full-disclosure-request@lists.grok.org.uk?subject=help>
List-Subscribe: <https://lists.grok.org.uk/mailman/listinfo/full-disclosure>, 
	<mailto:full-disclosure-request@lists.grok.org.uk?subject=subscribe>
Sender: full-disclosure-bounces@lists.grok.org.uk
Errors-To: full-disclosure-bounces@lists.grok.org.uk
Status: R
X-Status: NC
X-KMail-EncryptionState:  
X-KMail-SignatureState:  
X-KMail-MDN-Sent:  


#######################################################################

                             Luigi Auriemma

Application:  Scorched 3D
              http://www.scorched3d.co.uk
Versions:     <= 39.1 (bf)
Platforms:    Windows, Linux, MacOS, FreeBSD and Solaris
Bugs:         A] format string and buffer-overflow in addLine and
                 SendString*
              B] server freeze through negative numplayers
              C] ComsMessageHandler buffer-overflow
              D] various crashes and possible code execution in
                 Logger.cpp
Exploitation: remote, versus server
Date:         02 Nov 2005
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Scorched 3D is a great and well known open source multiplayer game
inspired to the old classic Scorched Earth.


#######################################################################

=======
2) Bugs
=======

---------------------------------------------------------------
A] format string and buffer-overflow in addLine and SendString*
---------------------------------------------------------------

The game is affected by many format string and buffer-overflow bugs
which are "mainly" located in the GLConsole::addLine, all the
ServerCommon::sendString* and ServerCommon::serverLog functions.
All these functions use vsprintf with static buffers of various lengths
(like 1024, 2048 and 10000) and some of them are called from
instructions that pass the user's input (like messages or commands and
values) directly as format argument opening the server also to format
string attacks.


--------------------------------------------
B] server freeze through negative numplayers
--------------------------------------------

Scorched 3D clients use a strange field called numplayers used for
creating a specific number of players in the server (although the
client is only one).
The problem is in the usage of a negative numplayers value which first
bypasses the (signed) check used in the code and then freezes the
server that enters in an almost endless loop located in
ServerConnectHandler.cpp:

	for (unsigned int i=0; i<message.getNoPlayers(); i++)
	{
		addNextTank(destinationId,
			ipAddress,	
			uniqueId.c_str(),
			message.getHostDesc(),
			false);
	}

If the server is protected with a password the attacker must know the
right keyword.


-------------------------------------
C] ComsMessageHandler buffer-overflow
-------------------------------------

Exists a buffer-overflow in the creation of the following error
messages in ComsMessageHandler.cpp:

		char buffer[1024];
		sprintf(buffer, "Failed to find message type handler \"%s
\"", messageType.c_str());
and
		char buffer[1024];
		sprintf(buffer, "Failed to handle message type \"%s\"",
			messageType.c_str());

For exploiting the bug is enough to use a command longer than the
buffer used by these instructions.


------------------------------------------------------------
D] various crashes and possible code execution in Logger.cpp
------------------------------------------------------------

When an attacker uses some long values, like a big UniqueID, the server
crashes immediately.
The problem is located in some of the functions of Logger.cpp and seems
also possible to execute remote code.
In one of the ways I have found to exploit the bug is needed to know
the keyword of the server if uses a password, but could exist other
better ways to exploit the vulnerability.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/scorchbugs.zip


#######################################################################

======
4) Fix
======


No fix.
No reply from the developers.


#######################################################################


--- 
Luigi Auriemma 
http://aluigi.altervista.org 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/