
Bug 39302

Summary: games-strategy/scorched3d-36.2: format string crashes server and client
Product: Gentoo Security
Reporter: FieldySnuts <sgtphou>
Component: GLSA Errors
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: critical
CC: games
Priority: High
Flags: koon: Assigned_To? (koon)
Version: unspecified
Hardware: x86
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: incomplete-bounds-checking.diff

Description FieldySnuts 2004-01-24 19:19:40 UTC
games-strategy/scorched3d-36.2 suffers from a format string problem that crashes clients and servers. If this is used while playing standalone, the client will crash. If this is used while playing on a server, the server will crash, and all clients will be disconnected.

Bring up a chat box while in the game (T key), type %n%n%n, and hit enter. You will see the above results.

This is gdb output from when the game was started as a server. Then I connected as a client, performed the above steps. Server crashed, and I did a backtrace:

Starting program: /usr/games/bin/scorched3d
(no debugging symbols found)...(no debugging symbols found)...[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 15861)]

(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...[New Thread 32769 (LWP 15900)]
[New Thread 16386 (LWP 15901)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 15861)]
0x40873de8 in vfprintf () from /lib/libc.so.6
(gdb) backtrace
#0  0x40873de8 in vfprintf () from /lib/libc.so.6
#1  0x4088e23c in vsprintf () from /lib/libc.so.6
#2  0x0809302e in std::basic_string<char, std::char_traits<char>, std::allocator<char> > std::operator+<char, std::char_traits<char>, std::allocator<char> >(char const*, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ()
#3  0x0815cce0 in wxBitmapButtonBase::SetLabel(wxString const&) ()
#4  0x0818a3b7 in wxMenuItemList::~wxMenuItemList() ()
#5  0x080eb683 in std::basic_string<char, std::char_traits<char>, std::allocator<char> > std::operator+<char, std::char_traits<char>, std::allocator<char> >(char const*, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ()
#6  0x080ee7d0 in std::basic_string<char, std::char_traits<char>, std::allocator<char> > std::operator+<char, std::char_traits<char>, std::allocator<char> >(char const*, std::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) ()
#7  0x081859f8 in wxMenuItemList::~wxMenuItemList() ()
#8  0x4052188d in wxEvtHandler::SearchEventTable(wxEventTable&, wxEvent&) ()
   from /usr/lib/libwx_gtk-2.4.so
#9  0x405216b3 in wxEvtHandler::ProcessEvent(wxEvent&) ()
   from /usr/lib/libwx_gtk-2.4.so
#10 0x405d50db in wxTimerBase::Notify() () from /usr/lib/libwx_gtk-2.4.so
#11 0x404cc44d in timeout_callback () from /usr/lib/libwx_gtk-2.4.so
#12 0x40e03ecb in g_timeout_dispatch () from /usr/lib/libglib-1.2.so.0
#13 0x40e0462e in g_main_dispatch () from /usr/lib/libglib-1.2.so.0
#14 0x40e043eb in g_main_iterate () from /usr/lib/libglib-1.2.so.0
---Type <return> to continue, or q <return> to quit---
#15 0x40e03384 in g_main_run () from /usr/lib/libglib-1.2.so.0
#16 0x40cefbf7 in gtk_main () from /usr/lib/libgtk-1.2.so.0
#17 0x404786c9 in wxApp::MainLoop() () from /usr/lib/libwx_gtk-2.4.so
#18 0x404dbfa7 in wxAppBase::OnRun() () from /usr/lib/libwx_gtk-2.4.so
#19 0x40478edd in wxEntry(int, char**) () from /usr/lib/libwx_gtk-2.4.so
#20 0x08177791 in wxMenuItemList::~wxMenuItemList() ()
#21 0x4083f7a7 in __libc_start_main () from /lib/libc.so.6
#22 0x08055711 in ?? ()
(gdb) quit
The program is running.  Exit anyway? (y or n) y



Portage 2.0.49-r18 (default-x86-1.4, gcc-3.2.3, glibc-2.3.2-r1, 2.6.1)
=================================================================
System uname: 2.6.1 i686 AMD Athlon(TM) XP 1800+
Gentoo Base System version 1.4.3.10p1
distcc 2.12.1 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.3 [enabled]
ACCEPT_KEYWORDS="x86 ~x86"
AUTOCLEAN="yes"
CFLAGS="-fstack-protector -O2 -march=athlon-xp -fomit-frame-pointer -funroll-loops -fprefetch-loop-arrays -pipe -mmmx -msse -m3dnow -mfpmath=sse,387"
CHOST="i686-pc-linux-gnu"
COMPILER="gcc3"
CONFIG_PROTECT="/etc /usr/X11R6/lib/X11/xkb /usr/kde/2/share/config /usr/kde/3.1/share/config /usr/kde/3.2/share/config /usr/kde/3/share/config /usr/share/config /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
CXXFLAGS="-fstack-protector -O2 -march=athlon-xp -fomit-frame-pointer -funroll-loops -fprefetch-loop-arrays -pipe -mmmx -msse -m3dnow -mfpmath=sse,387"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs buildpkg ccache notitles sandbox"
GENTOO_MIRRORS="ftp://ftp.ussg.iu.edu/pub/linux/gentoo ftp://gentoo.noved.org/ http://mirror.tucdemonic.org/gentoo/ http://mirror.clarkson.edu/pub/distributions/gentoo/"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="3dnow X aalib alsa apm avi berkdb cdr crypt cups dv encode foomaticdb gdbm gif gnome gpm gtk gtk2 imlib java jpeg kde ldap libg++ libwww mad mikmod mmx motif mozilla mpeg ncurses nls oggvorbis opengl oss pam pdflib perl png python qt quicktime readline sdl slang spell sse ssl svga tcltk tcpd tiff truetype x86 xml2 xmms xv zlib"
Comment 1 SpanKY gentoo-dev 2004-01-24 19:23:01 UTC
unless it's exploitable there's no need for security to be involved

is this known upstream ?
Comment 2 FieldySnuts 2004-01-24 19:31:26 UTC
I do not know if upstream is aware of this.

Also, I don't know if this accomplishes anything, but I recompiled it with -fstack-protector in CFLAGS, which is supposed to turn on propolice in GCC. Game runs fine, however still crashes as above. Perhaps this alleviates real security problems that may stem from this? Just guessing.
Comment 3 Tim Yamin (RETIRED) gentoo-dev 2004-01-25 02:31:51 UTC
I'm adding security back in because this is exploitable. Read paragraph 2, Mike, please...
Comment 4 SpanKY gentoo-dev 2004-01-25 02:35:39 UTC
I don't see anything anywhere that says 'exploitable' ...

DoS (crashing the server and punting the clients) is not GLSA worthy ...

so what am I missing? :p
Comment 5 solar (RETIRED) gentoo-dev 2004-01-25 13:22:06 UTC
The %n in a format string is what leads to heap overflows. There have been quite a number of papers published on this subject.

I've unpacked the scorched3d source and taken a peek, and I've got to say there are quite a few potential attack vectors in it.

Code such as printf(foo); often indicates a bug, since foo may contain a % character. If foo comes from untrusted user input, it may contain %n, causing the printf call to write to memory and creating a security hole.

In theory sending a carefully crafted (perhaps udp) packet to somebody connected to a scorched3d server could cause remote clients to crash or even execute arbitrary code.
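The pattern solar describes (untrusted chat text used as the format string) and its fix, as an added example in C that is not scorched3d code; the function names and the "[player] msg" chat layout are assumptions:

```c
#include <stdio.h>
#include <string.h>

/* Added example, not scorched3d code: function names and the "[player] msg"
 * chat format are assumptions. */

/* What "%n" means when the programmer controls the format string: it stores
 * the number of bytes produced so far through the matching int* argument.
 * Legitimate here, because the pointer is ours. In the bug, the chat text
 * itself was the format, so each "%n" wrote through whatever the callee
 * found where an argument should have been. */
int bytes_before_n(const char *player)
{
    int written = -1;
    char buf[64];
    snprintf(buf, sizeof buf, "[%s] %n", player, &written);
    return written;                       /* "[bob] " -> 6 */
}

/* The fix for this bug class: untrusted text is always a "%s" argument,
 * never the format, and the destination is bounds-checked (the "basic
 * bounds checking" the attached patch starts on). Returns the bytes
 * written, or -1 when the line did not fit; out is NUL-terminated either
 * way. The original pattern sprintf(buf, msg) is flagged at compile time
 * by gcc/clang -Wformat -Wformat-security. */
int format_chat_line(char *out, size_t outsz, const char *player, const char *msg)
{
    if (outsz == 0)
        return -1;
    int n = snprintf(out, outsz, "[%s] %s", player, msg);
    if (n < 0) {
        out[0] = '\0';
        return -1;
    }
    if ((size_t)n >= outsz)
        return -1;                        /* truncated, still NUL-terminated */
    return n;
}

int main(void)
{
    char line[32];
    /* The reproduction from the bug report, now just six ordinary bytes. */
    int n = format_chat_line(line, sizeof line, "bob", "%n%n%n");
    printf("%d bytes: %s\n", n, line);    /* 12 bytes: [bob] %n%n%n */
    printf("%%n stored %d\n", bytes_before_n("bob"));
    return 0;
}
```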
Comment 6 solar (RETIRED) gentoo-dev 2004-01-25 13:29:52 UTC
Created attachment 24409
incomplete-bounds-checking.diff

More auditing needs to be done.

Untested and incomplete patch by itself. It's a start for anybody interested in adding basic bounds checking.
Comment 7 SpanKY gentoo-dev 2004-01-26 14:37:25 UTC
I got a reply back from the author and he said he'll tackle it:

Thanks for the e-mail.  I will fix that, should be fairly easily done.
I should have thought of it really :).

I have also seen the patch on the link you sent, although snprintf would
be a good idea, there is no equivalent on windows.  This may not be so
easily done.
Comment 8 SpanKY gentoo-dev 2004-04-05 20:33:27 UTC
games-strategy/scorched3d-37 is in portage

A GLSA can go out now.
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2004-04-07 08:22:09 UTC
Changing product to GLSA
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2004-04-09 02:53:20 UTC
GLSA on its way
Comment 11 Kurt Lieber (RETIRED) gentoo-dev 2004-04-09 06:31:34 UTC
GLSA 200404-12