Bug 144867 - games-puzzle/gtetrinet 0.7.9 remote code execution (CVE-2006-3125)
Summary: games-puzzle/gtetrinet 0.7.9 remote code execution (CVE-2006-3125)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://www.debian.org/security/2006/d...
Whiteboard: B1 [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2006-08-23 08:58 UTC by Sune Kloppenborg Jeppesen
Modified: 2006-09-06 08:41 UTC

See Also:
Package list:
Runtime testing required: ---
Description Sune Kloppenborg Jeppesen gentoo-dev 2006-08-23 08:58:37 UTC
I incidentally found a bug in gtetrinet 0.7.9 which allows malicious
tetrinet servers to inject code into a client. The problem lies in the
function tetrinet_inmessage (tetrinet.c line 174++):

733   case IN_LVL:
734        {
735            char *token;
736            int pnum;                        << signed int
737            token = strtok (data, " ");      << data from server
738            if (token == NULL) break;
739            pnum = atoi (token);
740            if (pnum >= MAX_PLAYERS)         << only check upper bound
741              break;
742            token = strtok (NULL, "");
743            if (token == NULL) break;
744            playerlevels[pnum] = atoi (token); << use pnum as index

So if the server sends a negative pnum, arbitrary memory regions can be
overwritten (e.g. inject shellcode/overwrite GOT entry). This issue can
easily be fixed by checking pnum for a negative value.

Within this function there are several other instances where the pnum
isn't checked for negative values (IN_PLAYERJOIN, IN_PLAYERLEAVE, ...)
and is later used as an array index, and thus can be abused for
arbitrary memory overwrites.

The attached code is a (quick/rough) simple demonstration of this problem.
It behaves as a tetrinet server, waits for incoming connections and
injects a simple write(1, "badcode") shellcode into the client (there are
some hardcoded offsets in the code so it will only work on the Ubuntu
6.06 package though). However, as it seems some tetrinet servers don't do
any sanity checking on incoming messages, and just broadcast them to the
other clients, a client-to-client attack might also be possible.

greets
        Michael Gehring
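A hardened IN_LVL handler, added here as an example and not gtetrinet's own code: it checks both bounds of pnum (the report's snippet only checked the upper one) and parses tokens strictly instead of with atoi. The MAX_PLAYERS value, the "<pnum> <level>" layout, and the function names are assumptions following the snippet above.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PLAYERS 6   /* assumed: tetrinet has six player slots */

/* Parse a decimal integer strictly: the whole token must be a number
 * that fits in an int. atoi() would silently accept "12abc" or overflow. */
static int parse_int_strict(const char *s, long *out)
{
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE || v > INT_MAX || v < INT_MIN)
        return 0;
    *out = v;
    return 1;
}

/* Handle an IN_LVL payload "<pnum> <level>" received from the server.
 * Returns 1 and updates playerlevels on success, 0 if the message is
 * rejected. The report's bug was `if (pnum >= MAX_PLAYERS)` alone; a
 * negative pnum then indexed before the array. Both bounds are checked here. */
int handle_in_lvl(const char *msg, int playerlevels[MAX_PLAYERS])
{
    char data[64];
    if (strlen(msg) >= sizeof data) return 0;       /* refuse oversized messages */
    strcpy(data, msg);

    char *token = strtok(data, " ");
    if (token == NULL) return 0;
    long pnum;
    if (!parse_int_strict(token, &pnum)) return 0;
    if (pnum < 0 || pnum >= MAX_PLAYERS) return 0;  /* lower AND upper bound */

    token = strtok(NULL, "");
    if (token == NULL) return 0;
    long level;
    if (!parse_int_strict(token, &level)) return 0;

    playerlevels[pnum] = (int)level;
    return 1;
}

/* Feed one message to a fresh level table and return the level stored in
 * `slot`, or -1 if the handler rejected the message. */
int level_after(const char *msg, int slot)
{
    int lv[MAX_PLAYERS] = {0};
    if (!handle_in_lvl(msg, lv)) return -1;
    return lv[slot];
}
```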
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2006-09-05 06:45:06 UTC
This one is public now.

games/gnome please advise.
Comment 2 Mr. Bones. (RETIRED) gentoo-dev 2006-09-05 09:13:16 UTC
0.7.9 isn't in portage.
Comment 3 Sune Kloppenborg Jeppesen gentoo-dev 2006-09-05 10:41:50 UTC
Thx Mr. Bones, I didn't notice it was bumped a few days ago.

This one is ready for GLSA.
Comment 4 Sune Kloppenborg Jeppesen gentoo-dev 2006-09-06 08:41:42 UTC
GLSA 200609-02

Remailed to FD due to DNS failure.