| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun May 1 16:51:00 2005
From: aluigi at autistici.org (Luigi Auriemma)
Subject: Clients format string and server crash in
Mtp-Target 1.2.2
#######################################################################
Luigi Auriemma
Application: Mtp-Target
http://www.mtp-target.org
Versions: <= 1.2.2
Platforms: Windows and Linux
Bugs: A] clients format string
B] server crash
Exploitation: remote, versus both server and clients
Date: 01 May 2005
Author: Luigi Auriemma
e-mail: aluigi@...istici.org
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Mtp-Target is a nice open source and multiplatform clone of the Monkey
Target minigame and uses the NeL library
(http://www.nevrax.org/tiki-index.php?page=NeL).
#######################################################################
=======
2) Bugs
=======
------------------------
A] clients format string
------------------------
The clients of the game are affected by a format string during the
visualization of the messages received from the other users or of any
other text that appears in the upper console.
With a single message an attacker is able to exploit all the clients
connected to a server.
---------------
B] server crash
---------------
This bug is located in the NeL library but after some tests made by the
NeL developers seems that only Mtp-Target is vulnerable (probably
because the pre-compiled versions use an old version of the library,
the mistery has not been solved).
Anyway there is a signed comparison that verifies if the amount of
memory to allocate (a parameter passed by the client) is major than
1000000 bytes. If an attacker passes a negative value the check is
bypassed and the system tries to allocate this huge amount of memory
through a call to STLport.
The result is an exception that terminates the server.
#######################################################################
===========
3) The Code
===========
http://aluigi.altervista.org/poc/mtpbugs.zip
#######################################################################
======
4) Fix
======
No fix.
I was in contact with the developers of this game (that have also a
public game server) but I have no longer received replies from them, so
don't have idea if and when a patch will be released.
#######################################################################
---
Luigi Auriemma
http://aluigi.altervista.org
Powered by blists - more mailing lists