lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Sun, 1 May 2005 17:54:24 +0000
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com,
	news@...uriteam.com, full-disclosure@...ts.grok.org.uk,
	vuln@...unia.com, red@...sec.de
Subject: Clients format string and server crash in
	Mtp-Target 1.2.2



#######################################################################

                             Luigi Auriemma

Application:  Mtp-Target
              http://www.mtp-target.org
Versions:     <= 1.2.2
Platforms:    Windows and Linux
Bugs:         A] clients format string
              B] server crash
Exploitation: remote, versus both server and clients
Date:         01 May 2005
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Mtp-Target is a nice open source and multiplatform clone of the Monkey
Target minigame and uses the NeL library
(http://www.nevrax.org/tiki-index.php?page=NeL).


#######################################################################

=======
2) Bugs
=======

------------------------
A] clients format string
------------------------

The clients of the game are affected by a format string during the
visualization of the messages received from the other users or of any
other text that appears in the upper console.
With a single message an attacker is able to exploit all the clients
connected to a server.


---------------
B] server crash
---------------

This bug is located in the NeL library but after some tests made by the
NeL developers seems that only Mtp-Target is vulnerable (probably
because the pre-compiled versions use an old version of the library,
the mistery has not been solved).

Anyway there is a signed comparison that verifies if the amount of
memory to allocate (a parameter passed by the client) is major than
1000000 bytes. If an attacker passes a negative value the check is
bypassed and the system tries to allocate this huge amount of memory
through a call to STLport.
The result is an exception that terminates the server.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/mtpbugs.zip


#######################################################################

======
4) Fix
======


No fix.

I was in contact with the developers of this game (that have also a
public game server) but I have no longer received replies from them, so
don't have idea if and when a patch will be released.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists