lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050526174459.30a59ba3.aluigi@autistici.org>
Date: Thu, 26 May 2005 17:44:59 +0000
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com,
	news@...uriteam.com, full-disclosure@...ts.grok.org.uk,
	vuln@...unia.com, red@...sec.de
Subject: Buffer-overflow in C'Nedra 0.4.0



#######################################################################

                             Luigi Auriemma

Application:  C'Nedra
              http://www.cnedra.org
Versions:     <= 0.4.0
Platforms:    Windows and Unix
Bug:          buffer-overflow in READ_TCP_STRING
Exploitation: remote, versus server
Date:         26 May 2005
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


C'Nedra is an open source virtual reality framework for the creation of
various worlds and applications.


#######################################################################

======
2) Bug
======


The network plugin is affected by a buffer-overflow in the function
READ_TCP_STRING() located in game_message_functions.cpp and used to
read the text strings received from the network.
First it reads the 32 bit number that specifies the size of the text
string and then copies it into a local buffer of only 100 bytes
allowing an attacker to execute malicious code.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/cnedrabof.zip


#######################################################################

======
4) Fix
======


No fix.
No reply from the developers.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ