Message-ID: <20050925170805.6f7d21ef.aluigi@autistici.org>
Date: Sun, 25 Sep 2005 17:08:05 +0200
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com,
	news@...uriteam.com, full-disclosure@...ts.grok.org.uk, vuln@...unia.com,
	vulnwatch@...nwatch.org
Subject: Server crash and motd deletion in MultiTheftAuto
	0.5 patch 1



#######################################################################

                             Luigi Auriemma

Application:  MultiTheftAuto
              http://www.multitheftauto.com
Versions:     <= 0.5 patch 1
Platforms:    Windows, Linux, FreeBSD and OpenBSD
Bugs:         A] anyone can modify the motd
              B] Windows server crash
Exploitation: remote, versus server
Date:         25 Sep 2005
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


MultiTheftAuto (MTA) is a closed-source mod and server for the games
Grand Theft Auto III (http://www.rockstargames.com/grandtheftauto3/)
and Grand Theft Auto: Vice City
(http://www.rockstargames.com/vicecity/pc/) which adds multiplayer
capabilities to them.


#######################################################################

=======
2) Bugs
=======


The two bugs below are directly related, but they are listed separately
because their effects differ between the versions available for the
supported platforms:

-----------------------------
A] anyone can modify the motd
-----------------------------

The MTA server has the remote administration option enabled by default.
The problem is the existence of an undocumented command (number 40)
which allows the modification or the deletion of the content of the
motd.txt file used for the message of the day.
This is the only command which doesn't check if the client is an admin
so anyone without permissions has access to it.


-----------------------
B] Windows server crash
-----------------------

Command 40 is also the cause of another problem, located in the same
function, which seems incomplete or experimental as shown by the
following "retrieved" code:

    // open file for writing "w"
    length = *(u_int *)(src - (src % 4096));
    for(i = j = 0; i < length; i++) {
        if(src[i] == '\n') dst[j++] = '\r';
        dst[j++] = src[i];
        if(j < 1024) continue;
        if(!WriteFile(...)) break;
        j = 0;
    }
    // close file

length is -1, so the function enters an almost endless loop which stops
only when the source buffer points to an unallocated region of memory.
The result is the immediate crash of the MTA server.

It seems that only the Windows server is affected by the crash, because
on Linux the function is substituted with the following "still
incorrect" instructions, which don't produce exceptions:

    fd = fopen("motd.txt", "w");
    fwrite(data + 4, 1, data, fd);  // yes data is the buffer
    fclose(fd);


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/mtaboom.zip


#######################################################################

======
4) Fix
======


The developers have said that MTA is no longer supported.


#######################################################################


--- 
Luigi Auriemma 
http://aluigi.altervista.org 
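
A hardened form of the motd update handler described in bugs A and B, as an added example (not code from the advisory or from MTA): it checks the admin flag before touching the motd and bounds the declared length by the bytes actually received. The function name, the 4-byte little-endian length prefix, MOTD_MAX and the sample packets are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MOTD_MAX 4096              /* assumed upper bound for a motd */

/* Constructed sample payloads (assumed layout: u32 LE length + text). */
static const uint8_t PKT_OK[]  = {6, 0, 0, 0, 'h', 'i', '\n', 'y', 'o', '\n'};
static const uint8_t PKT_LIE[] = {0xff, 0xff, 0xff, 0xff, 'x'}; /* length -1 */
static uint8_t OUT[2 * MOTD_MAX];  /* worst case: every byte is '\n' */

/* Hypothetical handler. Converts LF to CRLF into out and returns the number
 * of bytes produced, or -1 if the request is rejected. The caller writes
 * out to motd.txt only on success. */
long motd_update(int is_admin, const uint8_t *pkt, size_t pkt_len,
                 uint8_t *out, size_t out_cap)
{
    if (!is_admin)                 /* bug A: authorise before acting */
        return -1;
    if (pkt_len < 4)               /* too short to hold the length field */
        return -1;
    uint32_t len = (uint32_t)pkt[0] | (uint32_t)pkt[1] << 8 |
                   (uint32_t)pkt[2] << 16 | (uint32_t)pkt[3] << 24;
    /* bug B: never trust the declared length beyond the received bytes */
    if (len > pkt_len - 4 || len > MOTD_MAX)
        return -1;
    const uint8_t *src = pkt + 4;
    size_t j = 0;
    for (uint32_t i = 0; i < len; i++) {
        size_t need = (src[i] == '\n') ? 2 : 1;
        if (out_cap - j < need)    /* bound the destination as well */
            return -1;
        if (src[i] == '\n')
            out[j++] = '\r';
        out[j++] = src[i];
    }
    return (long)j;
}

int main(void)
{
    printf("admin, valid:      %ld\n", motd_update(1, PKT_OK, sizeof PKT_OK, OUT, sizeof OUT));
    printf("non-admin:         %ld\n", motd_update(0, PKT_OK, sizeof PKT_OK, OUT, sizeof OUT));
    printf("declared len -1:   %ld\n", motd_update(1, PKT_LIE, sizeof PKT_LIE, OUT, sizeof OUT));
    return 0;
}
```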