lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 2 Nov 2005 20:23:26 +0100
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com,
	news@...uriteam.com, full-disclosure@...ts.grok.org.uk, vuln@...unia.com
Subject: Multiple vulnerabilities in Scorched 3D 39.1



#######################################################################

                             Luigi Auriemma

Application:  Scorched 3D
              http://www.scorched3d.co.uk
Versions:     <= 39.1 (bf)
Platforms:    Windows, Linux, MacOS, FreeBSD and Solaris
Bugs:         A] format string and buffer-overflow in addLine and
                 SendString*
              B] server freeze through negative numplayers
              C] ComsMessageHandler buffer-overflow
              D] various crashes and possible code execution in
                 Logger.cpp
Exploitation: remote, versus server
Date:         02 Nov 2005
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Scorched 3D is a great and well known open source multiplayer game
inspired to the old classic Scorched Earth.


#######################################################################

=======
2) Bugs
=======

---------------------------------------------------------------
A] format string and buffer-overflow in addLine and SendString*
---------------------------------------------------------------

The game is affected by many format string and buffer-overflow bugs
which are "mainly" located in the GLConsole::addLine, all the
ServerCommon::sendString* and ServerCommon::serverLog functions.
All these functions use vsprintf with static buffers of various lengths
(like 1024, 2048 and 10000) and some of them are called from
instructions that pass the user's input (like messages or commands and
values) directly as format argument opening the server also to format
string attacks.


--------------------------------------------
B] server freeze through negative numplayers
--------------------------------------------

Scorched 3D clients use a strange field called numplayers used for
creating a specific number of players in the server (although the
client is only one).
The problem is in the usage of a negative numplayers value which first
bypasses the (signed) check used in the code and then freezes the
server that enters in an almost endless loop located in
ServerConnectHandler.cpp:

	for (unsigned int i=0; i<message.getNoPlayers(); i++)
	{
		addNextTank(destinationId,
			ipAddress,	
			uniqueId.c_str(),
			message.getHostDesc(),
			false);
	}

If the server is protected with a password the attacker must know the
right keyword.


-------------------------------------
C] ComsMessageHandler buffer-overflow
-------------------------------------

Exists a buffer-overflow in the creation of the following error
messages in ComsMessageHandler.cpp:

		char buffer[1024];
		sprintf(buffer, "Failed to find message type handler \"%s
\"", messageType.c_str());
and
		char buffer[1024];
		sprintf(buffer, "Failed to handle message type \"%s\"",
			messageType.c_str());

For exploiting the bug is enough to use a command longer than the
buffer used by these instructions.


------------------------------------------------------------
D] various crashes and possible code execution in Logger.cpp
------------------------------------------------------------

When an attacker uses some long values, like a big UniqueID, the server
crashes immediately.
The problem is located in some of the functions of Logger.cpp and seems
also possible to execute remote code.
In one of the ways I have found to exploit the bug is needed to know
the keyword of the server if uses a password, but could exist other
better ways to exploit the vulnerability.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/scorchbugs.zip


#######################################################################

======
4) Fix
======


No fix.
No reply from the developers.


#######################################################################


--- 
Luigi Auriemma 
http://aluigi.altervista.org 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists