lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20051102204623.5c6a6312.aluigi@autistici.org>
Date: Wed Nov  2 19:45:54 2005
From: aluigi at autistici.org (Luigi Auriemma)
Subject: Buffer-overflow and crash in FlatFrag 0.3


#######################################################################

                             Luigi Auriemma

Application:  FlatFrag
              http://www.tzi.de/~jfk/projects/flatfrag/
Versions:     <= 0.3
Platforms:    Windows, Linux and more
Bugs:         A] buffer-overflow
              B] NULL pointer crash
Exploitation: remote, versus server
Date:         02 Nov 2005
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


FlatFrag is an open source multiplayer tank game developed by Johannes
Kuhlmann.


#######################################################################

=======
2) Bugs
=======

------------------
A] buffer-overflow
------------------

The receiver() function in server/loop.c contains 3 buffer-overflow
caused by the usage of strcpy() for copying the version, the name and
the model sent by the client to 3 buffers of respectively 64, 32 and 32
bytes.


---------------------
B] NULL pointer crash
---------------------

When the server receives the NT_CONN_OK command from an unconnected
client it calls net_on_receive(NULL, NULL) which is a function pointer
that reads the data contained in the stream passed as second argument.
The problem is just in the NULL pointers passed to the function which
lead to the immediate crash of the server.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/flatfragz.zip


#######################################################################

======
4) Fix
======


No fix.
The bugs will be patched in the next version.


#######################################################################


--- 
Luigi Auriemma 
http://aluigi.altervista.org 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ