lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060306212828.2891edbf.aluigi@autistici.org>
Date: Mon Mar  6 20:29:31 2006
From: aluigi at autistici.org (Luigi Auriemma)
Subject: Out of memory crash in Freeciv 2.0.7


#######################################################################

                             Luigi Auriemma

Application:  Freeciv
              http://www.freeciv.org
Versions:     <= 2.0.7
Platforms:    Windows, *nix, *BSD, MacOS and more
Bug:          bad memory allocation
Exploitation: remote, versus server
Date:         06 Mar 2006
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Freeciv is an open source clone of the well known Civilization game.
The game supports also online gaming through its own metaserver (which
can be seen also on the web) and GGZ (http://www.ggzgamingzone.org).


#######################################################################

======
2) Bug
======


Freeciv supports both plain and compressed data (admins can disable
this feature only recompiling the server from the source code with
USE_COMPRESSION undefined).
When the server receives a jumbo data (size set to 0xffff) it reads
the subsequent 32 bits number which identifies the size of the
compressed data.
Then it makes a signed comparison to know if the compressed size is
major than the data received, if the client uses a negative compressed
size value it will be able to elude this check.
After having substracted 6 bytes (header size) from this number the
server tries to allocate the memory needed for decompressing the data
which is fixed to 100 times this size.
If the memory cannot be allocated the server terminates or freezes
showing an out of memory message.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/freecivdos.zip


#######################################################################

======
4) Fix
======


Version 2.0.8


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ