Message-ID: <20060423210327.2dbab5f2.aluigi@autistici.org>
Date: Sun Apr 23 20:00:40 2006
From: aluigi at autistici.org (Luigi Auriemma)
Subject: Format string bug in Skulltag 0.96f


#######################################################################

                             Luigi Auriemma

Application:  Skulltag
              http://www.skulltag.com
Versions:     <= 0.96f
Platforms:    Windows
Bug:          format string
Exploitation: remote, versus server
Date:         23 Apr 2006
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Skulltag is a well-known and actively supported Doom engine, mainly based
on Zdoom and focused on online gaming.
Unfortunately it is released as closed source, although it uses open
source code.


#######################################################################

======
2) Bug
======


The server is affected by a format string vulnerability, exploitable
when a client sends a malformed version string.
The following are the vulnerable instructions in the 0.96f executable:

* Reference To: MSVCRT.sprintf, Ord:02B2h
                                  |
:004DCCC3 8B3D30415900            mov edi, dword ptr [00594130]
:004DCCC9 8D4C2424                lea ecx, dword ptr [esp+24]
:004DCCCD 50                      push eax      ; client's version
:004DCCCE 51                      push ecx      ; buffer
:004DCCCF FFD7                    call edi      ; sprintf()

which translates to:

  sprintf(buffer, version_sent_by_the_client);

The exploitation happens "outside" the server (before the client joins),
so banning and password restrictions do not limit the attacker.
The only so-called obstacle is when the server is full, because it
cannot be attacked during that (rare) state.
A note about possible code execution: the subsequent instructions call
the strupr function, which converts almost all the characters in the
string to upper case.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/skulltagfs.zip


#######################################################################

======
4) Fix
======


The developer has been contacted and has fixed the bug only in his
private development version, which will probably be released this
summer.
So there is no fix available.

Fortunately the bug is simple enough to fix, so I have created an
unofficial patch which adds the argument "%s" to sprintf.
This solution is sufficient since it is not possible to overflow the
buffer (so there is no need for snprintf or "%.*s"):

  http://aluigi.altervista.org/patches/skulltagfs-fix.zip
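As an added illustration (example code written for this page, not part of the advisory, the PoC archive or Skulltag's own code), the C below places the 0.96f pattern from section 2 beside the "%s" form the unofficial patch applies, counts the conversion directives an attacker-controlled string would hand to sprintf, and emulates the strupr step that follows it in the server. The buffer size, the constructed payload and the ASCII-only behaviour of strupr are assumptions; a bounded snprintf variant is included as extra defence, not as part of the patch.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size for this example; the advisory does not state the real one. */
#define VERSION_BUF_SIZE 64

/* The 0.96f pattern: the client's version string IS the format string.
   Compilers flag this with -Wformat-security. It is only ever called on
   a benign literal here, never on attacker data. */
static void vulnerable_store_version(char *buffer, const char *client_version)
{
    sprintf(buffer, client_version);
}

/* The unofficial patch: a fixed format, client data passed as an argument,
   so any '%' in it is copied literally instead of being interpreted. */
static void fixed_store_version(char *buffer, const char *client_version)
{
    sprintf(buffer, "%s", client_version);
}

/* Bounded variant (added here as defence in depth; the advisory notes the
   original buffer cannot overflow, so the patch does not need it). */
static void bounded_store_version(char *buffer, size_t size,
                                  const char *client_version)
{
    snprintf(buffer, size, "%s", client_version);
}

/* Number of conversion directives the vulnerable call would act on if the
   given client string were used as the format. "%%" is an escaped percent
   sign, not a directive. An honest version string such as "0.96f" yields
   0; anything non-zero from the network is an attack attempt. */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" -> literal '%' */
            p++;
            continue;
        }
        n++;                    /* %x, %s, %n, ...: reads or writes memory */
    }
    return n;
}

/* Emulates the strupr() the server runs on the stored string afterwards
   (assumed ASCII a-z only, as in the C locale). Returns the number of
   bytes changed: every lowercase byte of an injected payload is altered. */
static int uppercase_in_place(char *buffer)
{
    int changed = 0;
    for (char *p = buffer; *p != '\0'; p++) {
        if (*p >= 'a' && *p <= 'z') {
            *p = (char)(*p - 'a' + 'A');
            changed++;
        }
    }
    return changed;
}

int main(void)
{
    /* Constructed attacker string: three directives, the last a write. */
    const char *payload = "%x%x%n";
    char buffer[VERSION_BUF_SIZE];

    /* Honest clients never trigger the bug, which is why it went unnoticed. */
    vulnerable_store_version(buffer, "0.96f");
    printf("benign version stored: \"%s\"\n", buffer);

    printf("directives in \"%s\": %d\n", payload, count_format_directives(payload));
    printf("directives in \"0.96f\": %d\n", count_format_directives("0.96f"));

    fixed_store_version(buffer, payload);         /* copied verbatim */
    printf("after fix: \"%s\"\n", buffer);

    int changed = uppercase_in_place(buffer);     /* the server's strupr step */
    printf("after strupr: \"%s\" (%d bytes changed)\n", buffer, changed);
    return 0;
}
```

Compile with `cc -Wall -Wformat-security example.c` to see the compiler warn on the vulnerable call and stay silent on the patched one; the strupr emulation shows why any lowercase byte in a payload stored through this path does not survive.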


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org
