lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060512232621.97cc7854.aluigi@autistici.org>
Date: Fri May 12 22:23:18 2006
From: aluigi at autistici.org (Luigi Auriemma)
Subject: Buffer-overflow and NULL pointer crash in Genecys
	0.2


#######################################################################

                             Luigi Auriemma

Application:  Genecys
              http://www.genecys.org
Versions:     <= 0.2 and current CVS
Platforms:    *nix and *BSD
Bugs:         A] tell_player_surr_changes buffer-overflow
              B] parse_command NULL pointer crash
Exploitation: remote, versus server
Date:         12 May 2006
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Genecys is an open source MMORPG project.


#######################################################################

=======
2) Bugs
=======

-------------------------------------------
A] tell_player_surr_changes buffer-overflow
-------------------------------------------

The function tell_player_surr_changes is affected by a buffer-overflow
which could allow an attacker to execute malicious code.
The problem is caused by the usage of sprintf and strcat on buffers of
256 bytes.

>From server/player.c:

int tell_player_surr_changes(event_t *event)
{
    pl_known_t *known, *knext;
    object_t *obj;
    char buf[256], buf2[256],b2[40];

    obj = event->initiator;

    for (known=TAILQ_FIRST(&obj->pl->known); known != NULL; known = knext) {
	knext = TAILQ_NEXT(known, next);
	if (!event->action)
	    known->lu--;
	if (known->bits > 0) {
	    sprintf(buf, "chob id:%s", uid_sprint(b2, &known->uid));
	    if (known->bits & PLKN_NROF) {
		sprintf(buf2, " nrof:%d", known->nrof);
		strcat(buf, buf2);
	    }
	    if (known->bits & PLKN_STATE) {
		sprintf(buf2, " st:%d", known->state);
		strcat(buf, buf2);
	    }
	    if (known->bits & PLKN_NAME) {
		sprintf(buf2, " nm:\"%s\"", known->name);
		strcat(buf, buf2);
	    }
	    if (known->bits & PLKN_NAMEPL) {
		sprintf(buf2, " nmp:\"%s\"", known->name_pl);
		strcat(buf, buf2);
	    }
	    if (known->bits & PLKN_MODEL) {
		sprintf(buf2, " mdl:\"%s\"", known->model);
		strcat(buf, buf2);
	    }
        ...

Note: has not been possible to test this bug in practice due to some
problems while running my test server.


-----------------------------------
B] parse_command NULL pointer crash
-----------------------------------

The function which parses the commands sent by the client doesn't check
the return value of a strchr call used for parsing the commands and
their values (CMD:VAL).
If the attacker doesn't use the ':' char the server will crash due to
the access to a NULL pointer.

>From common/netparser.c:

pargs_t *parse_command(char **words, int *command, int count)
{
    argtable_t *asp, dummy;
    char *cp, *tmp, *p;
    size_t span;
    ...
    args = safer_malloc(sizeof(pargs_t)*numargs);
    cur = 0;
    for (i=1; i < count && words[i] != NULL && *words[i]; i++) {
	span = strcspn(words[i], ":");
        tmp = strchr(words[i], ':');
        tmp++;
        ...


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/genecysbof.zip


#######################################################################

======
4) Fix
======


No fix.
No reply from the developers... the game seems no longer supported.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ