Multiple vulnerabilities in Scorched 3D 39.1
#######################################################################
Luigi Auriemma
Application: Scorched 3D
http://www.scorched3d.co.uk
Versions: <= 39.1 (bf)
Platforms: Windows, Linux, MacOS, FreeBSD and Solaris
Bugs: A] format string and buffer-overflow in addLine and SendString*
      B] server freeze through negative numplayers
      C] ComsMessageHandler buffer-overflow
      D] various crashes and possible code execution in Logger.cpp
Exploitation: remote, versus server
Date: 02 Nov 2005
Author: Luigi Auriemma
e-mail: aluigi@xxxxxxxxxxxxx
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Scorched 3D is a great and well known open source multiplayer game
inspired by the old classic Scorched Earth.
#######################################################################
=======
2) Bugs
=======
---------------------------------------------------------------
A] format string and buffer-overflow in addLine and SendString*
---------------------------------------------------------------
The game is affected by many format string and buffer-overflow bugs,
located mainly in GLConsole::addLine, the ServerCommon::sendString*
functions and ServerCommon::serverLog.
All these functions format into static buffers of various lengths (1024,
2048 and 10000 bytes) with vsprintf, which performs no bounds check, and
some of them are called from code that passes the user's input (messages,
commands and values) directly as the format argument, which also exposes
the server to format string attacks.
--------------------------------------------
B] server freeze through negative numplayers
--------------------------------------------
Scorched 3D clients send a field called numplayers which tells the server
how many players to create for that connection (even though the
connecting client is only one).
The problem is a negative numplayers value: it passes the (signed) check
in the code, and then the server freezes in an almost endless loop in
ServerConnectHandler.cpp, because the loop counter is unsigned and the
negative value is converted to a very large unsigned number when the two
are compared:
    for (unsigned int i=0; i<message.getNoPlayers(); i++)
    {
        addNextTank(destinationId,
                    ipAddress,
                    uniqueId.c_str(),
                    message.getHostDesc(),
                    false);
    }
If the server is password protected, the attacker must know the
password.
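As an added example for bug B (this is not code from the advisory or from Scorched 3D), the following C program reproduces the signed/unsigned mismatch with a hypothetical numplayers check and a bounded stand-in for the addNextTank loop. The limit MAX_PLAYERS_PER_CONNECT and all function names are assumptions; the advisory does not quote the real check. It shows that -1 passes a signed upper-bound comparison but becomes UINT_MAX once the unsigned loop counter is compared against it, and that a range check rejecting anything below 1 closes the hole.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Upper bound on players one connect message may request.  Assumed value;
 * the advisory does not quote the real limit. */
#define MAX_PLAYERS_PER_CONNECT 24

/* Check in the style the advisory describes: numplayers is compared as a
 * signed int, so any negative value passes. */
bool flawed_accept_numplayers(int numplayers)
{
    return numplayers <= MAX_PLAYERS_PER_CONNECT;
}

/* Number of iterations the advisory's loop would run for this value:
 * "i < numplayers" with an unsigned i converts numplayers to unsigned,
 * so -1 becomes UINT_MAX.  Computed here, not actually looped. */
unsigned int flawed_loop_iterations(int numplayers)
{
    return (unsigned int)numplayers;
}

/* Hardened check: the value must lie in [1, MAX] before any loop uses it. */
bool hardened_accept_numplayers(int numplayers)
{
    return numplayers >= 1 && numplayers <= MAX_PLAYERS_PER_CONNECT;
}

/* Stand-in for the connect handler: returns the number of tanks added,
 * or -1 if the request was rejected before the loop. */
long add_tanks_for_connect(int numplayers)
{
    long created = 0;
    if (!hardened_accept_numplayers(numplayers))
        return -1;
    for (unsigned int i = 0; i < (unsigned int)numplayers; i++)
        created++;      /* addNextTank(...) would be called here */
    return created;
}

int main(void)
{
    /* constructed sample values, including the two negative edge cases */
    const int samples[] = { 1, 4, -1, INT_MIN, 100 };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        int n = samples[k];
        printf("numplayers=%d flawed_check=%s loop_iterations=%u hardened=%ld\n",
               n,
               flawed_accept_numplayers(n) ? "pass" : "reject",
               flawed_loop_iterations(n),
               add_tanks_for_connect(n));
    }
    return 0;
}
```

The check alone is not enough if the loop still compares signed against unsigned; the fix is to reject the value first and then iterate only over a count that has already been validated.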
-------------------------------------
C] ComsMessageHandler buffer-overflow
-------------------------------------
A buffer overflow exists in the creation of the following error messages
in ComsMessageHandler.cpp:
    char buffer[1024];
    sprintf(buffer, "Failed to find message type handler \"%s\"", messageType.c_str());

and

    char buffer[1024];
    sprintf(buffer, "Failed to handle message type \"%s\"", messageType.c_str());
To trigger the bug it is enough to send a message type (command) longer
than the 1024-byte buffer used by these instructions.
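As an added example covering bugs A and C (this is not the project's code), the following C program contrasts the vsprintf/sprintf pattern the advisory describes with bounded vsnprintf/snprintf replacements that pass user text as a %s argument instead of as the format. addLine_safe, log_user_message, format_handler_error and the demo_* helpers are hypothetical names; only the 1024-byte buffer size and the "Failed to find message type handler" string are taken from the advisory, and the long message type is constructed here.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LINE_BUF 1024  /* one of the static buffer sizes named in the advisory */

/* Vulnerable shape described in the advisory, kept under #if 0 so it is
 * never compiled: vsprintf has no length limit, and when the caller passes
 * user text as fmt, %x/%n conversions read and write the stack. */
#if 0
void addLine_vulnerable(const char *fmt, ...)
{
    char buffer[LINE_BUF];
    va_list ap;
    va_start(ap, fmt);
    vsprintf(buffer, fmt, ap);            /* unbounded write */
    va_end(ap);
}
/* call site that turns it into a format string bug: */
/* addLine_vulnerable(user_message); */
#endif

/* Hardened replacement: bounded formatting, NUL terminated for any
 * outlen > 0.  Returns the length the full message needed, so a caller can
 * detect truncation (same contract as snprintf). */
int addLine_safe(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    int needed;

    va_start(ap, fmt);
    needed = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return needed;
}

/* Correct call site: attacker text is a %s argument, never the format. */
int log_user_message(char *out, size_t outlen, const char *user_message)
{
    return addLine_safe(out, outlen, "Message: %s", user_message);
}

/* Bounded version of the ComsMessageHandler error string (bug C). */
int format_handler_error(char *out, size_t outlen, const char *messageType)
{
    return snprintf(out, outlen,
                    "Failed to find message type handler \"%s\"", messageType);
}

/* Returns 1 if a message made of conversion specifiers is stored
 * literally, i.e. it was not interpreted as a format string. */
int demo_format_string_neutralised(void)
{
    char buf[LINE_BUF];
    log_user_message(buf, sizeof buf, "%x%x%x%n%s");
    return strcmp(buf, "Message: %x%x%x%n%s") == 0;
}

/* Formats a constructed 4999-byte message type into the 1024-byte buffer
 * and returns the stored length; with sprintf this call would have written
 * thousands of bytes past the end of the buffer. */
size_t demo_long_message_type_stored(void)
{
    static char big[5000];
    char buf[LINE_BUF];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    format_handler_error(buf, sizeof buf, big);
    return strlen(buf);
}

/* Same input, but returns what snprintf reported as needed; a caller
 * compares this against the buffer size to notice the truncation. */
int demo_long_message_type_needed(void)
{
    static char big[5000];
    char buf[LINE_BUF];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return format_handler_error(buf, sizeof buf, big);
}

int main(void)
{
    printf("format string neutralised: %d\n", demo_format_string_neutralised());
    printf("stored %zu bytes of %d needed\n",
           demo_long_message_type_stored(), demo_long_message_type_needed());
    return 0;
}
```

Both halves of the fix matter: the bounded function stops the overflow, and the "%s" call site stops the format string attack; replacing vsprintf with vsnprintf alone still lets a caller that passes user input as fmt be exploited through %n.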
------------------------------------------------------------
D] various crashes and possible code execution in Logger.cpp
------------------------------------------------------------
When an attacker sends some long values, like a big UniqueID, the server
crashes immediately.
The problem is located in some of the functions of Logger.cpp, and remote
code execution also seems possible.
One of the ways I have found to exploit the bug requires knowing the
server password if one is set, but better ways to exploit the
vulnerability may exist.
#######################################################################
===========
3) The Code
===========
http://aluigi.altervista.org/poc/scorchbugs.zip
#######################################################################
======
4) Fix
======
No fix.
No reply from the developers.
#######################################################################
---
Luigi Auriemma
http://aluigi.altervista.org