<<< Date Index >>>     <<< Thread Index >>>

Possible code execution in Kaillera 0.86



#######################################################################

                             Luigi Auriemma

Application:  Kaillera
              http://www.kaillera.com
Versions:     <= 0.86
Platforms:    Windows, Linux and FreeBSD
Bug:          buffer-overflow
Exploitation: remote, versus server
Date:         06 Jul 2006
Author:       Luigi Auriemma
              e-mail: aluigi@xxxxxxxxxxxxx
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Kaillera is a middleware software for implementing network capabilities
in emulators like MAME, MameLang32+, Bliss, NESten, Jnes, Nemu64,
Modeler, Gens, WinUAE, PCAE, Kawaks and possibly others.
Although the latest server's version has been released over 4 years ago
it's still widely used as demonstrated by the online servers lists.


#######################################################################

======
2) Bug
======


The handling of almost all the Kaillera messages is made through the
reading of the first NULL terminated string and the subsequent reading
of the remaining data in the message (its content will be parsed in
another step).
For these operations Kaillera uses a static buffer of 32 bytes and a
data buffer which is reallocated everytime that the size of the client
message is bigger than the actual allocated size of the buffer.
The instructions which handle these types of messages start from about
offset 004019f1 of the Windows server 0.86:

004019F1  |. 33C9           XOR ECX,ECX
004019F3  |. 8A06           MOV AL,BYTE PTR DS:[ESI]
004019F5  |. 57             PUSH EDI
004019F6  |. 84C0           TEST AL,AL
004019F8  |. 74 0C          JE SHORT KAILLERA.00401A06
004019FA  |> 46             /INC ESI
004019FB  |. 88440B 04      |MOV BYTE PTR DS:[EBX+ECX+4],AL
004019FF  |. 41             |INC ECX
00401A00  |. 8A06           |MOV AL,BYTE PTR DS:[ESI]
00401A02  |. 84C0           |TEST AL,AL
00401A04  |.^75 F4          \JNZ SHORT KAILLERA.004019FA
00401A06  |> 8B6C24 18      MOV EBP,DWORD PTR SS:[ESP+18]
00401A0A  |. C64419 04 00   MOV BYTE PTR DS:[ECX+EBX+4],0
00401A0F  |. 2BE9           SUB EBP,ECX
00401A11  |. 8BCB           MOV ECX,EBX
00401A13  |. 83ED 02        SUB EBP,2
00401A16  |. 55             PUSH EBP
00401A17  |. E8 D4FCFFFF    CALL KAILLERA.004016F0
00401A1C  |. 8B7B 24        MOV EDI,DWORD PTR DS:[EBX+24]
00401A1F  |. 8BCD           MOV ECX,EBP
00401A21  |. 8BD1           MOV EDX,ECX
00401A23  |. 46             INC ESI
00401A24  |. C1E9 02        SHR ECX,2
00401A27  |. F3:A5          REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>

which can be traduced (plus or less) in C like the following code:

    static char nick[32],
                *data;
    ...
    int     nick_size,
            data_size;

    for(nick_size = 0; *client_msg; nick_size++, client_msg++) {
        nick[nick_size] = *client_msg;
    }
    nick[nick_size] = 0;
    client_msg++;
    data_size = (client_msg_size - nick_size) - 2;
    data      = 004016f0(data_size);    // realloc data if needed
    memcpy(data, client_msg, data_size);

    ...

    004016f0(int size) {
        if(size <= data_alloc_size) return;
        do {
            data_alloc_size <<= 1;
        } while(size > data_alloc_size);
        data = realloc(data, data_alloc_size);
    }

If an attacker uses a nickname longer than 32 bytes he can overwrite
the address of the data buffer and the value in which is stored its
actual allocated size, the following scheme shows that piece of memory:

 ooooooooooooooooooooooooooooooooXXXXYYYY
 |                               |   |
 |                               |   amount of data currently allocated
 |                               pointer to the data buffer
 static buffer of 32 bytes

With the overwriting of YYYY we can bypass the first check made by the
function at offset 004016f0 which does a realloc of the buffer if
needed since we control the actual allocated size and then we can
decide where copying the rest of our message in the memory of the
server since the address of data XXXX is controlled by us too.
That leads to the possibility of executing malicious code.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/kailleraex.zip


#######################################################################

======
4) Fix
======


The developers will release a new version soon


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org