Limited format string in Netrek 2.12.0
#######################################################################
Luigi Auriemma
Application: Netrek
http://www.netrek.org
Versions: <= 2.12.0 (Vanilla server)
Platforms: *nix and Windows
Bug: format string
Exploitation: remote (in-game)
Date: 02 Mar 2007
Author: Luigi Auriemma
e-mail: aluigi@xxxxxxxxxxxxx
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Netrek is a well known real-time strategy game inspired to Star Trek.
#######################################################################
======
2) Bug
======
The Vanilla server is affected by a format string vulnerability caused
by the calling of the pmessage2() function without the needed format
argument.
The bug is located in new_warning() and can be exploitated through the
locking of a player (the same attacker too) who is using a malformed
nickname.
Note that the EVENTLOG switch must be enabled for exploiting this
vulnerability (default is disabled).
from ntserv/warning.c:
void new_warning(int index, const char *fmt, ...) {
char temp[150];
va_list args;
va_start(args, fmt);
vsprintf(temp, fmt, args);
...
if (eventlog) {
char from_str[9]="WRN->\0\0\0";
strcat(from_str, me->p_mapchars);
pmessage2(0, 0, from_str, me->p_no, temp);
}
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/netrekfs.zip
#######################################################################
======
4) Fix
======
Version 2.12.1
#######################################################################
---
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org