NULL pointer in ZDaemon 1.08.07

To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx, packet@xxxxxxxxxxxxxxxxxxxxxxx, cert@xxxxxxxx, news@xxxxxxxxxxxxxx
Subject: NULL pointer in ZDaemon 1.08.07
From: Luigi Auriemma <aluigi@xxxxxxxxxxxxx>
Date: Tue, 22 Jul 2008 00:02:21 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

#######################################################################

                             Luigi Auriemma

Application:  ZDaemon
              http://www.zdaemon.org
Versions:     <= 1.08.07
Platforms:    Windows and Linux
Bug:          NULL pointer
Exploitation: remote, versus server (in-game)
Date:         21 Jul 2008
Author:       Luigi Auriemma
              e-mail: aluigi@xxxxxxxxxxxxx
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


ZDaemon is one of the most played multiplayer ports of the Doom engine
and at the same time one of the most criticized too.


#######################################################################

======
2) Bug
======


The ZDaemon server is affected by a NULL pointer vulnerability which
allows an attacker to crash it when a specific type of command (type 6)
is used.

The attacker needs to join the server for exploiting this bug so his IP
address must be not banned and he must know the right keyword if the
server is protected with a password.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/zdaemonull.zip


#######################################################################

======
4) Fix
======


No fix


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org
http://backup.aluigi.org
http://mirror.aluigi.org

Prev by Date: [ GLSA 200807-12 ] BitchX: Multiple vulnerabilities
Next by Date: FGA-2008-16: EMC Dantz Retrospect 7 backup Server Authentication Module Weak Password Hash Arithmetic Vulnerability
Previous by thread: [ GLSA 200807-12 ] BitchX: Multiple vulnerabilities
Next by thread: FGA-2008-16: EMC Dantz Retrospect 7 backup Server Authentication Module Weak Password Hash Arithmetic Vulnerability
Index(es):
- Date
- Thread