SECURITYVULNS:DOC:11965
Mar 27, 2006

Socket unreachable and decompression buffer-overflow in Vavoom 1.19.1

Source: vulners.com

#######################################################################

                         Luigi Auriemma

Application: Vavoom
http://www.vavoom-engine.com
Versions: <= 1.19.1
Platforms: Windows, DOS, *nix, *BSD and more
Bugs: A] socket unreachable
B] decompression crash
Exploitation: remote, versus server and client
Date: 26 Mar 2006
Author: Luigi Auriemma
e-mail: [email protected]
web: http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction

Vavoom is an open source engine based on the GPLed Doom engine with
many interesting features.
Although it supports multiplayer, it still doesn't have a master server
for online gaming.

#######################################################################

=======
2) Bugs


A] socket unreachable

The game reads from an asynchronous socket, using the FIONREAD command
to learn how much data is waiting. When a packet with no data in it
(0 length) or bigger than 4096 bytes (the maximum size supported by the
game) is received, the game keeps seeing and skipping the very same
packet, whose read returns 0 or -1 every time (endless loop), and nobody
is able to join and play.
The only way to restore the situation is restarting the server.
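The receive loop below is an added illustration of the mitigation for this bug, not Vavoom's code: instead of asking FIONREAD how big the next datagram is and then deciding whether to read it, the server always reads into a buffer one byte larger than the maximum it accepts, so a 0-length or oversized datagram is dequeued and discarded rather than left at the head of the queue. The constructed demo uses an AF_UNIX datagram socketpair as a stand-in for the game's UDP socket; the 4096-byte limit is the one stated above.

```python
import socket

MAX_PACKET = 4096  # largest datagram the game accepts (from the advisory)


def drain_one(sock, max_size=MAX_PACKET):
    """Dequeue exactly one datagram and classify it.

    Returns ("empty", b""), ("oversized", n) where n is the number of bytes
    the kernel handed over before truncating, ("packet", data) for a usable
    packet, or None when nothing is queued.  The datagram leaves the socket
    queue in every case: a packet the server refuses to process must still
    be consumed, otherwise it stalls the receive loop forever.
    """
    try:
        data = sock.recv(max_size + 1)
    except BlockingIOError:
        return None
    if len(data) == 0:
        return ("empty", b"")
    if len(data) > max_size:
        # recv() returned max_size+1 bytes and the kernel dropped the rest;
        # the datagram is already gone from the queue, so just report it.
        return ("oversized", len(data))
    return ("packet", data)


def drain_all(sock, max_size=MAX_PACKET):
    """Consume every queued datagram and return the classification list."""
    results = []
    while True:
        r = drain_one(sock, max_size)
        if r is None:
            return results
        results.append(r)


def demo():
    # Constructed scenario: a local datagram socketpair (assumption: Linux
    # or BSD semantics, where recv() truncates and discards an oversized
    # datagram) stands in for the game's UDP socket.
    client, server = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    server.setblocking(False)
    client.send(b"")                  # 0-length datagram
    client.send(b"A" * 5000)          # larger than MAX_PACKET
    client.send(b"\x01\x02join")      # a normal, well-sized packet
    results = drain_all(server)
    client.close()
    server.close()
    return results


if __name__ == "__main__":
    for kind, payload in demo():
        print(kind, payload if kind == "packet" else "")
```

The empty and oversized datagrams are reported and dropped, and the third, valid packet is still delivered, which is exactly the behaviour the FIONREAD-based loop lacks.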


B] decompression crash

There is a buffer overflow in the handling of the compressed packets.
It does not seem possible (I have found no way) to exploit it for
executing malicious code, so the only effect is the immediate
termination of the program.

The problem is caused by the lack of checks on the comprLength value
supplied by the attacker, which specifies and limits the uncompressed
size of the compressed data contained in the packet.
The buffer into which the data is uncompressed is packetBuffer.data,
which is 1024 bytes long.

From Datagram_GetMessage in source/net_dgrm.cpp:

/* comprLength comes straight from the packet and is never compared
   with sizeof(packetBuffer.data), so it is the attacker who sets the
   output bound handed to zlib */
uLongf DecomprLength = comprLength;
if (uncompress(packetBuffer.data, &DecomprLength,
    CompressedData, length - NET_HEADERSIZE) != Z_OK)
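As an added example of the missing check, not taken from Vavoom's sources, the function below inflates a packet the way a fixed Datagram_GetMessage should: the header's comprLength is rejected when it exceeds the 1024-byte packetBuffer.data, and the stream is additionally bounded during inflation so that data which lies about its size cannot grow past the buffer. Python's zlib module is used in place of the C uncompress() call; the "+1 sentinel" on the output bound is a detail of this Python version, used to tell an exact fit apart from an overflow (in C, a correctly bounded uncompress() simply returns Z_BUF_ERROR). Sample payloads are constructed inline.

```python
import zlib

PACKET_BUFFER_SIZE = 1024  # size of packetBuffer.data (from the advisory)


class BadPacket(Exception):
    """Raised for any packet that must be dropped instead of decompressed."""


def bounded_uncompress(compressed, claimed_length, buf_size=PACKET_BUFFER_SIZE):
    """Inflate `compressed` into at most buf_size bytes and return the data.

    `claimed_length` plays the role of comprLength: attacker-controlled, so
    it may only ever shrink the bound, never replace it.
    """
    # Check 1: the declared size must fit the real destination buffer.
    if claimed_length > buf_size:
        raise BadPacket(f"comprLength {claimed_length} exceeds buffer of {buf_size}")
    d = zlib.decompressobj()
    try:
        # Check 2: ask for one byte more than allowed; if we get it, the
        # stream inflates past the declared size and the packet is bogus.
        out = d.decompress(compressed, claimed_length + 1)
    except zlib.error as exc:
        raise BadPacket(f"corrupt compressed data: {exc}") from exc
    if len(out) > claimed_length:
        raise BadPacket("compressed data inflates past the declared length")
    if not d.eof:
        # Output fit, but the stream never reached its end marker/checksum:
        # truncated or tampered data, treated like a zlib failure.
        raise BadPacket("truncated or incomplete compressed stream")
    return out


def is_rejected(compressed, claimed_length, buf_size=PACKET_BUFFER_SIZE):
    """Convenience wrapper: True when the packet would be dropped."""
    try:
        bounded_uncompress(compressed, claimed_length, buf_size)
    except BadPacket:
        return True
    return False


if __name__ == "__main__":
    # Constructed samples: a legitimate 260-byte update and a 4000-byte
    # payload that does not fit the 1024-byte buffer however it is declared.
    good = zlib.compress(b"state update " * 20)
    big = zlib.compress(b"A" * 4000)
    print(len(bounded_uncompress(good, 260)), "bytes accepted")
    print("oversized, honest header rejected:", is_rejected(big, 4000))
    print("oversized, lying header rejected:", is_rejected(big, 1024))
    print("truncated stream rejected:", is_rejected(good[:-4], 260))
```

The second rejection is the important one: clamping or checking comprLength alone is not enough, because the compressed stream itself decides how many bytes come out, so the bound must also be enforced by the decompressor.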

#######################################################################

===========
3) The Code

http://aluigi.altervista.org/poc/vaboom.zip

#######################################################################

======
4) Fix

No fix.
No reply from the developers.

#######################################################################