#######################################################################
Luigi Auriemma
Application: Vavoom
http://www.vavoom-engine.com
Versions: <= 1.19.1
Platforms: Windows, DOS, *nix, *BSD and more
Bugs: A] socket unreachable
B] decompression crash
Exploitation: remote, versus server and client
Date: 26 Mar 2006
Author: Luigi Auriemma
e-mail: [email protected]
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################

1) Introduction
Vavoom is an open source engine based on the GPLed Doom engine with
many interesting features.
Although it supports multiplayer, it still doesn't have a master server
for online gaming.
#######################################################################

2) Bugs
A] socket unreachable

The game reads its UDP socket asynchronously, polling the size of the
pending datagram through the FIONREAD ioctl before reading it.
When a packet with no data in it (0 length) or bigger than 4096 bytes
(the max size supported by the game) is received, the game keeps seeing
and skipping the very same packet, since the check returns 0 or -1
without ever consuming the datagram (endless loop), and nobody is able
to join and play.
The only way to restore the situation is restarting the server.
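The receive-loop failure described above, as an added example written for this advisory (it is not Vavoom's code and does not reproduce its real networking layer): a "buggy" poll that, like the one described, checks FIONREAD and skips bad datagrams without reading them, next to a hardened poll that always consumes the head datagram with recvmsg(), so a zero-length or oversize datagram is dropped and the queue advances. The helper queues three constructed datagrams on a loopback UDP socket and counts how many poll calls it takes to reach the good one; NET_DATAGRAMSIZE is taken from the 4096-byte limit in the advisory, everything else is assumed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <netinet/in.h>

#define NET_DATAGRAMSIZE 4096   /* max packet size the game accepts (from the advisory) */

/* Buggy-style poll (modelled on the advisory's description): peek the pending
   length with FIONREAD and "skip" when it is 0 or too big. Nothing is read, so
   the same datagram stays at the head of the queue and every later call sees it
   again: the endless loop. Returns bytes read, or -1 when skipped. */
static int poll_buggy(int fd, unsigned char *buf, size_t bufsize) {
    int pending = 0;
    if (ioctl(fd, FIONREAD, &pending) < 0) return -1;
    if (pending <= 0 || pending > NET_DATAGRAMSIZE) return -1;   /* skipped, not consumed */
    return (int)recv(fd, buf, bufsize, 0);
}

/* Hardened poll: always consume the head datagram. The kernel truncates a
   datagram larger than the buffer and discards the rest (flagging MSG_TRUNC),
   so the queue always advances. Returns bytes read, 0 when a zero-length or
   oversize datagram was dropped, -1 when nothing is pending. */
static int poll_fixed(int fd, unsigned char *buf, size_t bufsize) {
    struct iovec iov = { buf, bufsize };
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    ssize_t n = recvmsg(fd, &msg, MSG_DONTWAIT);
    if (n < 0) return (errno == EAGAIN || errno == EWOULDBLOCK) ? -1 : -1;
    if (n == 0 || (msg.msg_flags & MSG_TRUNC)) return 0;        /* bad datagram dropped */
    return (int)n;
}

/* Queues [empty datagram][5000-byte datagram][good datagram] on a loopback UDP
   socket (all constructed), then counts the poll calls needed to read the good
   one. Returns that count, or -1 if `limit` calls were not enough. */
int calls_to_reach_good_packet(int (*poll)(int, unsigned char *, size_t), int limit) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in me;
    memset(&me, 0, sizeof me);
    me.sin_family = AF_INET;
    me.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    me.sin_port = 0;                                  /* let the kernel pick a port */
    socklen_t len = sizeof me;
    if (bind(fd, (struct sockaddr *)&me, sizeof me) < 0 ||
        getsockname(fd, (struct sockaddr *)&me, &len) < 0) { close(fd); return -1; }

    static unsigned char big[5000];                   /* constructed: > NET_DATAGRAMSIZE */
    memset(big, 'A', sizeof big);
    const char good[] = "VAVOOMOK";                   /* constructed: a well-formed packet */
    sendto(fd, "", 0, 0, (struct sockaddr *)&me, sizeof me);
    sendto(fd, big, sizeof big, 0, (struct sockaddr *)&me, sizeof me);
    sendto(fd, good, sizeof good, 0, (struct sockaddr *)&me, sizeof me);

    unsigned char buf[NET_DATAGRAMSIZE];
    int result = -1;
    for (int calls = 1; calls <= limit; calls++) {
        if (poll(fd, buf, sizeof buf) > 0) { result = calls; break; }
    }
    close(fd);
    return result;
}

int main(void) {
    printf("buggy poll reaches the good packet after %d calls (-1 = never)\n",
           calls_to_reach_good_packet(poll_buggy, 50));
    printf("fixed poll reaches the good packet after %d calls\n",
           calls_to_reach_good_packet(poll_fixed, 50));
    return 0;
}
```

With the buggy poll the empty datagram is reported as 0 bytes by FIONREAD and never read, so the socket is stuck on it forever; the hardened poll drops it and the oversize one and reads the good packet on the third call. The point is that a sanity check on the pending size is only safe if the datagram is consumed regardless of the outcome.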
B] decompression crash

There is a buffer overflow in the handling of the compressed packets.
Anyway it is not possible (I have found no way) to exploit it for
executing malicious code, so the only effect is the immediate
termination of the program.
The problem is caused by the lack of checks on the comprLength value
sent by the attacker, which specifies and limits the uncompressed
size of the compressed data located in the packet.
The buffer into which the data is uncompressed is packetBuffer.data,
which is 1024 bytes.
From Datagram_GetMessage in source/net_dgrm.cpp:

  …
  // DecomprLength is the output capacity handed to zlib; it is taken
  // straight from the peer-supplied comprLength and is never compared
  // against sizeof(packetBuffer.data) (1024 bytes)
  uLongf DecomprLength = comprLength;
  if (uncompress(packetBuffer.data, &DecomprLength,
      CompressedData, length - NET_HEADERSIZE) != Z_OK)
  …
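The missing check, as an added example written for this advisory (not Vavoom's code): a handler that validates the peer-declared comprLength against the real size of packetBuffer.data before decompressing, passes only a checked value as the output capacity, and rejects a packet whose decompressed size does not match what the header declared. The packet layout (a 4-byte big-endian comprLength header followed by a toy run-length payload) and the toy decompressor are constructed stand-ins for the real Vavoom header and zlib's uncompress(); the toy keeps uncompress()'s contract (*destLen is the capacity on entry, the produced size on return, and the output never exceeds the capacity) so the handler logic carries over unchanged. PACKET_DATA_SIZE is the 1024 bytes from the advisory; the 5000-byte declared size is a constructed value.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NET_HEADERSIZE 4        /* assumed toy header: comprLength as big-endian uint32 */
#define PACKET_DATA_SIZE 1024   /* size of packetBuffer.data per the advisory */

/* Return codes mirroring zlib's Z_OK / Z_DATA_ERROR / Z_BUF_ERROR. */
enum { TOY_OK = 0, TOY_DATA_ERROR = -3, TOY_BUF_ERROR = -5 };

/* Stand-in for uncompress() with the same contract. Payload is (run, byte) pairs. */
static int toy_uncompress(unsigned char *dest, size_t *destLen,
                          const unsigned char *src, size_t srcLen) {
    size_t out = 0;
    if (srcLen % 2) return TOY_DATA_ERROR;
    for (size_t i = 0; i < srcLen; i += 2) {
        size_t run = src[i];
        if (out + run > *destLen) { *destLen = out; return TOY_BUF_ERROR; }  /* never overrun */
        memset(dest + out, src[i + 1], run);
        out += run;
    }
    *destLen = out;
    return TOY_OK;
}

static struct { unsigned char data[PACKET_DATA_SIZE]; } packetBuffer;

/* Hardened handler. Returns the decompressed length, or a negative error:
   -1 packet too short, -2 declared size exceeds the buffer, -3 decompressor
   error or declared/actual size mismatch. */
int handle_compressed_packet(const unsigned char *pkt, size_t len) {
    if (len <= NET_HEADERSIZE) return -1;
    uint32_t comprLength = ((uint32_t)pkt[0] << 24) | ((uint32_t)pkt[1] << 16) |
                           ((uint32_t)pkt[2] << 8) | pkt[3];
    /* The check the advisory reports as missing: the peer's declared
       uncompressed size must fit the destination buffer. */
    if (comprLength > sizeof packetBuffer.data) return -2;
    size_t DecomprLength = comprLength;               /* now a bounded capacity */
    if (toy_uncompress(packetBuffer.data, &DecomprLength,
                       pkt + NET_HEADERSIZE, len - NET_HEADERSIZE) != TOY_OK)
        return -3;
    if (DecomprLength != comprLength) return -3;      /* header must match reality */
    return (int)DecomprLength;
}

/* Builds a constructed packet declaring `declared` bytes whose payload really
   expands to `actual` bytes. Returns the packet length, 0 if `cap` is too small. */
static size_t build_packet(unsigned char *out, size_t cap, uint32_t declared, size_t actual) {
    size_t n = 0;
    if (cap < NET_HEADERSIZE) return 0;
    out[n++] = (unsigned char)(declared >> 24); out[n++] = (unsigned char)(declared >> 16);
    out[n++] = (unsigned char)(declared >> 8);  out[n++] = (unsigned char)declared;
    while (actual > 0) {
        size_t run = actual > 255 ? 255 : actual;
        if (n + 2 > cap) return 0;
        out[n++] = (unsigned char)run;
        out[n++] = 'A';
        actual -= run;
    }
    return n;
}

/* Runs one constructed packet through the hardened handler and returns its result. */
int decode_scenario(uint32_t declared, size_t actual) {
    unsigned char pkt[128];
    size_t len = build_packet(pkt, sizeof pkt, declared, actual);
    return len ? handle_compressed_packet(pkt, len) : -1;
}

int main(void) {
    printf("honest 512-byte packet      -> %d\n", decode_scenario(512, 512));
    printf("declares 5000 (> 1024)       -> %d\n", decode_scenario(5000, 5000));
    printf("declares 512, expands to 5000 -> %d\n", decode_scenario(512, 5000));
    printf("declares 100, expands to 50   -> %d\n", decode_scenario(100, 50));
    return 0;
}
```

The second scenario is the one the advisory describes: without the `comprLength > sizeof packetBuffer.data` check the declared 5000 would become the capacity handed to the decompressor and the 1024-byte buffer would be overrun; with it the packet is rejected before any data is written. The third and fourth scenarios show why the capacity passed to uncompress() and the post-check on the returned length matter even when the header value itself is in range.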
#######################################################################

3) The Code
http://aluigi.altervista.org/poc/vaboom.zip
#######################################################################

4) Fix
No fix.
No reply from the developers.
#######################################################################