
[Full-disclosure] Server crash in Empire 4.3.2

2006-05-13 00:00:00
vulners.com

#######################################################################

                         Luigi Auriemma

Application: Empire
http://www.wolfpackempire.com
http://sourceforge.net/projects/empserver
Versions: <= 4.3.2
Platforms: Windows, *nix, *BSD and more
Bug: crash caused by strncat misuse
Exploitation: remote, versus server
Date: 12 May 2006
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction

Empire is a well known multiplayer Internet war game.

#######################################################################

======
2) Bug

The bug is a server crash caused by access to an invalid memory region.
It happens because of the misuse of strncat in the client_cmd function,
which appends the text strings sent by the attacker to the player->client
buffer: the size argument passed to strncat is the whole buffer size on
every call instead of the space still remaining, so repeated appends run
past the end of the buffer.

From lib/player/login.c:

static int
client_cmd(void)
{
    int i;

    if (!player->argp[1])
        return RET_SYN;

    for (i = 1; player->argp[i]; ++i) {
        /* strncat's size argument is the maximum appended per call, not the
         * total capacity: sizeof(player->client) - 1 is passed every time,
         * so the sum of the appends can exceed the buffer */
        if (i > 1)
            strncat(player->client, " ", sizeof(player->client) - 1);
        strncat(player->client, player->argp[i], sizeof(player->client) - 1);
    }
    /* this terminator does not undo bytes already written past the end */
    player->client[sizeof(player->client) - 1] = '\0';
    pr_id(player, C_CMDOK, "talking to %s\n", player->client);
    return RET_OK;
}
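As an added illustration (my own code, not Empire's): the same join written with strncat bounded by the space remaining in the buffer, beside an accounting of how many bytes the original loop would write. The buffer size, the argument strings and the function names are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for player->client; kept small so truncation shows. */
#define CLIENT_BUF_SZ 16

/*
 * strncat(dst, src, n) appends at most n bytes of src and always writes a
 * NUL after them, so the bound must be the space still free in dst minus
 * one for that NUL, recomputed on every call. The advisory's code passes
 * sizeof(dst) - 1 each time, which only limits a single append.
 */
static void append_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t used = strlen(dst);      /* dst must already be NUL-terminated */
    if (used + 1 >= dstsz)
        return;                     /* buffer full: drop the rest */
    strncat(dst, src, dstsz - used - 1);
}

/*
 * Join argv[1..] with single spaces into dst, truncating to fit.
 * Same intent as client_cmd(), written so it cannot run past dst.
 * Returns the length of the resulting string.
 */
static size_t join_args(char *dst, size_t dstsz, char *const argv[])
{
    int i;

    dst[0] = '\0';
    for (i = 1; argv[i]; ++i) {
        if (i > 1)
            append_bounded(dst, dstsz, " ");
        append_bounded(dst, dstsz, argv[i]);
    }
    return strlen(dst);
}

/*
 * Count, without touching memory, how many bytes the vulnerable loop would
 * write (including the final NUL): each strncat call is capped at dstsz - 1,
 * but the caps are never reduced by what is already in the buffer.
 */
static size_t vulnerable_loop_bytes(size_t dstsz, char *const argv[])
{
    size_t len = 0;
    int i;

    for (i = 1; argv[i]; ++i) {
        size_t n = strlen(argv[i]);
        if (i > 1)
            len += 1;                               /* the " " separator */
        len += n < dstsz - 1 ? n : dstsz - 1;       /* per-call cap only */
    }
    return len + 1;
}

int main(void)
{
    char buf[CLIENT_BUF_SZ];
    /* constructed argument vector in the shape of player->argp */
    char *const argv[] = { "client", "AAAAAAAAAA", "BBBBBBBBBB", NULL };

    printf("vulnerable loop would write %zu bytes into a %d-byte buffer\n",
           vulnerable_loop_bytes(sizeof buf, argv), CLIENT_BUF_SZ);
    join_args(buf, sizeof buf, argv);
    printf("bounded join: \"%s\" (%zu bytes)\n", buf, strlen(buf));
    return 0;
}
```

With two ten-byte arguments and a sixteen-byte buffer the original accounting comes to 22 bytes, while the bounded join stops at 15 characters plus the terminator and keeps the leading part of each argument.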

#######################################################################

===========
3) The Code

http://aluigi.org/poc/empiredos.zip

#######################################################################

======
4) Fix

The current CVS tree has been patched; the following is the diff created
by the developers:

— login.c.~1.37.~ 2006-04-26 20:50:40.000000000 +0200
+++ login.c 2006-05-09 08:36:04.000000000 +0200
@@ -133,17 +133,23 @@ player_login(void *ud)
static int
client_cmd(void)
{

  • int i;
  • int i, sz;

  • char *p, *end;

    if (!player->argp[1])
    return RET_SYN;

  • p = player->client;

  • end = player->client + sizeof(player->client) - 1;
    for (i = 1; player->argp[i]; ++i) {
    if (i > 1)

  •       strncat&#40;player-&gt;client, &quot; &quot;, sizeof&#40;player-&gt;client&#41; - 1&#41;;
    
  •   strncat&#40;player-&gt;client, player-&gt;argp[i], sizeof&#40;player-&gt;client&#41; - 1&#41;;
    
  •       *p++ = &#39; &#39;;
    
  •   sz = strlen&#40;player-&gt;argp[i]&#41;;
    
  •   sz = MIN&#40;sz, end - p&#41;;
    
  •   memcpy&#40;p, player-&gt;argp[i], sz&#41;;
    
  •   p += sz;
    
    }
  • player->client[sizeof(player->client) - 1] = '\0';
  • *p = 0;
    pr_id(player, C_CMDOK, "talking to %s\n", player->client);
    return RET_OK;
    }
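Review bot: the separator write `*p++ = ' ';` done for `i > 1` is not bounded by `end`. If the previous argument filled the buffer so that `p == end`, the space is stored in the last byte and `p` moves one past it; `end - p` is then negative, `sz = MIN(sz, end - p);` yields a negative `sz` with the usual ternary MIN, and `memcpy(p, player->argp[i], sz);` receives that value converted to a huge size_t. Guard the separator with `if (p < end)` and leave the loop once `p >= end`, so that the final `*p = 0;` also stays inside `player->client`.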

#######################################################################


Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/