SecurityvulnsSECURITYVULNS:DOC:13448Format string bug in Sparklet 0.9.4try3
#######################################################################
Luigi Auriemma
Application: Sparklet
http://sparklet.sourceforge.net
Versions: <= 0.9.4try3
Platforms: Windows, *nix, *BSD and more
Bug: format string in client's display
Exploitation: remote, versus clients
Date: 06 Jul 2006
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
Sparklet is a nice multiplayer 2d shooting game released under the GPL
license.
#######################################################################
======
2) Bug
The game is affected by a format string vulnerability located in the
function which visualizes the text strings on the client screen during
the match.
The problem is located in agl_text.cpp where is missed the "%s" format
argument:
void WriteText(const Point<float> &DstLoc, const std::string &Text, const int &Font, const ULONG
&Color) {
…
allegro_gl_printf_ex(fnt, x, y, 0, Text.c_str());
…
Through this bug an attacker on a server or a client (the server is not
vulnerable since it simply forwards all the received data to all the
clients connected to it) can crash or execute malicious code versus any
client which is playing on the server.
#######################################################################
===========
3) The Code
Use the nickname %n%n%n%n%n
#######################################################################
======
4) Fix
A new version will be released soon
#######################################################################
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org