Netrek 2.12.0 - pmessage2 Remote Limited Format String Exploit

2007-03-02T00:00:00
ID EDB-ID:3399
Type exploitdb
Reporter Luigi Auriemma
Modified 2007-03-02T00:00:00

Description

Netrek 2.12.0 pmessage2() Remote Limited Format String Exploit. CVE-2007-1251. Dos exploit for windows platform

                                        
                                            #######################################################################

                            Luigi Auriemma
Application:  Netrek
              http://www.netrek.org
Versions:     <= 2.12.0 (Vanilla server)
Platforms:    *nix and Windows
Bug:          format string
Exploitation: remote (in-game)
Date:         02 Mar 2007
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Netrek is a well known real-time strategy game inspired to Star Trek.

#######################################################################

======
2) Bug
======

The Vanilla server is affected by a format string vulnerability caused
by the calling of the pmessage2() function without the needed format
argument.

The bug is located in new_warning() and can be exploitated through the
locking of a player (the same attacker too) who is using a malformed
nickname.

Note that the EVENTLOG switch must be enabled for exploiting this
vulnerability (default is disabled).

from ntserv/warning.c:

void new_warning(int index, const char *fmt, ...) {

 char temp[150];

 va_list args;
 va_start(args, fmt);

 vsprintf(temp, fmt, args);

 ...

 if (eventlog) {

   char from_str[9]="WRN->\0\0\0";

   strcat(from_str, me->p_mapchars);
   pmessage2(0, 0, from_str, me->p_no, temp);
 }


#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/netrekfs.zip
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/3399.zip (03022007-netrekfs.zip)

#######################################################################

======
4) Fix
======

Version 2.12.1

#######################################################################


# milw0rm.com [2007-03-02]