Application:  Skulltag
              http://www.skulltag.com
Versions:     <= 0.96f
Platforms:    Windows
Bug:          format string
Exploitation: remote, versus server
Date:         23 Apr 2006
Author:       Luigi Auriemma
              e-mail: email@example.com
              web:    http://aluigi.altervista.org
1) Introduction
2) Bug
3) The Code
4) Fix
===============
1) Introduction
===============
Skulltag is a well-known and actively supported Doom engine, mainly based on ZDoom and focused on online gaming. Unfortunately it is released as closed source although it uses open source code.
======
2) Bug
======
The server is affected by a format string vulnerability exploitable when a client passes a wrong version string. The following are the bugged instructions in the 0.96f executable:
The exploitation happens "outside" the server session, so there are no banning or password limitations for the attacker. The only so-called obstacle is when the server is full, since it can't be attacked during that (rare) state. A note about possible code execution: the subsequent instructions use the strupr function, which converts almost all the characters in the string to upper case.
===========
3) The Code
===========
======
4) Fix
======
The developer has been contacted and has fixed the bug only in his private development version, which will probably be released this summer. So there is no fix available at the moment.
Fortunately the bug is simple enough to fix, so I have created an unofficial patch which adds the argument "%s" to sprintf. This solution is sufficient since it is not possible to overflow the buffer (so there is no need for snprintf or "%.*s"):
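As an added illustration (not Skulltag's code and not the unofficial patch itself) of the bug described in section 2 and the fix in section 4: a hypothetical reconstruction of the server-side handling, with the constant "%s" format applied and the strupr step that the advisory says follows it. The buffer size, function names and the length check are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Assumed buffer size for this example; the advisory only states that the
 * real buffer cannot be overflowed by the version string. */
#define VERSION_MSG_LEN 64

/* Hypothetical reconstruction of the vulnerable handling (not Skulltag's
 * own code). The bugged instructions passed the client-controlled version
 * string directly as the format argument:
 *
 *     sprintf(msg, client_version);      // format string bug
 *
 * The fix adds a constant "%s" format so the client string is consumed as
 * data only. Returns 0 on success, -1 if the input is rejected. */
int build_version_msg(char *msg, const char *client_version)
{
    /* The advisory says the buffer cannot overflow; the check is made
     * explicit here so the example stays safe stand-alone. */
    if (strlen(client_version) >= VERSION_MSG_LEN)
        return -1;

    sprintf(msg, "%s", client_version);   /* fixed: constant format string */

    /* The advisory notes that the following instructions call strupr();
     * emulated portably here because strupr() is not standard C. */
    for (char *p = msg; *p; p++)
        *p = (char)toupper((unsigned char)*p);
    return 0;
}

/* Detection helper for server logs: does a client version string carry a
 * '%' that would have been interpreted by the vulnerable build? */
int has_format_directives(const char *client_version)
{
    return strchr(client_version, '%') != NULL;
}
```

With the constant format, a version string such as "0.96f%n%x" is copied literally and then upper-cased, rather than interpreted.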
Luigi Auriemma
http://aluigi.altervista.org
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/