[Full-disclosure] Format string bug in Skulltag 0.96f

2006-04-24T00:00:00
ID SECURITYVULNS:DOC:12385
Type securityvulns
Reporter Securityvulns
Modified 2006-04-24T00:00:00

Description

                         Luigi Auriemma

Application: Skulltag http://www.skulltag.com Versions: <= 0.96f Platforms: Windows Bug: format string Exploitation: remote, versus server Date: 23 Apr 2006 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: http://aluigi.altervista.org

1) Introduction 2) Bug 3) The Code 4) Fix

=============== 1) Introduction ===============

Skulltag is a well known and supported Doom engine mainly based on Zdoom and focused on online gaming. Unfortunately it's released as closed source although it uses open source code.

====== 2) Bug ======

The server is affected by a format string vulnerability exploitable when a client passes a wrong version string. The following are the bugged instructions in the 0.96f executable:

  • Reference To: MSVCRT.sprintf, Ord:02B2h | :004DCCC3 8B3D30415900 mov edi, dword ptr [00594130] :004DCCC9 8D4C2424 lea ecx, dword ptr [esp+24] :004DCCCD 50 push eax ; client's version :004DCCCE 51 push ecx ; buffer :004DCCCF FFD7 call edi ; sprintf()

traduced in:

sprintf(buffer, version_sent_by_the_client);

The exploitation happens "outside" the server so there are no banning and password limitations for the attacker. The only so called obstacle happens when the server is full because it can't be attacked during this (rare) state. A note about the possible code execution, the subsequent instructions use the strupr function which converts almost all the chars in the string to upper cases.

=========== 3) The Code ===========

http://aluigi.altervista.org/poc/skulltagfs.zip

====== 4) Fix ======

The developer has been contacted and has fixed the bug only in his private development version which will be released probably this summer. So there is no fix available.

Fortunately the bug is enough simple to fix so I have created an unofficial patch which adds the argument "%s" to sprintf. This solution is enough since is not possible to overflow the buffer (so no need of snprintf or "%.*s"):

http://aluigi.altervista.org/patches/skulltagfs-fix.zip


Luigi Auriemma http://aluigi.altervista.org


Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/