Netrek 2.12.0 pmessage2() Remote Limited Format String Exploit

2007-03-02T00:00:00
ID 1337DAY-ID-6325
Type zdt
Reporter Luigi Auriemma
Modified 2007-03-02T00:00:00

Description

Exploit for unknown platform in category dos / poc

                                        
                                            ==============================================================
Netrek 2.12.0 pmessage2() Remote Limited Format String Exploit
==============================================================

#######################################################################

                            Luigi Auriemma
Application:  Netrek
              http://www.netrek.org
Versions:     <= 2.12.0 (Vanilla server)
Platforms:    *nix and Windows
Bug:          format string
Exploitation: remote (in-game)

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Netrek is a well known real-time strategy game inspired to Star Trek.

#######################################################################

======
2) Bug
======

The Vanilla server is affected by a format string vulnerability caused
by the calling of the pmessage2() function without the needed format
argument.

The bug is located in new_warning() and can be exploitated through the
locking of a player (the same attacker too) who is using a malformed
nickname.

Note that the EVENTLOG switch must be enabled for exploiting this
vulnerability (default is disabled).

from ntserv/warning.c:

void new_warning(int index, const char *fmt, ...) {

 char temp[150];

 va_list args;
 va_start(args, fmt);

 vsprintf(temp, fmt, args);

 ...

 if (eventlog) {

   char from_str[9]="WRN->\0\0\0";

   strcat(from_str, me->p_mapchars);
   pmessage2(0, 0, from_str, me->p_no, temp);
 }


#######################################################################

===========
3) The Code
===========

http://www.inj3ct0r.com/sploits/6325.zip

#######################################################################

======
4) Fix
======

Version 2.12.1

#######################################################################




#  0day.today [2018-04-01]  #