Bug: Server crash in Empire 4.3.2 ( Ascii Version )

Search:
WLB2

Server crash in Empire 4.3.2

Published
Credit
Risk
2006.05.17
Luigi Auriemma (aluigi autistici org)
Low
CWE
CVE
Local
Remote
N/A
CVE-2006-2393
Yes
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
5/10
2.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
None
None
Partial

#######################################################################

Luigi Auriemma

Application: Empire
http://www.wolfpackempire.com
http://sourceforge.net/projects/empserver
Versions: <= 4.3.2
Platforms: Windows, *nix, *BSD and more
Bug: crash caused by strncat misuse
Exploitation: remote, versus server
Date: 12 May 2006
Author: Luigi Auriemma
e-mail: aluigi (at) autistici (dot) org [email concealed]
web: aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Empire is a well known multiplayer Internet war game.

#######################################################################

======
2) Bug
======

The bug is a server's crash caused by the access to an invalid zone of
the memory.
That happens due to the misuse of strncat in the client_cmd function
for adding the text strings sent by the attacker to the player->client
buffer.

From lib/player/login.c:

static int
client_cmd(void)
{
int i;

if (!player->argp[1])
return RET_SYN;

for (i = 1; player->argp[i]; ++i) {
if (i > 1)
strncat(player->client, " ", sizeof(player->client) - 1);
strncat(player->client, player->argp[i], sizeof(player->client) - 1);
}
player->client[sizeof(player->client) - 1] = '';
pr_id(player, C_CMDOK, "talking to %sn", player->client);
return RET_OK;
}

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/empiredos.zip

#######################################################################

======
4) Fix
======

Current CVS has been patched.
Anyway the following is the diff created by the developers:

--- login.c.~1.37.~ 2006-04-26 20:50:40.000000000 +0200
+++ login.c 2006-05-09 08:36:04.000000000 +0200
@@ -133,17 +133,23 @@ player_login(void *ud)
static int
client_cmd(void)
{
- int i;
+ int i, sz;
+ char *p, *end;

if (!player->argp[1])
return RET_SYN;

+ p = player->client;
+ end = player->client + sizeof(player->client) - 1;
for (i = 1; player->argp[i]; ++i) {
if (i > 1)
- strncat(player->client, " ", sizeof(player->client) - 1);
- strncat(player->client, player->argp[i], sizeof(player->client) - 1);
+ *p++ = ' ';
+ sz = strlen(player->argp[i]);
+ sz = MIN(sz, end - p);
+ memcpy(p, player->argp[i], sz);
+ p += sz;
}
- player->client[sizeof(player->client) - 1] = '';
+ *p = 0;
pr_id(player, C_CMDOK, "talking to %sn", player->client);
return RET_OK;
}

#######################################################################

---
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version