Bug: Buffer-overflow and NULL pointer crash in Genecys 0.2

Published: 2006.05.25
Credit:    Luigi Auriemma
Risk:      High
CWE:       N/A
CVE:       CVE-2006-2555, CVE-2006-2554
Local:     No
Remote:    Yes

#######################################################################

Luigi Auriemma

Application: Genecys
http://www.genecys.org
Versions: <= 0.2 and current CVS
Platforms: *nix and *BSD
Bugs: A] tell_player_surr_changes buffer-overflow
      B] parse_command NULL pointer crash
Exploitation: remote, versus server
Date: 12 May 2006
Author: Luigi Auriemma
e-mail: aluigi at autistici.org
web: aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Genecys is an open source MMORPG project.


#######################################################################

=======
2) Bugs
=======

-------------------------------------------
A] tell_player_surr_changes buffer-overflow
-------------------------------------------

The function tell_player_surr_changes is affected by a buffer-overflow
which could allow an attacker to execute malicious code.
The problem is caused by the use of sprintf and strcat to build a
message in fixed 256-byte stack buffers without any length check on the
appended fields.

From server/player.c:

int tell_player_surr_changes(event_t *event)
{
    pl_known_t *known, *knext;
    object_t *obj;
    char buf[256], buf2[256], b2[40];

    obj = event->initiator;

    for (known=TAILQ_FIRST(&obj->pl->known); known != NULL; known = knext) {
        knext = TAILQ_NEXT(known, next);
        if (!event->action)
            known->lu--;
        if (known->bits > 0) {
            sprintf(buf, "chob id:%s", uid_sprint(b2, &known->uid));
            if (known->bits & PLKN_NROF) {
                sprintf(buf2, " nrof:%d", known->nrof);
                strcat(buf, buf2);
            }
            if (known->bits & PLKN_STATE) {
                sprintf(buf2, " st:%d", known->state);
                strcat(buf, buf2);
            }
            if (known->bits & PLKN_NAME) {
                sprintf(buf2, " nm:\"%s\"", known->name);
                strcat(buf, buf2);
            }
            if (known->bits & PLKN_NAMEPL) {
                sprintf(buf2, " nmp:\"%s\"", known->name_pl);
                strcat(buf, buf2);
            }
            if (known->bits & PLKN_MODEL) {
                sprintf(buf2, " mdl:\"%s\"", known->model);
                strcat(buf, buf2);
            }
            ...

Note: it has not been possible to test this bug in practice due to some
problems while running my test server.
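The following is an added example, not Genecys code, showing how the same
"chob id:... nrof:... nm:..." message can be assembled with bounded writes
instead of sprintf/strcat: every field goes through vsnprintf with the
remaining space, and a field that does not fit makes the function fail
(rolling back to the last complete field) rather than writing past the
buffer. The known_t struct, the PLKN_* values and the integer id standing
in for uid_sprint() are assumptions modelled on the advisory's excerpt.

```c
/* Added example (not Genecys code): bounds-checked construction of the
 * player-change message that tell_player_surr_changes builds with
 * sprintf/strcat into fixed 256-byte buffers.  Names and flag values
 * below are assumptions, not the project's real definitions. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define PLKN_NROF   0x01   /* assumed flag values */
#define PLKN_STATE  0x02
#define PLKN_NAME   0x04
#define PLKN_NAMEPL 0x08
#define PLKN_MODEL  0x10

typedef struct {
    unsigned    bits;
    int         id;       /* stands in for uid_sprint(b2, &known->uid) */
    int         nrof;
    int         state;
    const char *name;
    const char *name_pl;
    const char *model;
} known_t;

/* Append one formatted field at out[*pos].  Returns 0 on success and
 * -1 if the field would not fit in the remaining outlen - *pos bytes;
 * in that case the partial field is erased and out stays NUL-terminated. */
static int append_fmt(char *out, size_t outlen, size_t *pos, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (*pos >= outlen)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(out + *pos, outlen - *pos, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= outlen - *pos) {
        out[*pos] = '\0';          /* roll back the truncated field */
        return -1;
    }
    *pos += (size_t)n;
    return 0;
}

/* Build the change message for one known object.  Returns the message
 * length, or -1 if it does not fit in outlen bytes, so the caller can
 * drop or split the message instead of overflowing the buffer. */
int format_surr_change(char *out, size_t outlen, const known_t *k)
{
    size_t pos = 0;

    if (outlen == 0)
        return -1;
    out[0] = '\0';
    if (append_fmt(out, outlen, &pos, "chob id:%d", k->id))
        return -1;
    if ((k->bits & PLKN_NROF)   && append_fmt(out, outlen, &pos, " nrof:%d", k->nrof))
        return -1;
    if ((k->bits & PLKN_STATE)  && append_fmt(out, outlen, &pos, " st:%d", k->state))
        return -1;
    if ((k->bits & PLKN_NAME)   && append_fmt(out, outlen, &pos, " nm:\"%s\"", k->name))
        return -1;
    if ((k->bits & PLKN_NAMEPL) && append_fmt(out, outlen, &pos, " nmp:\"%s\"", k->name_pl))
        return -1;
    if ((k->bits & PLKN_MODEL)  && append_fmt(out, outlen, &pos, " mdl:\"%s\"", k->model))
        return -1;
    return (int)pos;
}

int main(void)
{
    char buf[256];
    char longname[300];                      /* constructed oversized field */
    known_t ok  = { .bits = PLKN_NROF | PLKN_NAME, .id = 7, .nrof = 3, .name = "sword" };
    known_t big = { .bits = PLKN_NAME, .id = 1 };

    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    big.name = longname;

    printf("%d: %s\n", format_surr_change(buf, sizeof buf, &ok), buf);
    printf("%d: %s\n", format_surr_change(buf, sizeof buf, &big), buf);
    return 0;
}
```

The 256-byte buffer is kept on purpose: the point is not a bigger buffer
but that the writer knows how much room is left and refuses a field that
does not fit, which is what sprintf and strcat never do.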


-----------------------------------
B] parse_command NULL pointer crash
-----------------------------------

The function which parses the commands sent by the client doesn't check
the return value of the strchr call used to split each word into a
command and its value (CMD:VAL).
If the attacker sends a word without the ':' char, strchr returns NULL,
the pointer is incremented and then used, and the server crashes on the
access to a NULL pointer.

From common/netparser.c:

pargs_t *parse_command(char **words, int *command, int count)
{
    argtable_t *asp, dummy;
    char *cp, *tmp, *p;
    size_t span;
    ...
    args = safer_malloc(sizeof(pargs_t)*numargs);
    cur = 0;
    for (i=1; i < count && words[i] != NULL && *words[i]; i++) {
        span = strcspn(words[i], ":");
        tmp = strchr(words[i], ':');
        tmp++;
        ...
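The following is an added example, not Genecys code, showing the missing
check: each client word is split on ':' only after the strchr result has
been tested, so a word without the separator is reported as malformed and
the parse loop stops instead of incrementing and using a NULL pointer.
The cmdval_t type, split_cmd_val and parse_words are assumed names; the
loop condition mirrors the one in the advisory's excerpt.

```c
/* Added example (not Genecys code): CMD:VAL word parsing with the strchr
 * result checked.  Names are assumptions, not the project's API. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

typedef struct {
    char        cmd[32];   /* command part, copied and NUL-terminated */
    const char *val;       /* value part, points into the caller's word */
} cmdval_t;

/* Split one word "CMD:VAL".  Returns 0 on success, -1 if the word is
 * malformed: no ':', empty command, or command longer than cmd[]. */
int split_cmd_val(const char *word, cmdval_t *out)
{
    const char *colon;
    size_t span;

    if (word == NULL || out == NULL)
        return -1;
    colon = strchr(word, ':');
    if (colon == NULL)                 /* the check the original code lacks */
        return -1;
    span = (size_t)(colon - word);     /* equivalent to strcspn(word, ":") */
    if (span == 0 || span >= sizeof out->cmd)
        return -1;
    memcpy(out->cmd, word, span);
    out->cmd[span] = '\0';
    out->val = colon + 1;              /* safe: colon is known to be non-NULL */
    return 0;
}

/* Parse words[1..count) the way parse_command iterates them, stopping at
 * the first NULL or empty word.  Returns the number of CMD:VAL pairs
 * stored in out[], or -1 on the first malformed word or if out[] is full. */
int parse_words(char **words, int count, cmdval_t *out, int max_out)
{
    int i, n = 0;

    for (i = 1; i < count && words[i] != NULL && *words[i]; i++) {
        if (n >= max_out)
            return -1;
        if (split_cmd_val(words[i], &out[n]) != 0)
            return -1;
        n++;
    }
    return n;
}

int main(void)
{
    /* constructed client input: words[0] is the command name, the rest CMD:VAL */
    char *good[] = { "move", "x:10", "y:20", NULL };
    char *bad[]  = { "move", "x:10", "nocolon", NULL };
    cmdval_t pairs[4];
    int n, i;

    n = parse_words(good, 3, pairs, 4);
    for (i = 0; i < n; i++)
        printf("%s = %s\n", pairs[i].cmd, pairs[i].val);
    printf("malformed input -> %d\n", parse_words(bad, 3, pairs, 4));
    return 0;
}
```

Returning -1 for the whole packet, rather than skipping the bad word, is a
deliberate choice: a client that sends a word without ':' is not speaking
the protocol, and the caller should reject the command as a unit.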


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/genecysbof.zip


#######################################################################

======
4) Fix
======


No fix.
No reply from the developers... the game seems no longer supported.


#######################################################################


---
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org

Copyright 2014, cxsecurity.com