Server crash and motd deletion in MultiTheftAuto 0.5 patch 1

2005.09.27
Risk: Medium
Local: No
Remote: Yes
CWE: N/A


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

#######################################################################

                             Luigi Auriemma

Application:  MultiTheftAuto
              http://www.multitheftauto.com
Versions:     <= 0.5 patch 1
Platforms:    Windows, Linux, FreeBSD and OpenBSD
Bugs:         A] anyone can modify the motd
              B] Windows server crash
Exploitation: remote, versus server
Date:         25 Sep 2005
Author:       Luigi Auriemma
              e-mail: aluigi (at) autistici (dot) org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


MultiTheftAuto (MTA) is a closed-source mod and server for the games
Grand Theft Auto III (http://www.rockstargames.com/grandtheftauto3/)
and Grand Theft Auto: Vice City
(http://www.rockstargames.com/vicecity/pc/) which adds multiplayer
capabilities to them.


#######################################################################

=======
2) Bugs
=======


Both the following bugs are directly related but have been separated
since the effects change between the available versions for the
supported platforms:


-----------------------------
A] anyone can modify the motd
-----------------------------

The MTA server has the remote administration option enabled by default.
The problem is the existence of an undocumented command (number 40)
which allows the modification or the deletion of the content of the
motd.txt file used for the message of the day.
This is the only command which doesn't check if the client is an admin
so anyone without permissions has access to it.


-----------------------
B] Windows server crash
-----------------------

The command 40 is also the cause of another problem located in the same
function which seems incomplete or experimental as shown by the
following "retrieved" code:

    // open file for writing "w"
    length = *(u_int *)(src - (src % 4096));
    for(i = j = 0; i < length; i++) {
        if(src[i] == '\n') dst[j++] = '\r';
        dst[j++] = src[i];
        if(j < 1024) continue;
        if(!WriteFile(...)) break;
        j = 0;
    }
    // close file

length is -1 so the function starts an almost endless loop which stops
when the source buffer points to an unallocated zone of the memory.
The result is the immediate crash of the MTA server.

Seems that only the Windows server is affected by the crash because on
Linux the function is substituted with the following "still incorrect"
instruction which doesn't produce exceptions:

    fd = fopen("motd.txt", "w");
    fwrite(data + 4, 1, data, fd);  // yes data is the buffer
    fclose(fd);


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/mtaboom.zip


#######################################################################

======
4) Fix
======


The developers have said that MTA is no longer supported.


#######################################################################


---
Luigi Auriemma
http://aluigi.altervista.org
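
For comparison with the two snippets in section 2, a handler that performs both missing checks (the admin check from bug A and a bounded length from bug B) is sketched below. This is an added example, not code from the advisory or from MTA; the packet layout (4-byte little-endian length followed by the text), the name motd_prepare, the status codes and the MOTD_MAX cap are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MOTD_MAX 1024   /* assumed cap on MOTD size, not a value from MTA */
enum { MOTD_OK = 0, MOTD_DENIED = -1, MOTD_MALFORMED = -2, MOTD_TOO_BIG = -3 };

/* Assumed body layout: 4-byte little-endian length, then the MOTD text. */
static int motd_prepare(const uint8_t *pkt, size_t pkt_len, int is_admin,
                        char *out, size_t out_cap, size_t *out_len)
{
    uint32_t length;
    size_t i, j = 0;

    if (!is_admin)                  /* bug A: authorize before doing anything */
        return MOTD_DENIED;
    if (pkt_len < 4)                /* the length field itself must be present */
        return MOTD_MALFORMED;
    length = (uint32_t)pkt[0] | (uint32_t)pkt[1] << 8 |
             (uint32_t)pkt[2] << 16 | (uint32_t)pkt[3] << 24;
    if (length > pkt_len - 4)       /* bug B: length bounded by received bytes */
        return MOTD_MALFORMED;
    if (length > MOTD_MAX)
        return MOTD_TOO_BIG;
    for (i = 0; i < length; i++) {
        unsigned char c = pkt[4 + i];
        if (out_cap - j < (c == '\n' ? 2u : 1u))  /* LF expands to CR LF */
            return MOTD_TOO_BIG;
        if (c == '\n')
            out[j++] = '\r';
        out[j++] = (char)c;
    }
    *out_len = j;                   /* caller writes out[0..j) to motd.txt */
    return MOTD_OK;
}

int main(void)
{
    /* Constructed sample packets, not captured traffic. */
    const uint8_t ok[]  = { 3, 0, 0, 0, 'a', '\n', 'b' };
    const uint8_t bad[] = { 0xff, 0xff, 0xff, 0xff, 'a' };
    char out[16];
    size_t n = 0;
    printf("admin, valid:  %d\n", motd_prepare(ok, sizeof ok, 1, out, sizeof out, &n));
    printf("non-admin:     %d\n", motd_prepare(ok, sizeof ok, 0, out, sizeof out, &n));
    printf("length > data: %d\n", motd_prepare(bad, sizeof bad, 1, out, sizeof out, &n));
    return 0;
}
```

The file is only opened after motd_prepare returns MOTD_OK, so a rejected request leaves the existing motd.txt untouched.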

