Buffer-overflow in recvTextMessage and NETrecvFile in Warzone Resurrection 2.0.3 (SVN 127)

2006.07.27
Risk: High
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

####################################################################### Luigi Auriemma Application: Warzone Resurrection http://home.gna.org/warzone/ (Warzone 2100 http://www.strategyplanet.com/warzone2100/) Versions: <= 2.0.3 and SVN <= 127 Platforms: Windows, *nix, *BSD and others Bug: A] buffer-overflow in recvTextMessage B] buffer-overflow in NETrecvFile Exploitation: A] remote, versus server B] remote, versus client Date: 22 Jul 2006 Author: Luigi Auriemma e-mail: aluigi (at) autistici (dot) org [email concealed] web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Warzone 2100 is a well known commercial game developed by Pumpkin Studios and released under the GPL license at the end of 2004. Warzone Resurrection is the project which continues the development and the maintaining of this game. ####################################################################### ====== 2) Bug ====== ------------------------------------- A] buffer-overflow in recvTextMessage ------------------------------------- recvTextMessage is the function used by the server for handling the text messages sent by the clients. This function uses the msg buffer, which has a size of 256 (MAX_CONSOLE_STRING_LENGTH) bytes, for containing the entire message to send to all the other clients using the following format: player_name : message The size of the data block can be max 8000 (MaxMsgSize) bytes so an attacker can cause a buffer-overflow for crashing the server or executing malicious code. From src/multiplay.c: BOOL recvTextMessage(NETMSG *pMsg) { DPID dpid; UDWORD i; STRING msg[MAX_CONSOLE_STRING_LENGTH]; NetGet(pMsg,0,dpid); for(i = 0; NetPlay.players[i].dpid != dpid; i++); //findplayer strcpy(msg,NetPlay.players[i].name); // name strcat(msg," : "); // seperator strcat(msg, &(pMsg->body[4])); ... --------------------------------- B] buffer-overflow in NETrecvFile --------------------------------- The NETrecvFile function used by the clients for downloading remote files is affected by a buffer-overflow caused by the copying of a string of max 255 bytes in the fileName buffer of only 128 bytes. From lib/netplay/netplay.c: UBYTE NETrecvFile(NETMSG *pMsg) { UDWORD pos, fileSize, currPos, bytesRead; char fileName[128]; unsigned int len; static PHYSFS_file *pFileHandle; //read incoming bytes. NetGet(pMsg,0,fileSize); NetGet(pMsg,4,bytesRead); NetGet(pMsg,8,currPos); // read filename len = (unsigned int)(pMsg->body[12]); memcpy(fileName,&(pMsg->body[13]),len); ... ####################################################################### =========== 3) The Code =========== A] modify sendTextMessage using a message of more than 256 bytes B] modify sendMap using a map of more than 128 bytes ####################################################################### ====== 4) Fix ====== SVN 128 ####################################################################### --- Luigi Auriemma http://aluigi.org http://mirror.aluigi.org


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top