#######################################################################
Luigi Auriemma
Application: Toribash
http://www.toribash.com
Versions: <= 2.71
Platforms: Windows, Mac and Linux
Bugs:         A] dedicated server format string
              B] client commands buffer-overflow
              C] client unicode buffer-overflow in the SAY command
              D] server crash through uninitialized values
              E] line-feed dropping
              F] Windows dedicated server hell bell
              G] clients kicked by malformed packet
Exploitation: A, D and F versus server
              B locally versus clients
              all the others remotely versus clients using servers as
              "bridge" for the attacks (the attacker acts as a client)
Date: 17 Aug 2007
Author: Luigi Auriemma
e-mail: aluigi (at) autistici (dot) org
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Toribash is a turn-based multiplayer game in which two players fight
using violent puppets.
The game servers naturally support spectators, and there are official
and non-official leagues and championships for this game, as well as
some mods for emulating specific martial arts.
#######################################################################
=======
2) Bugs
=======
---------------------------------
A] dedicated server format string
---------------------------------
A format string vulnerability is triggered when a client enters the
match: on that occasion a string containing
"BOUT ID; 1 0 0 0 0 0 NICKNAME 0" is passed directly to vfprintf() as
the format argument, so the nickname of the client, limited to 32
chars, can be used by an attacker to supply format specifiers.
----------------------------------
B] client commands buffer-overflow
----------------------------------
A buffer-overflow is located in the client's function which reads the
game commands.
The problem is caused by a call to sscanf() with the format string
"%s %i" and an output buffer of about 256 bytes: "%s" has no width
limit, so a longer command token runs past the buffer.
This bug can be exploited in two different ways:
- locally, using a malicious replay file (*.rpl)
- remotely, through a malicious server controlled by the attacker
Replays are an essential component of the game since they are widely
used for recording and watching the best matches.
The other way of exploiting the bug is not very realistic since there
is no master server for making one's own server public to anyone.
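The bounded parser a practitioner would put in place of that sscanf()
call, shown beside the unbounded "%s %i" pattern and run over a
constructed replay-style buffer. This is an added example, not
Toribash code: CMD_MAX, the command names, the return codes and the
replay contents are assumptions.

```c
/* Added example, not Toribash code: the unbounded "%s %i" pattern from
 * bug B beside a bounded parser, run over a constructed replay-style
 * buffer.  Command names, sizes and the replay content are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define CMD_MAX 256   /* assumed size of the client's command buffer */

/* Vulnerable pattern: "%s" has no width limit, so a token of CMD_MAX or
 * more chars runs past cmd[].  Never call this with untrusted input; it
 * is here only to show the shape of the bug. */
int parse_cmd_unsafe(const char *line, int *arg)
{
    char cmd[CMD_MAX];
    return sscanf(line, "%s %i", cmd, arg) == 2 ? 0 : -1;
}

/* Hardened parser: the command token is length-checked before it is
 * copied and the integer is parsed with strtol() (base 0 gives the same
 * decimal/octal/hex behaviour as "%i") so that trailing garbage is
 * rejected instead of silently ignored.  Returns 0 on success, -1 on a
 * malformed line, -2 on an over-long command token. */
int parse_cmd_safe(const char *line, char *cmd, size_t cmdsz, int *arg)
{
    size_t toklen = strcspn(line, " \t\r\n");
    if (toklen == 0) return -1;
    if (toklen >= cmdsz) return -2;           /* would not fit with the NUL */
    memcpy(cmd, line, toklen);
    cmd[toklen] = '\0';

    const char *p = line + toklen;
    while (*p == ' ' || *p == '\t') p++;
    if (*p == '\0' || *p == '\n') return -1;  /* missing integer argument */

    char *end;
    errno = 0;
    long v = strtol(p, &end, 0);
    if (end == p || errno != 0) return -1;
    while (*end == ' ' || *end == '\t' || *end == '\r') end++;
    if (*end != '\0' && *end != '\n') return -1;
    *arg = (int)v;
    return 0;
}

/* Walk a replay-style buffer (one command per line) and count how many
 * lines the hardened parser rejects for being over-long; accepted lines
 * are counted through *accepted.  Malformed-but-short lines are ignored. */
int count_rejected_lines(const char *replay, int *accepted)
{
    int rejected = 0;
    *accepted = 0;
    const char *p = replay;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[8192];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';

        char cmd[CMD_MAX];
        int arg;
        int rc = parse_cmd_safe(line, cmd, sizeof cmd, &arg);
        if (rc == 0) (*accepted)++;
        else if (rc == -2) rejected++;

        if (!nl) break;
        p = nl + 1;
    }
    return rejected;
}

/* Constructed replay: the third line carries a 300-char command token,
 * the case that would overflow cmd[CMD_MAX] in parse_cmd_unsafe(). */
size_t build_replay(char *out, size_t outsz)
{
    size_t n = (size_t)snprintf(out, outsz, "NEWGAME 0\nTURN 10\n");
    for (size_t i = 0; i < 300 && n + 1 < outsz; i++) out[n++] = 'A';
    n += (size_t)snprintf(out + n, outsz - n, " 1\nTURN 20\n");
    return n;
}

int main(void)
{
    char replay[1024];
    build_replay(replay, sizeof replay);
    int accepted;
    int rejected = count_rejected_lines(replay, &accepted);
    printf("accepted %d, rejected as over-long %d\n", accepted, rejected);
    return 0;
}
```

The same check applies to the network path: whether a line comes from a
*.rpl file or from a server, the token length is validated before any
copy, and a width-limited "%255s" would be the minimal sscanf()-only fix.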
----------------------------------------------------
C] client unicode buffer-overflow in the SAY command
----------------------------------------------------
This problem is directly related to bug E.
As explained there, that bug forces the server to send commands without
the final line-feed, so the client does not process them until this
char is received.
An attacker can use the same bug to concatenate two or more commands
(still using the server as a "bridge"): in the case of the SAY command
the server sends at most 512 bytes of data for this command, and a
unicode buffer-overflow happens in the client if it receives a SAY of
over 1024 chars.
The only limitation is that the attacker (client) does not seem able
to control the return address, because it is overwritten by the
subsequent command sent by the server:
  SAY 0;nick: aaa...aaa??@SAY 0;nick: aaa...aaa??@COMMAND
  first 512 bytes         second 512 bytes        subsequent command
The other possibility for exploiting this bug is naturally by
controlling a server, in which case it is possible to overwrite the
return address with our unicode chars, but as already written for the
previous bug that is not a realistic way.
--------------------------------------------
D] server crash through uninitialized values
--------------------------------------------
When a client joins a server an ID of -1 is assigned to it and no data
is allocated for it until the ENTER command is received.
An attacker can join a server and send the GRIP command with the ID set
to -1, forcing the server to handle it (since the ID matches the one
assigned to the client), but the structure which should receive the
values sent by the client is still NULL, so the server ends up in the
following situation:
  sscanf("0 0\n", "%i %i", &client.integer1, &client.integer2);
where "0 0\n" is the second part of the GRIP command sent by the client
("GRIP -1;0 0\n") while client.integer1 points to 0x000030d0 and
client.integer2 to 0x000030d4: the structure which should contain them
is a NULL pointer, so those addresses are just the field offsets, and
the write crashes the server.
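A client table with the same life cycle (state allocated only on ENTER)
and a GRIP handler that validates the slot before sscanf() writes
through it, as an added example that is not Toribash code. The names,
the slot layout, the return codes and the "GRIP -1;0 0\n" message are
assumptions modelled on the description above.

```c
/* Added example, not Toribash code: per-client state allocated on ENTER,
 * an id check with the shape of bug D, and a GRIP handler that refuses
 * the request instead of writing through a NULL state pointer.  Names,
 * layout and messages are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CLIENTS 8

struct client_state {
    int grip_left;    /* the two integers written by the GRIP handler */
    int grip_right;
};

struct client {
    int id;                       /* -1 until ENTER assigns a real id */
    struct client_state *state;   /* NULL until ENTER allocates it    */
};

static struct client clients[MAX_CLIENTS];

void reset_clients(void)
{
    for (int i = 0; i < MAX_CLIENTS; i++) {
        clients[i].id = -1;
        free(clients[i].state);
        clients[i].state = NULL;
    }
}

/* ENTER: allocate the state and give the slot a real id. */
int handle_enter(int slot)
{
    if (slot < 0 || slot >= MAX_CLIENTS) return -1;
    if (!clients[slot].state) {
        clients[slot].state = calloc(1, sizeof *clients[slot].state);
        if (!clients[slot].state) return -1;
    }
    clients[slot].id = slot;
    return 0;
}

/* Buggy check: trusts the id from the wire as long as it equals the
 * slot's id field, which for a fresh connection is -1.  A peer sending
 * "GRIP -1;..." therefore passes the check with state == NULL, and the
 * following sscanf() writes to the field offsets (0x30d0, 0x30d4). */
int id_check_unsafe(int slot, int id)
{
    return clients[slot].id == id;
}

/* Hardened lookup: the id must be a real, non-negative id that belongs
 * to the requesting slot, and the slot must have completed ENTER. */
struct client_state *lookup_safe(int slot, int id)
{
    if (slot < 0 || slot >= MAX_CLIENTS) return NULL;
    if (id < 0 || id != clients[slot].id) return NULL;
    return clients[slot].state;   /* NULL if ENTER never ran */
}

/* Parse "GRIP <id>;<left> <right>\n" received from `slot`.
 * Returns 0 on success, -1 if the id is rejected, -2 if the body is bad. */
int handle_grip(int slot, const char *msg)
{
    int id;
    int consumed = 0;
    if (sscanf(msg, "GRIP %i;%n", &id, &consumed) != 1 || consumed == 0)
        return -2;
    struct client_state *st = lookup_safe(slot, id);
    if (!st) return -1;                 /* id -1 / not entered: refused */
    int l, r;
    if (sscanf(msg + consumed, "%i %i", &l, &r) != 2) return -2;
    st->grip_left = l;
    st->grip_right = r;
    return 0;
}

int main(void)
{
    reset_clients();
    printf("unsafe check accepts id -1: %d\n", id_check_unsafe(0, -1));
    printf("before ENTER: %d\n", handle_grip(0, "GRIP -1;0 0\n"));
    handle_enter(0);
    printf("after ENTER:  %d\n", handle_grip(0, "GRIP 0;1 2\n"));
    reset_clients();
    return 0;
}
```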
---------------------
E] line-feed dropping
---------------------
The protocol used by Toribash is composed of commands delimited by
line-feed chars, like common telnet connections.
An attacker can block the clients playing on the server simply by
sending a chat message (or possibly other commands) which forces the
server to send only part of the incoming data to the other clients: in
the case of the SAY command it automatically limits the outgoing data
to max 512 bytes but forgets to add the line-feed char the client needs
to handle the received command.
The effect of this problem is that the clients remain frozen until a
line-feed is received.
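A small model of the relay and of the client's line reader, covering
both bug E (the 512-byte truncation that drops the '\n') and bug C (the
two fragments and the following command fusing into one over-long
line). This is an added example, not Toribash code; the limits (512 and
1024), the message layout and the function names are assumptions, and
the reader shown bounds the line it accumulates instead of overflowing.

```c
/* Added example, not Toribash code: a line-delimited relay and the
 * client-side line reader it feeds.  relay_say_buggy() reproduces bug E,
 * run_scenario(0, ...) shows the fragments of bug C fusing, and
 * relay_say_fixed() plus the bounded reader are the corrected forms.
 * The limits, layout and names are assumptions. */
#include <stdio.h>
#include <string.h>

#define SAY_OUT_MAX  512    /* assumed cap on a relayed SAY command     */
#define LINE_MAX_IN  1024   /* assumed size of the client's line buffer */

/* Buggy relay: copies at most SAY_OUT_MAX bytes of the incoming SAY;
 * when the input was longer, the trailing '\n' is lost. */
size_t relay_say_buggy(const char *in, char *out, size_t outsz)
{
    size_t n = strlen(in);
    if (n > SAY_OUT_MAX) n = SAY_OUT_MAX;
    if (n >= outsz) n = outsz - 1;
    memcpy(out, in, n);
    out[n] = '\0';
    return n;
}

/* Fixed relay: truncates the payload to SAY_OUT_MAX - 1 bytes and always
 * terminates the command with exactly one '\n'. */
size_t relay_say_fixed(const char *in, char *out, size_t outsz)
{
    size_t n = strcspn(in, "\n");          /* payload without terminator */
    if (n > SAY_OUT_MAX - 1) n = SAY_OUT_MAX - 1;
    if (n + 1 >= outsz) n = outsz - 2;
    memcpy(out, in, n);
    out[n] = '\n';
    out[n + 1] = '\0';
    return n + 1;
}

/* Client-side reader.  Bytes accumulate in `line` until a '\n' arrives;
 * a line longer than LINE_MAX_IN bytes is discarded and the reader
 * resynchronises at the next '\n' instead of overflowing. */
struct line_reader {
    char line[LINE_MAX_IN + 1];
    size_t len;
    int overflow;        /* set while discarding an over-long line */
    int completed;       /* complete lines delivered               */
    int dropped;         /* over-long lines discarded              */
};

void reader_init(struct line_reader *r) { memset(r, 0, sizeof *r); }

/* Feed `n` bytes; returns how many complete lines were delivered. */
int reader_feed(struct line_reader *r, const char *buf, size_t n)
{
    int delivered = 0;
    for (size_t i = 0; i < n; i++) {
        char c = buf[i];
        if (c == '\n') {
            if (r->overflow) { r->dropped++; r->overflow = 0; }
            else { r->line[r->len] = '\0'; r->completed++; delivered++; }
            r->len = 0;
            continue;
        }
        if (r->overflow) continue;
        if (r->len >= LINE_MAX_IN) {      /* would not fit: start dropping */
            r->overflow = 1;
            r->len = 0;
            continue;
        }
        r->line[r->len++] = c;
    }
    return delivered;
}

struct scenario_result {
    int completed;
    int dropped;
    size_t pending_after_first;    /* bytes stuck in the reader, bug E */
    size_t pending_after_second;   /* the two fused fragments, bug C   */
};

/* Two 600-byte SAYs (constructed here) go through the relay, followed by
 * the next unrelated command the server sends. */
void run_scenario(int use_fixed, struct scenario_result *res)
{
    char say[602];
    memset(say, 'a', 600);
    memcpy(say, "SAY 0;nick: ", 12);
    say[600] = '\n';
    say[601] = '\0';

    char out[SAY_OUT_MAX + 1];
    struct line_reader r;
    reader_init(&r);
    memset(res, 0, sizeof *res);

    size_t n = use_fixed ? relay_say_fixed(say, out, sizeof out)
                         : relay_say_buggy(say, out, sizeof out);
    reader_feed(&r, out, n);
    res->pending_after_first = r.len;

    n = use_fixed ? relay_say_fixed(say, out, sizeof out)
                  : relay_say_buggy(say, out, sizeof out);
    reader_feed(&r, out, n);
    res->pending_after_second = r.len;

    static const char next[] = "COMMAND\n";
    reader_feed(&r, next, sizeof next - 1);

    res->completed = r.completed;
    res->dropped = r.dropped;
}

int main(void)
{
    struct scenario_result res;
    run_scenario(0, &res);
    printf("buggy relay: pending %zu then %zu, completed %d, dropped %d\n",
           res.pending_after_first, res.pending_after_second,
           res.completed, res.dropped);
    run_scenario(1, &res);
    printf("fixed relay: completed %d, dropped %d\n", res.completed, res.dropped);
    return 0;
}
```

With the buggy relay the reader holds 512 bytes after the first SAY (the
freeze of bug E), 1024 after the second, and the "COMMAND" that follows
pushes the fused line past 1024 bytes, which the original client would
overflow and the bounded reader discards. With the fixed relay all three
lines complete and nothing is dropped.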
-------------------------------------
F] Windows dedicated server hell bell
-------------------------------------
This type of Denial of Service could seem like a joke but it works
terribly well.
The problem with the dedicated server is that it shows tons of
information in the console, and clients can force the server to show as
many chars as they want using some specific commands.
These chars are not filtered, so an attacker can send many invalid
chars (max 4096, line-feed included) like the bell 0x07 to freeze the
Windows dedicated server through the bell played by the console.
The effects are slowness of the entire system, the complete freezing of
the game server and the PC speaker yelling like a damned soul.
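Bugs A and F share the same output path, client-controlled text written
to the server console, so one added example covers both: the
client-nickname-as-format pattern of bug A beside a builder that uses a
fixed format string, and a filter that replaces control characters such
as the bell before they reach the console. This is not Toribash code;
the "BOUT ..." layout is taken from bug A above, while the function
names, the 32-char truncation and the replacement character are
assumptions.

```c
/* Added example, not Toribash code: the console output path shared by
 * bugs A and F.  announce_bout_unsafe() has the shape of the format
 * string bug; announce_bout() formats with a fixed format string and
 * passes the nickname as data after console_sanitize() has replaced
 * control characters such as the bell (0x07).  The "BOUT ..." layout is
 * from the advisory; names and limits are assumptions. */
#include <stdio.h>
#include <stdarg.h>
#include <string.h>

#define NICK_MAX 32

static void log_console(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vfprintf(stdout, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern: the already-built line is used as the format
 * string, so '%' sequences inside the nickname are interpreted by
 * vfprintf().  Shown for comparison only; never feed it untrusted nicks. */
void announce_bout_unsafe(int id, const char *nick)
{
    char line[128];
    snprintf(line, sizeof line, "BOUT %d; 1 0 0 0 0 0 %s 0\n", id, nick);
    log_console(line);              /* BUG: nick-controlled format string */
}

/* Replace every control byte (0x00-0x1f, 0x7f) with '?' in place, so the
 * bell, backspace, escape etc. never reach the console.  Bytes >= 0x80
 * are left alone so that non-ASCII nicknames survive.  Returns the
 * number of bytes replaced. */
int console_sanitize(char *s)
{
    int replaced = 0;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c < 0x20 || c == 0x7f) { *s = '?'; replaced++; }
    }
    return replaced;
}

/* Safe announcement: fixed format, nickname passed as a %s argument,
 * truncated to NICK_MAX bytes and stripped of control characters.  The
 * final line is also written to `out` so that it can be checked; returns
 * its length. */
int announce_bout(int id, const char *nick, char *out, size_t outsz)
{
    char safe[NICK_MAX + 1];
    snprintf(safe, sizeof safe, "%s", nick);     /* bounded copy */
    console_sanitize(safe);
    int n = snprintf(out, outsz, "BOUT %d; 1 0 0 0 0 0 %s 0\n", id, safe);
    log_console("%s", out);                      /* fixed format string */
    return n;
}

int main(void)
{
    char line[160];
    /* a nick carrying format specifiers and two bell characters */
    announce_bout(1, "%x%x%n\x07\x07", line, sizeof line);
    return 0;
}
```

Passing the line through "%s" is what closes bug A; the byte filter is
what closes bug F, and it has to run on every client-supplied string
that is echoed to the console, not only on nicknames.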
-------------------------------------
G] clients kicked by malformed packet
-------------------------------------
If an attacker joins the match (ENTER command) and sends a too-long
emote or SPEC command to a server, all the clients playing in it are
disconnected with the "malformed packet" message.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/toribashish.zip
#######################################################################
======
4) Fix
======
Vulnerability E and a variant of C were reported to the developers in
October 2006. I understand that they are not code execution bugs and I
considered them low priority at that time, but in all the versions
released since then they have never been fixed.
#######################################################################
---
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org