#######################################################################

                             Luigi Auriemma

Application:  FlatFrag
              http://www.tzi.de/~jfk/projects/flatfrag/
Versions:     <= 0.3
Platforms:    Windows, Linux and more
Bugs:         A] buffer-overflow
              B] NULL pointer crash
Exploitation: remote, versus server
Date:         02 Nov 2005
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


FlatFrag is an open source multiplayer action shooter game developed by
Johannes Kuhlmann.


#######################################################################

=======
2) Bugs
=======

------------------
A] buffer-overflow
------------------

The receiver() function in server/loop.c contains 3 buffer overflows
caused by the use of strcpy() to copy the version, the name and the
model sent by the client into 3 buffers of 64, 32 and 32 bytes
respectively.


---------------------
B] NULL pointer crash
---------------------

When the server receives the NT_CONN_OK command from an unconnected
client, it calls net_on_receive(NULL, NULL), a function pointer that
reads the data contained in the stream passed as its second argument.
The problem is simply the NULL pointers passed to the function, which
lead to the immediate crash of the server.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/flatfragz.zip


#######################################################################

======
4) Fix
======


No fix.
The bugs will be patched in the next version.


#######################################################################
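
Added example, not part of the original advisory and not FlatFrag's own code: one way to replace the strcpy() calls of bug A with length-checked copies into the 64, 32 and 32 byte buffers, plus a NULL guard for the call described in bug B. The struct, the function names and the packet layout (three consecutive NUL-terminated strings) are assumptions.

```c
#include <stddef.h>
#include <string.h>
/* Buffer sizes are the ones the advisory states; all names are hypothetical. */
struct client_info { char version[64]; char name[32]; char model[32]; };
typedef void (*receive_cb)(void *conn, void *stream);

/* Copy one string out of the packet; the terminator is searched within src_max
 * bytes only. Returns 0, or -1 if the string is unterminated or too long. */
static int copy_field(char *dst, size_t dst_size, const char *src, size_t src_max)
{
    const char *end = memchr(src, '\0', src_max);
    size_t len;
    if (end == NULL)
        return -1;
    len = (size_t)(end - src);
    if (len >= dst_size)            /* no room for string plus terminator */
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Assumed layout: version, name and model as consecutive NUL-terminated
 * strings. *ci is written only when all three fields are valid. */
int parse_hello(struct client_info *ci, const char *pkt, size_t pkt_len)
{
    struct client_info tmp = { "", "", "" };
    char *dst[3] = { tmp.version, tmp.name, tmp.model };
    size_t cap[3] = { sizeof tmp.version, sizeof tmp.name, sizeof tmp.model };
    size_t off = 0;
    int i;
    if (ci == NULL || pkt == NULL)
        return -1;
    for (i = 0; i < 3; i++) {
        if (copy_field(dst[i], cap[i], pkt + off, pkt_len - off) != 0)
            return -1;              /* reject the packet, never truncate */
        off += strlen(dst[i]) + 1;
    }
    *ci = tmp;
    return 0;
}

/* Bug B guard: refuse to invoke the receive callback with NULL arguments. */
int dispatch_receive(receive_cb cb, void *conn, void *stream)
{
    if (cb == NULL || conn == NULL || stream == NULL)
        return -1;
    cb(conn, stream);
    return 0;
}
```

Oversized or unterminated fields cause the whole packet to be rejected, so the stored client data is never left half-written.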