#######################################################################

                             Luigi Auriemma

Application:  Freeciv
              http://www.freeciv.org
Versions:     <= 2.2.1
Platforms:    Windows, Linux, MacOSX
Bugs:         A] malloc exception
              B] endless loop
Exploitation: remote, versus server
Date:         03 Jul 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Freeciv is an open source clone of the Civilization game.

#######################################################################

=======
2) Bugs
=======

-------------------
A] malloc exception
-------------------

Freeciv supports a particular type of packet, called a "jumbo" packet,
that is used to identify compressed streams.
In common/packets.c we find the following instructions:

  if (len_read == JUMBO_SIZE) {
    compressed_packet = TRUE;
    header_size = 6;
    if (dio_input_remaining(&din) >= 4) {
      dio_get_uint32(&din, &whole_packet_len);
  ...
    uLong compressed_size = whole_packet_len - header_size;
  ...
    unsigned long int decompressed_size = 100 * compressed_size;
    void *decompressed = fc_malloc(decompressed_size);

So if the 32-bit whole_packet_len value stored in the packet is less
than 6 (header_size), the unsigned subtraction wraps around (a negative
difference interpreted as an unsigned value) and the server tries to
allocate an amount of memory that is 100 times that wrapped number.
The result is the termination of the server:

  0: Detected fatal error in ../../utility/mem.c line 41:
  0: Out of memory trying to malloc 4294966696 bytes at line 373 of ../../common/packets.c.
  Assertion failed: FALSE, file ../../utility/shared.c, line 758

---------------
B] endless loop
---------------

The packets PACKET_PLAYER_INFO, PACKET_GAME_INFO,
PACKET_EDIT_PLAYER_CREATE, PACKET_EDIT_PLAYER_REMOVE, PACKET_EDIT_CITY
and PACKET_EDIT_PLAYER use some particular functions that can be
tricked into an endless loop that freezes the server with the CPU at
100%.

Neither problem has any requirements, because both can be exploited in
the pre-auth/pre-join stage.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/freecivet.zip

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
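The following is an added example for bug A above; it is not part of the advisory and is not Freeciv's own code. It models the unsigned subtraction and the 100x multiplication from the quoted packets.c fragment with 32-bit unsigned arithmetic (uLong is 32 bits on 32-bit builds, which is the width under which a zero length field yields exactly the 4294966696 bytes quoted in the crash output), and beside it shows the length validation a hardened parser applies before any subtraction or multiplication. The 6-byte jumbo header comes from the advisory; MAX_WHOLE_PACKET_LEN, the function names, the UINT32_MAX sentinel and the big-endian encoding of the length field are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* From the advisory: a jumbo packet has a 6-byte header (2-byte JUMBO_SIZE
 * marker followed by the 4-byte whole_packet_len). */
#define JUMBO_HEADER_SIZE 6u
/* Hypothetical upper bound on a whole packet; Freeciv's real limit is not
 * stated on the page, so this value is an assumption for the example. */
#define MAX_WHOLE_PACKET_LEN (1u << 20)

/* Model of the vulnerable computation using 32-bit unsigned arithmetic.
 * Returns the byte count that would be handed to fc_malloc(). */
uint32_t vulnerable_alloc_size(uint32_t whole_packet_len)
{
    uint32_t compressed_size = whole_packet_len - JUMBO_HEADER_SIZE; /* wraps when len < 6 */
    return (uint32_t)(100u * compressed_size);                       /* wraps again */
}

enum jumbo_status {
    JUMBO_OK = 0,
    JUMBO_TRUNCATED,     /* fewer than 4 bytes available for the length field */
    JUMBO_LEN_TOO_SMALL, /* whole_packet_len < header: subtraction would wrap */
    JUMBO_LEN_TOO_LARGE  /* exceeds the configured maximum */
};

/* Hardened variant: parse the (assumed big-endian) length that follows the
 * jumbo marker and reject it before subtracting or multiplying.
 * `avail` is the number of bytes available after the 2-byte marker. */
enum jumbo_status check_jumbo_len(const unsigned char *p, size_t avail,
                                  uint32_t *compressed_size,
                                  uint32_t *decompressed_cap)
{
    if (avail < 4)
        return JUMBO_TRUNCATED;
    uint32_t whole_packet_len = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                                ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    if (whole_packet_len < JUMBO_HEADER_SIZE)
        return JUMBO_LEN_TOO_SMALL;       /* the advisory's trigger condition */
    if (whole_packet_len > MAX_WHOLE_PACKET_LEN)
        return JUMBO_LEN_TOO_LARGE;
    *compressed_size = whole_packet_len - JUMBO_HEADER_SIZE; /* cannot wrap now */
    /* Bounded by 100 * MAX_WHOLE_PACKET_LEN, which fits in 32 bits. */
    *decompressed_cap = 100u * *compressed_size;
    return JUMBO_OK;
}

/* Self-check helper: encode `len` big-endian and run the hardened check
 * with `avail` bytes visible. */
enum jumbo_status check_encoded_len(uint32_t len, size_t avail)
{
    unsigned char buf[4] = { (unsigned char)(len >> 24), (unsigned char)(len >> 16),
                             (unsigned char)(len >> 8),  (unsigned char)len };
    uint32_t cs = 0, cap = 0;
    return check_jumbo_len(buf, avail, &cs, &cap);
}

/* Self-check helper: compressed size the hardened path derives from `len`,
 * or UINT32_MAX (sentinel) when the length is rejected. */
uint32_t hardened_compressed_size(uint32_t len)
{
    unsigned char buf[4] = { (unsigned char)(len >> 24), (unsigned char)(len >> 16),
                             (unsigned char)(len >> 8),  (unsigned char)len };
    uint32_t cs = 0, cap = 0;
    return check_jumbo_len(buf, 4, &cs, &cap) == JUMBO_OK ? cs : UINT32_MAX;
}

int main(void)
{
    /* Constructed sample values: a zero length field and a sane 32-byte one. */
    printf("vulnerable path with len=0 would malloc %u bytes\n", vulnerable_alloc_size(0));
    printf("hardened check for len=0 returns status %d\n", check_encoded_len(0, 4));
    printf("hardened check for len=32 returns status %d, compressed_size=%u\n",
           check_encoded_len(32, 4), hardened_compressed_size(32));
    return 0;
}
```

The vulnerable model only reproduces the arithmetic; the hardened check is the point: reject the length field while it is still a plain integer, then bound the 100x growth before it becomes an allocation size.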