#######################################################################

                             Luigi Auriemma

Application:  Genecys
              http://www.genecys.org
Versions:     <= 0.2 and current CVS
Platforms:    *nix and *BSD
Bugs:         A] tell_player_surr_changes buffer-overflow
              B] parse_command NULL pointer crash
Exploitation: remote, versus server
Date:         12 May 2006
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Genecys is an open source MMORPG project.

#######################################################################

=======
2) Bugs
=======

-------------------------------------------
A] tell_player_surr_changes buffer-overflow
-------------------------------------------

The function tell_player_surr_changes is affected by a buffer-overflow
which could allow an attacker to execute malicious code.
The problem is caused by the use of sprintf and strcat on fixed
256-byte stack buffers: the object fields (name, name_pl, model and so
on) are formatted and appended without any length check.

From server/player.c:

int tell_player_surr_changes(event_t *event)
{
    pl_known_t *known, *knext;
    object_t *obj;
    char buf[256], buf2[256],b2[40];

    obj = event->initiator;
    for (known=TAILQ_FIRST(&obj->pl->known); known != NULL; known = knext) {
        knext = TAILQ_NEXT(known, next);

        if (!event->action)
            known->lu--;

        if (known->bits > 0) {
            /* no bounds checking on any of the following writes */
            sprintf(buf, "chob id:%s", uid_sprint(b2, &known->uid));
            if (known->bits & PLKN_NROF) {
                sprintf(buf2, " nrof:%d", known->nrof);
                strcat(buf, buf2);
            }
            if (known->bits & PLKN_STATE) {
                sprintf(buf2, " st:%d", known->state);
                strcat(buf, buf2);
            }
            if (known->bits & PLKN_NAME) {
                sprintf(buf2, " nm:\"%s\"", known->name);
                strcat(buf, buf2);
            }
            if (known->bits & PLKN_NAMEPL) {
                sprintf(buf2, " nmp:\"%s\"", known->name_pl);
                strcat(buf, buf2);
            }
            if (known->bits & PLKN_MODEL) {
                sprintf(buf2, " mdl:\"%s\"", known->model);
                strcat(buf, buf2);
            }
            ...
Note: it has not been possible to test this bug in practice due to some
problems while running my test server.

-----------------------------------
B] parse_command NULL pointer crash
-----------------------------------

The function which parses the commands sent by the client doesn't check
the return value of the strchr call used to split each command from its
value (CMD:VAL). If the attacker doesn't use the ':' char, strchr
returns NULL and the server crashes when that NULL pointer is
incremented and accessed.

From common/netparser.c:

pargs_t *parse_command(char **words, int *command, int count)
{
    argtable_t *asp, dummy;
    char *cp, *tmp, *p;
    size_t span;
    ...
    args = safer_malloc(sizeof(pargs_t)*numargs);
    cur = 0;
    for (i=1; i < count && words[i] != NULL && *words[i]; i++) {
        span = strcspn(words[i], ":");
        tmp = strchr(words[i], ':');   /* NULL when ':' is absent */
        tmp++;                         /* unchecked: NULL + 1 */
        ...

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/genecysbof.zip

#######################################################################

======
4) Fix
======

No fix.
No reply from the developers... the game seems no longer supported.

#######################################################################
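Since no vendor fix exists, the following is an added illustration (not Genecys code) of how both patterns above would be written defensively: a CMD:VAL splitter that checks the strchr result before using it, and a bounded append that replaces the sprintf/strcat chain of tell_player_surr_changes. The function names, the "uid"/"name"/"nrof" parameters and the sample inputs are assumptions chosen for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Bug B, hardened: split "CMD:VAL" without dereferencing a NULL strchr()
 * result. Returns 1 on success, 0 when ':' is missing or CMD is too long. */
int split_cmd_val(const char *word, char *cmd, size_t cmdsz, const char **val)
{
    const char *sep = strchr(word, ':');
    if (sep == NULL)                 /* the case parse_command never checks */
        return 0;
    size_t span = (size_t)(sep - word);
    if (span >= cmdsz)               /* command name would not fit cmd[] */
        return 0;
    memcpy(cmd, word, span);
    cmd[span] = '\0';
    *val = sep + 1;
    return 1;
}

/* Bug A, hardened: bounded append replacing sprintf()+strcat().
 * buf must be NUL-terminated; bufsz is its total size.
 * Returns 1 on success, 0 if the output had to be truncated. */
int append_fmt(char *buf, size_t bufsz, const char *fmt, ...)
{
    size_t used = strlen(buf);
    if (used >= bufsz)
        return 0;
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf + used, bufsz - used, fmt, ap);
    va_end(ap);
    return n >= 0 && (size_t)n < bufsz - used;
}

/* Builds a "chob" change line like tell_player_surr_changes does, but the
 * buffer can never overflow; a too-long name yields a truncated line and 0.
 * uid/name/nrof are constructed stand-ins for the pl_known_t fields. */
int build_chob(char *buf, size_t bufsz, const char *uid, const char *name, int nrof)
{
    buf[0] = '\0';
    int ok = append_fmt(buf, bufsz, "chob id:%s", uid);
    ok &= append_fmt(buf, bufsz, " nrof:%d", nrof);
    ok &= append_fmt(buf, bufsz, " nm:\"%s\"", name);
    return ok;
}
```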