#######################################################################

                             Luigi Auriemma

Application:  Kaillera
              http://www.kaillera.com
Versions:     <= 0.86
Platforms:    Windows, Linux and FreeBSD
Bug:          buffer-overflow
Exploitation: remote, versus server
Date:         06 Jul 2006
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Kaillera is a middleware software for implementing network capabilities
in emulators like MAME, MameLang32+, Bliss, NESten, Jnes, Nemu64,
Modeler, Gens, WinUAE, PCAE, Kawaks and possibly others.
Although the latest server's version has been released over 4 years
ago, it's still widely used, as demonstrated by the online server lists.

#######################################################################

======
2) Bug
======

The handling of almost all the Kaillera messages is made through the
reading of the first NULL-terminated string and the subsequent reading
of the remaining data in the message (its content will be parsed in
another step).
For these operations Kaillera uses a static buffer of 32 bytes and a
data buffer which is reallocated every time the size of the client
message is bigger than the currently allocated size of the buffer.

The instructions which handle these types of messages start from about
offset 004019f1 of the Windows server 0.86:

  004019F1  |.  33C9          XOR ECX,ECX
  004019F3  |.  8A06          MOV AL,BYTE PTR DS:[ESI]
  004019F5  |.  57            PUSH EDI
  004019F6  |.  84C0          TEST AL,AL
  004019F8  |.  74 0C         JE SHORT KAILLERA.00401A06
  004019FA  |>  46            /INC ESI
  004019FB  |.  88440B 04     |MOV BYTE PTR DS:[EBX+ECX+4],AL
  004019FF  |.  41            |INC ECX
  00401A00  |.  8A06          |MOV AL,BYTE PTR DS:[ESI]
  00401A02  |.  84C0          |TEST AL,AL
  00401A04  |.^ 75 F4         \JNZ SHORT KAILLERA.004019FA
  00401A06  |>  8B6C24 18     MOV EBP,DWORD PTR SS:[ESP+18]
  00401A0A  |.  C64419 04 00  MOV BYTE PTR DS:[ECX+EBX+4],0
  00401A0F  |.  2BE9          SUB EBP,ECX
  00401A11  |.  8BCB          MOV ECX,EBX
  00401A13  |.  83ED 02       SUB EBP,2
  00401A16  |.  55            PUSH EBP
  00401A17  |.  E8 D4FCFFFF   CALL KAILLERA.004016F0
  00401A1C  |.  8B7B 24       MOV EDI,DWORD PTR DS:[EBX+24]
  00401A1F  |.  8BCD          MOV ECX,EBP
  00401A21  |.  8BD1          MOV EDX,ECX
  00401A23  |.  46            INC ESI
  00401A24  |.  C1E9 02       SHR ECX,2
  00401A27  |.  F3:A5         REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>

which can be translated (more or less) in C like the following code:

  static char nick[32], *data;
  static int  data_alloc_size;
  ...
  int nick_size, data_size;

  /* copy the nickname up to its NUL terminator: there is no bound
     check against the 32-byte static buffer */
  for(nick_size = 0; *client_msg; nick_size++, client_msg++) {
      nick[nick_size] = *client_msg;
  }
  nick[nick_size] = 0;
  client_msg++;                     /* skip the NUL */

  /* size of the rest of the message, copied into the data buffer */
  data_size = (client_msg_size - nick_size) - 2;
  grow_data_buffer(data_size);      /* function at 004016f0 */
  memcpy(data, client_msg, data_size);
  ...

  /* function at offset 004016f0: reallocs data if needed */
  void grow_data_buffer(int size) {
      if(size <= data_alloc_size) return;   /* trusts data_alloc_size */
      do {
          data_alloc_size <<= 1;
      } while(size > data_alloc_size);
      data = realloc(data, data_alloc_size);
  }

If an attacker uses a nickname longer than 32 bytes he can overwrite
the address of the data buffer and the value in which its current
allocated size is stored; the following scheme shows that piece of
memory:

  ooooooooooooooooooooooooooooooooXXXXYYYY
  |                               |   |
  |                               |   amount of data currently allocated
  |                               pointer to the data buffer
  static buffer of 32 bytes

With the overwriting of YYYY we can bypass the first check made by the
function at offset 004016f0, which does a realloc of the buffer if
needed, since we control the current allocated size, and then we can
decide where the rest of our message is copied in the memory of the
server since the address of data XXXX is controlled by us too.
That leads to the possibility of executing malicious code.
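A bounded version of the same nick/data parsing, added here as an example and not taken from the Kaillera server; the names parse_client_msg, free_client_msg and struct kaillera_msg are hypothetical. It rejects nicks that would not fit the 32-byte buffer and derives every length from the received message length, never from the allocated-size field an oversized nick could overwrite.

```c
#include <stdlib.h>
#include <string.h>

#define NICK_MAX 32   /* same 32-byte nick buffer size as the server */

/* Hypothetical message layout for this example; not Kaillera's struct. */
struct kaillera_msg {
    char   nick[NICK_MAX];
    char  *data;      /* heap copy of the bytes after the nick's NUL */
    size_t data_len;
};

/* Parses one client message: NUL-terminated nick, then raw data.
 * Returns 0 on success, -1 if the message is malformed or the nick
 * is too long. All lengths come from msg_len, never from memory
 * the client could have overwritten. */
int parse_client_msg(const unsigned char *msg, size_t msg_len,
                     struct kaillera_msg *out)
{
    size_t nick_len = 0;

    memset(out, 0, sizeof *out);

    /* Look for the terminator only inside the received bytes, and stop
     * before the nick would overflow its buffer (31 chars + NUL). */
    while (nick_len < msg_len && msg[nick_len] != '\0') {
        if (nick_len + 1 >= NICK_MAX)
            return -1;            /* nick too long: reject, don't truncate */
        nick_len++;
    }
    if (nick_len == msg_len)
        return -1;                /* no NUL at all: malformed */

    memcpy(out->nick, msg, nick_len);
    out->nick[nick_len] = '\0';

    /* Payload follows the NUL; msg_len >= nick_len + 1 here, so the
     * subtraction cannot underflow like the original "... - 2". */
    out->data_len = msg_len - (nick_len + 1);
    out->data = malloc(out->data_len ? out->data_len : 1);
    if (out->data == NULL)
        return -1;
    memcpy(out->data, msg + nick_len + 1, out->data_len);
    return 0;
}

void free_client_msg(struct kaillera_msg *m)
{
    free(m->data);
    m->data = NULL;
    m->data_len = 0;
}
```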
#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/kailleraex.zip

#######################################################################

======
4) Fix
======

The developers will release a new version soon.

#######################################################################