#######################################################################

                             Luigi Auriemma

Application:  odamex
              http://www.odamex.net
Versions:     <= odamex 0.2a (SVN 23 Aug 2007)
Platforms:    Windows is the only one affected
Bug:          Windows console hell bell bug
Exploitation: remote, versus Windows dedicated server
Date:         23 Aug 2007
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


odamex is a recent source port of the Doom engine, focused mainly on
multiplayer and, moreover, on security.


#######################################################################

======
2) Bug
======


The odamex server doesn't limit the chars which can be displayed on
the screen.
This lack of limitations involves both the displayed chars, since it
is possible to send messages containing invalid chars like the bell,
and the number of messages.

The effect on a Windows dedicated server, which runs in a console, is
that an attacker playing on it can send many messages containing the
byte 0x07 to freeze the server and make the remote system very slow.

So this is not a real bug in odamex, but unfortunately on Windows
there is this bad side effect caused by the console.


#######################################################################

===========
3) The Code
===========


Add the following line to odamex.cfg:

  set beep "???????????...?????"

where the '?' chars are 127 occurrences of the byte 0x07 (it is also
possible to insert these chars with a hex editor).
Then join a server, open the console and type "say $beep" various
times.


#######################################################################

======
4) Fix
======


I have sent a mail to the developers.

UPDATE 05 Sep 2007: bug fixed


#######################################################################
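
The two missing limits described in section 2 (which chars reach the
console, and how many messages are accepted), sketched as an added
example that is not code from this advisory or from odamex. The names
sanitize_chat and ChatLimiter, the 128-byte cap and the rate values are
assumptions chosen for illustration.

```cpp
#include <cstdint>
#include <iostream>
#include <string>

// Hypothetical helper: make a client-supplied chat line safe to print on the
// server console by replacing control bytes (0x00-0x1F and 0x7F, which
// includes the bell 0x07) with '.' and capping the length.
std::string sanitize_chat(const std::string &in, std::size_t max_len = 128) {
    std::string out;
    for (unsigned char c : in) {
        if (out.size() >= max_len) break;
        out.push_back((c < 0x20 || c == 0x7F) ? '.' : static_cast<char>(c));
    }
    return out;
}

// Hypothetical per-client token bucket: up to `burst` messages at once,
// refilled at `per_sec` messages per second.
struct ChatLimiter {
    double tokens, burst, per_sec;
    std::uint64_t last_ms;
    ChatLimiter(double burst_, double per_sec_, std::uint64_t now_ms)
        : tokens(burst_), burst(burst_), per_sec(per_sec_), last_ms(now_ms) {}

    // Returns true if a message arriving at now_ms may be processed.
    bool allow(std::uint64_t now_ms) {
        if (now_ms > last_ms) tokens += (now_ms - last_ms) / 1000.0 * per_sec;
        if (tokens > burst) tokens = burst;
        last_ms = now_ms;
        if (tokens < 1.0) return false;
        tokens -= 1.0;
        return true;
    }
};

int main() {
    std::string msg(127, '\x07');   // constructed input: 127 bell bytes
    ChatLimiter lim(3, 1.0, 0);     // assumed policy: burst 3, 1 msg/sec
    for (int i = 0; i < 5; ++i)     // five messages in the same millisecond
        std::cout << (lim.allow(0) ? sanitize_chat(msg) : "dropped") << "\n";
    return 0;
}
```

Both checks belong on the server side, before a received message is
written to the console, since the client configuration is under the
sender's control.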