#######################################################################

                             Luigi Auriemma

Application:  Tenes Empanadas Graciela (TEG)
              http://teg.sourceforge.net
Versions:     <= 0.11.1
Platforms:    Linux and *BSD
Bug:          off-by-one
Exploitation: remote, versus server
Date:         03 Mar 2006
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Tenes Empanadas Graciela (TEG) is an open source turn-based board game
quite similar to Risk. The game also supports GGZ
(http://www.ggzgamingzone.org) for online gaming.

#######################################################################

======
2) Bug
======

TEG supports nicknames of at most 50 characters and automatically appends
an underscore when one or more players with the same nickname already
exist.

The problem is that the server doesn't account for the underscores it has
already appended to the original nickname: a nickname that already uses
all 50 characters gets one more byte than its buffer holds, an off-by-one
that immediately crashes the server.

#######################################################################

===========
3) The Code
===========

Launch two or more clients and use a nickname of 50 characters, or send
the following data (with a line-feed at the end) from two or more
telnet/netcat sessions to port 2000 of the server:

  player_id=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa,0,0

#######################################################################

======
4) Fix
======

No fix. No reply from the developers.

UPDATE 18 Mar 2006
Current CVS and the upcoming version 0.11.2 include a fix.

#######################################################################
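The following C program is an added illustration of the nickname handling described in sections 2 and 3; it is not TEG's code and does not reproduce its struct layout. The 51-byte buffer (50 characters plus NUL), the table size and every function name are assumptions. It parses the `player_id=<nick>,0,0` line the advisory sends, shows how many bytes the unchecked "append an underscore" loop would need for a second client with the same 50-character nickname, and beside it a corrected join routine that refuses the underscore once it no longer fits.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not TEG's own code. Buffer size, table size and
 * names below are assumptions that model the advisory's description. */
#define NICK_MAX    50              /* characters, as advertised by TEG */
#define NICK_BUF    (NICK_MAX + 1)  /* assumed: 50 chars + terminating NUL */
#define MAX_PLAYERS 6               /* assumed table size */

struct player {
    bool in_use;
    char name[NICK_BUF];
};

static struct player players[MAX_PLAYERS];

void reset_players(void) { memset(players, 0, sizeof players); }

static bool name_taken(const char *n) {
    for (int i = 0; i < MAX_PLAYERS; i++)
        if (players[i].in_use && strcmp(players[i].name, n) == 0)
            return true;
    return false;
}

/* Parse "player_id=<nick>,0,0\n" and keep only the nickname. Returns 0 on
 * success, -1 if malformed, empty, or longer than NICK_MAX characters. */
int parse_player_id(const char *line, char *nick, size_t nick_sz) {
    static const char prefix[] = "player_id=";
    size_t plen = sizeof prefix - 1;
    if (strncmp(line, prefix, plen) != 0) return -1;
    const char *start = line + plen;
    const char *end = strchr(start, ',');
    if (end == NULL) return -1;
    size_t len = (size_t)(end - start);
    if (len == 0 || len > NICK_MAX || len >= nick_sz) return -1;
    memcpy(nick, start, len);
    nick[len] = '\0';
    return 0;
}

/* Vulnerable pattern: append '_' until unique, never rechecking the length.
 * To stay runnable it works in an oversized scratch buffer instead of
 * writing out of bounds, and returns the bytes (NUL included) the result
 * needs. Anything above NICK_BUF is the overflow the advisory describes. */
size_t naive_dedup_bytes(const char *wanted) {
    char scratch[NICK_BUF + MAX_PLAYERS];  /* room for one '_' per player */
    size_t len = strlen(wanted);
    if (len > NICK_MAX) len = NICK_MAX;    /* the 50-char input limit is honoured */
    memcpy(scratch, wanted, len);
    scratch[len] = '\0';
    while (name_taken(scratch)) {          /* no check against NICK_BUF here */
        scratch[len++] = '_';
        scratch[len] = '\0';
    }
    return len + 1;
}

/* Fixed join: same loop, but refuse once '_' plus NUL would not fit.
 * Returns the slot index, or -1 on any rejection. */
int add_player(const char *wanted) {
    int slot = -1;
    for (int i = 0; i < MAX_PLAYERS; i++)
        if (!players[i].in_use) { slot = i; break; }
    if (slot < 0) return -1;

    char *name = players[slot].name;
    size_t len = strlen(wanted);
    if (len == 0 || len > NICK_MAX) return -1;
    memcpy(name, wanted, len);
    name[len] = '\0';
    while (name_taken(name)) {
        if (len + 1 >= sizeof players[slot].name) {  /* no room for '_' and NUL */
            name[0] = '\0';
            return -1;
        }
        name[len++] = '_';
        name[len] = '\0';
    }
    players[slot].in_use = true;
    return slot;
}

/* Replay the advisory's scenario: two clients sending the same nickname of
 * nick_len characters (constructed input, all 'a'). */
static void make_line(char *line, size_t line_sz, size_t nick_len) {
    char nick[NICK_BUF + MAX_PLAYERS];
    memset(nick, 'a', nick_len);
    nick[nick_len] = '\0';
    snprintf(line, line_sz, "player_id=%s,0,0\n", nick);
}

size_t naive_bytes_after_first_join(size_t nick_len) {
    char line[128], nick[NICK_BUF];
    reset_players();
    make_line(line, sizeof line, nick_len);
    if (parse_player_id(line, nick, sizeof nick) != 0) return 0;
    add_player(nick);                      /* first client takes the name */
    return naive_dedup_bytes(nick);        /* what the second would need */
}

int second_join_result(size_t nick_len) {
    char line[128], nick[NICK_BUF];
    reset_players();
    make_line(line, sizeof line, nick_len);
    if (parse_player_id(line, nick, sizeof nick) != 0) return -2;
    add_player(nick);
    return add_player(nick);               /* second client, fixed path */
}

int main(void) {
    printf("50-char nick: naive dedup needs %zu bytes, buffer holds %d, fixed join returns %d\n",
           naive_bytes_after_first_join(NICK_MAX), NICK_BUF, second_join_result(NICK_MAX));
    printf("49-char nick: naive dedup needs %zu bytes, fixed join returns slot %d\n",
           naive_bytes_after_first_join(NICK_MAX - 1), second_join_result(NICK_MAX - 1));
    return 0;
}
```

With a 50-character nickname the naive loop needs 52 bytes for a 51-byte buffer, which is the one-byte overrun the advisory reports; with 49 characters the underscore still fits and the fixed routine accepts the second client. Note that the fix is not only "reject the 50-character case": the length must be rechecked on every iteration, since each additional duplicate adds another underscore.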