#######################################################################

                             Luigi Auriemma

Application:  GNE - Game Networking Engine
              http://www.gillius.org/gne/
Versions:     <= 0.70 and CVS <= 23 Jul 2006
Platforms:    Windows, *nix, *BSD, Mac and others
Bug:          format string bug in the gout console output
Exploitation: remote
Date:         24 Jul 2006
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

GNE is a networking library designed for games.

#######################################################################

======
2) Bug
======

The console output handled by the library (gout) is affected by a format
string vulnerability that can be exploited if the main program displays
data sent by clients on the gout console.

The problem is caused by the missing "%s" format string in the calls to
both mlprintf and mprintf: the buffered output is passed as the format
argument itself, so any '%' conversion specifiers contained in it are
interpreted by the printf-style function instead of being printed.

From ConsoleStreambuf.cpp:

  void goutbuf::flush_output() {
    //We always have a space for the null pointer because we reserved an
    //extra position when we called setp, and we do so again at the end of
    //this function.
    if (pptr() > pbase()) {
      *pptr() = '\0';

      if (x != -1) {
        //Do a mlprintf if a location was set.
        assert(y != -1);
        Console::mlprintf(x, y, pbase());   //buffer used as format string
        x = y = -1; //Unset last location.
      } else
        Console::mprintf(pbase());          //buffer used as format string

      setp(buf, buf + OBUF_LEN - 1);
    }
  }

#######################################################################

===========
3) The Code
===========

proof-of-concept not available

#######################################################################

======
4) Fix
======

CVS 24 Jul 2006

#######################################################################
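The following is an added example and not GNE's own code: it models the goutbuf::flush_output() path from section 2 with a minimal stand-in Console whose mprintf() is printf-style (implemented here with vsnprintf and captured into a string), so that the difference between passing client data as the format argument and passing it through a constant "%s" format can be observed deterministically. The input string "loading 100%% done" is constructed for the example; "%%" is the one conversion that consumes no argument, so both paths stay defined while still showing that the vulnerable path interprets the data. The names Console, mprintf, flush_vulnerable, flush_fixed and count_active_conversions are this example's own, not identifiers from GNE.

```cpp
// Added example, not code from GNE or from the advisory author.
// Models the gout flush path: buffered text reaching a printf-style
// Console::mprintf() either as the format (vulnerable) or as a "%s"
// argument (fixed). All identifiers below are this example's own.
#include <cstdarg>
#include <cstdio>
#include <iostream>
#include <string>

namespace demo {

// Stand-in for a printf-style console output routine. The real one draws
// on the terminal; this one captures the formatted text so it can be
// compared. The format is applied by vsnprintf exactly as printf would.
struct Console {
    static std::string mprintf(const char* fmt, ...) {
        char out[256];
        va_list ap;
        va_start(ap, fmt);
        vsnprintf(out, sizeof out, fmt, ap);
        va_end(ap);
        return out;
    }
};

// Vulnerable pattern from ConsoleStreambuf.cpp: the buffered text (which
// may have come straight from a remote client) is itself the format.
std::string flush_vulnerable(const std::string& buffered) {
    return Console::mprintf(buffered.c_str());
}

// Fixed pattern: the buffered text is an argument to a constant "%s"
// format, so '%' sequences in it are printed literally.
std::string flush_fixed(const std::string& buffered) {
    return Console::mprintf("%s", buffered.c_str());
}

// Counts '%' conversions that would consume stack arguments or, for %n,
// write memory. "%%" is the only harmless sequence. A server that echoes
// client-supplied text (nicknames, chat) to the console can use this to
// flag hostile input before it ever reaches a printf-style sink.
int count_active_conversions(const std::string& s) {
    int n = 0;
    for (std::size_t i = 0; i < s.size(); ++i) {
        if (s[i] != '%') continue;
        if (i + 1 < s.size() && s[i + 1] == '%') {  // literal percent sign
            ++i;
            continue;
        }
        ++n;
    }
    return n;
}

} // namespace demo

int main() {
    // Constructed client data: "%%" is interpreted by the vulnerable path
    // (printed as a single '%') and preserved verbatim by the fixed path.
    const std::string client_data = "loading 100%% done";
    std::cout << "vulnerable: " << demo::flush_vulnerable(client_data) << '\n';
    std::cout << "fixed:      " << demo::flush_fixed(client_data) << '\n';
    std::cout << "active conversions in \"player%n%n%n\": "
              << demo::count_active_conversions("player%n%n%n") << '\n';
    return 0;
}
```

The example deliberately uses only "%%" as the attacker-controlled conversion, because calling vsnprintf with a format that consumes arguments which were never passed is undefined behaviour; that undefined behaviour is precisely what a real attacker exploits with sequences such as "%x" to read the stack and "%n" to write memory. Compiling the application with a format attribute on the console routines and -Wformat-security would have reported the call in the vulnerable path at build time.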