#######################################################################

                             Luigi Auriemma

Application:  Mtp-Target
              http://www.mtp-target.org
Versions:     <= 1.2.2
Platforms:    Windows and Linux
Bugs:         A] clients format string
              B] server crash
Exploitation: remote, versus both server and clients
Date:         01 May 2005
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Mtp-Target is a nice open source and multiplatform clone of the Monkey
Target minigame. It uses the NeL library
(http://www.nevrax.org/tiki-index.php?page=NeL).


#######################################################################

=======
2) Bugs
=======

------------------------
A] clients format string
------------------------

The game clients are affected by a format string vulnerability in the
display of the chat messages received from other users, and of any
other text that appears in the upper console: the received text is
used as the format string instead of being passed as an argument.
Since the server delivers a chat message to every connected client,
a single message is enough for an attacker to exploit all the clients
connected to a server.


---------------
B] server crash
---------------

This bug is located in the NeL library, but after some tests made by
the NeL developers it seems that only Mtp-Target is vulnerable
(probably because the pre-compiled versions use an old version of the
library; the mystery has not been solved).
In any case, there is a signed comparison that checks whether the
amount of memory to allocate (a parameter supplied by the client) is
greater than 1000000 bytes. If an attacker passes a negative value the
check is bypassed, because a negative number is never greater than
the limit, and the server then tries to allocate this huge amount of
memory (the negative value is converted to a very large unsigned size)
through a call to STLport. The result is an uncaught exception that
terminates the server.

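The following C program is an added illustration of both bug classes, written for this page; it is not Mtp-Target or NeL code, and the function names, the "<nick> msg" console layout and the little-endian 4-byte length field are assumptions. It shows the vulnerable format-string pattern beside the safe one, a server-side check that counts the directives a hostile message carries, and the signed length comparison next to its unsigned replacement, fed with a constructed 0xffffffff length.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ---- A] client format string --------------------------------------- */

/* Vulnerable pattern (assumed, not the game's code): received text is the
   format argument, so a chat message like "%x %x %n" makes printf read the
   stack and, with %n, write memory. Only called here with a constant. */
static void console_show_vulnerable(const char *msg)
{
    printf(msg);
    putchar('\n');
}

/* Hardened: the text is an argument to a fixed format, never the format.
   Returns the rendered line; '%' sequences survive as literal text. */
const char *render_chat_line(const char *nick, const char *msg)
{
    static char line[512];
    snprintf(line, sizeof line, "<%s> %s", nick, msg);
    return line;
}

/* Count the '%' characters printf(msg) would interpret ("%%" is a literal
   percent). A server can use this to drop hostile chat before relaying
   it to unpatched clients. */
int count_format_directives(const char *msg)
{
    int n = 0;
    for (const char *p = msg; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        n++;
    }
    return n;
}

/* ---- B] server signed length check --------------------------------- */

#define MAX_ALLOC 1000000u   /* the limit the advisory describes */

/* 32-bit little-endian field; the wire byte order is an assumption. */
static uint32_t get_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable check: the length is held in a signed int, so 0xffffffff
   is -1, which is not greater than MAX_ALLOC, and the check is bypassed.
   Returns 1 if the allocation would proceed. */
int size_check_signed(const unsigned char *pkt)
{
    int32_t len = (int32_t)get_le32(pkt);
    if (len > (int32_t)MAX_ALLOC)
        return 0;
    return 1;
}

/* Hardened check: compare as unsigned, so every value above the limit,
   including those with the sign bit set, is rejected. */
int size_check_unsigned(const unsigned char *pkt)
{
    uint32_t len = get_le32(pkt);
    if (len > MAX_ALLOC)
        return 0;
    return 1;
}

/* Bytes the allocator is actually asked for once the signed value is
   converted to size_t: -1 becomes SIZE_MAX. */
size_t requested_bytes(const unsigned char *pkt)
{
    int32_t len = (int32_t)get_le32(pkt);
    return (size_t)len;
}

/* Constructed sample packets consisting of the 4-byte length field only. */
const unsigned char pkt_ok[4]  = {0x10, 0x27, 0x00, 0x00};  /* 10000 */
const unsigned char pkt_big[4] = {0x80, 0x96, 0x98, 0x00};  /* 10000000 */
const unsigned char pkt_neg[4] = {0xff, 0xff, 0xff, 0xff};  /* -1 / 4294967295 */

int main(void)
{
    const char *hostile = "hi %x %x %n";   /* constructed chat message */
    console_show_vulnerable("server: welcome");
    puts(render_chat_line("bob", hostile));
    printf("directives in message: %d\n", count_format_directives(hostile));
    printf("signed check accepts 0xffffffff: %d\n", size_check_signed(pkt_neg));
    printf("unsigned check accepts 0xffffffff: %d\n", size_check_unsigned(pkt_neg));
    printf("bytes requested: %zu\n", requested_bytes(pkt_neg));
    return 0;
}
```

The two fixes are the usual ones for these classes: never hand network text to a printf-style function as its format, and keep lengths that come off the wire unsigned (or check both bounds) before sizing an allocation.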
#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/mtpbugs.zip


#######################################################################

======
4) Fix
======


No fix.
I was in contact with the developers of this game (who also have a
public game server) but I have not received any further replies from
them, so I have no idea if and when a patch will be released.


#######################################################################