#######################################################################

                             Luigi Auriemma

Application:  Skulltag
              http://www.skulltag.com
Versions:     <= 0.96f
Platforms:    Windows
Bug:          format string
Exploitation: remote, versus server
Date:         23 Apr 2006
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Skulltag is a well known and supported Doom engine mainly based on
Zdoom and focused on online gaming.
Unfortunately it's released as closed source although it uses open
source code.


#######################################################################

======
2) Bug
======


The server is affected by a format string vulnerability exploitable
when a client passes a wrong version string.
The following are the bugged instructions in the 0.96f executable:

* Reference To: MSVCRT.sprintf, Ord:02B2h
                                  |
:004DCCC3 8B3D30415900            mov edi, dword ptr [00594130]
:004DCCC9 8D4C2424                lea ecx, dword ptr [esp+24]
:004DCCCD 50                      push eax      ; client's version
:004DCCCE 51                      push ecx      ; buffer
:004DCCCF FFD7                    call edi      ; sprintf()

translated in:

  sprintf(buffer, version_sent_by_the_client);

The exploitation happens "outside" the server so there are no banning
and password limitations for the attacker.
The only so called obstacle happens when the server is full because it
can't be attacked during this (rare) state.
A note about the possible code execution, the subsequent instructions
use the strupr function which converts almost all the chars in the
string to upper cases.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/skulltagfs.zip


#######################################################################

======
4) Fix
======


The developer has been contacted and has fixed the bug only in his
private development version which will be released probably this
summer.
So there is no fix available.

Fortunately the bug is enough simple to fix so I have created an
unofficial patch which adds the argument "%s" to sprintf.
This solution is enough since is not possible to overflow the buffer
(so no need of snprintf or "%.*s"):

  http://aluigi.org/patches/skulltagfs-fix.zip


#######################################################################