#######################################################################

                             Luigi Auriemma

Application:  Vavoom
              http://www.vavoom-engine.com
Versions:     <= 1.19.1
Platforms:    Windows, DOS, *nix, *BSD and more
Bugs:         A] socket unreachable
              B] decompression crash
Exploitation: remote, versus server and client
Date:         26 Mar 2006
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Vavoom is an open source engine based on the GPLed Doom engine with
many interesting features.
Although it supports multiplayer, it still doesn't have a master
server for online gaming.


#######################################################################

=======
2) Bugs
=======

---------------------
A] socket unreachable
---------------------

The game uses an asynchronous socket polled through the FIONREAD
command.
When a packet with no data in it (0 length) or bigger than 4096 bytes
(the maximum size supported by the game) is received, the game keeps
seeing and skipping the same packet forever, because the read returns
0 or -1 every time (endless loop), and nobody is able to join and
play.
The only way to restore the situation is restarting the server.


----------------------
B] decompression crash
----------------------

A buffer overflow exists in the handling of the compressed packets.
Anyway, it is not possible (I have found no way) to exploit it for
executing malicious code, so the only effect is the immediate
termination of the program.

The problem is caused by the lack of checks on the comprLength value
passed by the attacker, which specifies and limits the uncompressed
size of the compressed data located in the packet.
The buffer into which the data is uncompressed is packetBuffer.data,
which is 1024 bytes long.

From Datagram_GetMessage in source/net_dgrm.cpp:

  ...
  uLongf DecomprLength = comprLength;  // comprLength is read from the packet, unchecked
  if (uncompress(packetBuffer.data, &DecomprLength, CompressedData,
                 length - NET_HEADERSIZE) != Z_OK)
  ...


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/vaboom.zip


#######################################################################

======
4) Fix
======


No fix.
No reply from the developers.

UPDATE 27 Mar 2006
The current CVS fixes the bugs.


#######################################################################
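As an added illustration of bug B (this is example code, not from the advisory or from Vavoom), the following Python models the flawed handling of comprLength next to a hardened version that bounds the output by the 1024-byte receive buffer and then verifies the header against the real stream. The 4-byte header layout and the NET_HEADERSIZE value are constructed for this example and are not Vavoom's real wire format.

```python
import struct
import zlib
from typing import Optional

# From the advisory: the destination buffer packetBuffer.data is 1024 bytes.
PACKET_BUFFER_SIZE = 1024

# Constructed header layout for this example only (not Vavoom's real wire
# format): a 4-byte big-endian comprLength followed by the zlib stream.
HEADER = struct.Struct(">I")
NET_HEADERSIZE = HEADER.size


def build_packet(payload: bytes, claimed_length: int) -> bytes:
    """Build a constructed packet whose comprLength field is sender-controlled."""
    return HEADER.pack(claimed_length) + zlib.compress(payload)


def decompress_unchecked(packet: bytes) -> bytes:
    """Model of the flawed logic: the output bound is whatever the sender claimed.

    In the C code this is uncompress(packetBuffer.data, &DecomprLength, ...) with
    DecomprLength = comprLength; any result longer than 1024 bytes here is data
    that would have been written past the end of packetBuffer.data.
    """
    (compr_length,) = HEADER.unpack_from(packet)
    return zlib.decompressobj().decompress(packet[NET_HEADERSIZE:], compr_length)


def decompress_checked(packet: bytes) -> Optional[bytes]:
    """Hardened variant: bound the output by the buffer, then verify the header."""
    (compr_length,) = HEADER.unpack_from(packet)
    if compr_length == 0 or compr_length > PACKET_BUFFER_SIZE:
        return None  # the claimed size can never fit the 1024-byte buffer
    d = zlib.decompressobj()
    try:
        # One byte of slack lets zlib consume the trailer and report eof when
        # the stream decompresses to exactly PACKET_BUFFER_SIZE bytes.
        out = d.decompress(packet[NET_HEADERSIZE:], PACKET_BUFFER_SIZE + 1)
    except zlib.error:
        return None  # corrupt stream
    if len(out) > PACKET_BUFFER_SIZE or not d.eof or d.unconsumed_tail:
        return None  # real payload is larger than the buffer, or truncated
    if len(out) != compr_length:
        return None  # header disagrees with the stream
    return out
```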