#######################################################################

                             Luigi Auriemma

Application:  Warzone Resurrection
              http://home.gna.org/warzone/
              (Warzone 2100 http://www.strategyplanet.com/warzone2100/)
Versions:     <= 2.0.3 d
              SVN <= 127
Platforms:    Windows, *nix, *BSD and others
Bugs:         A] buffer-overflow in recvTextMessage
              B] buffer-overflow in NETrecvFile
Exploitation: A] remote, versus server
              B] remote, versus client
Date:         22 Jul 2006
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Warzone 2100 is a well known commercial game developed by Pumpkin Studios
and released under the GPL license at the end of 2004.
Warzone Resurrection is the project which continues to develop and
maintain this game.


#######################################################################

=======
2) Bugs
=======


-------------------------------------
A] buffer-overflow in recvTextMessage
-------------------------------------

recvTextMessage is the function used by the server to handle the
messages sent by the clients.
This function uses the msg buffer, which is 256
(MAX_CONSOLE_STRING_LENGTH) bytes in size, to hold the whole message
to be sent to all the other clients using the format:

  player_name : message

The data block can be at most 8000 (MaxMsgSize) bytes, so an attacker
can cause a buffer-overflow to crash the server or execute malicious
code.

From src/multiplay.c:

BOOL recvTextMessage(NETMSG *pMsg)
{
	DPID	dpid;
	UDWORD	i;
	STRING	msg[MAX_CONSOLE_STRING_LENGTH];

	NetGet(pMsg,0,dpid);
	for(i = 0; NetPlay.players[i].dpid != dpid; i++);	//findplayer

	strcpy(msg,NetPlay.players[i].name);	// name
	strcat(msg," : ");			// separator
	strcat(msg, &(pMsg->body[4]));		// message text: unbounded, never checked against MAX_CONSOLE_STRING_LENGTH
	...
---------------------------------
B] buffer-overflow in NETrecvFile
---------------------------------

The NETrecvFile function used by the clients to download remote files
is vulnerable to a buffer-overflow caused by the copying of a string of
at most 255 bytes into the fileName buffer of only 128 bytes.

From lib/netplay/netplay.c:

UBYTE NETrecvFile(NETMSG *pMsg)
{
	UDWORD pos, fileSize, currPos, bytesRead;
	char fileName[128];
	unsigned int len;
	static PHYSFS_file	*pFileHandle;

	//read incoming bytes.
	NetGet(pMsg,0,fileSize);
	NetGet(pMsg,4,bytesRead);
	NetGet(pMsg,8,currPos);

	// read filename
	len = (unsigned int)(pMsg->body[12]);	// length byte taken from the packet, up to 255
	memcpy(fileName,&(pMsg->body[13]),len);	// no check against sizeof(fileName) == 128
	...


#######################################################################

===========
3) The Code
===========


A] modify sendTextMessage using a message bigger than 256 bytes
B] modify sendMap using a map bigger than 128 bytes


#######################################################################

======
4) Fix
======


SVN 128


#######################################################################
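Added example, not code from Warzone Resurrection or from this advisory: bounds-checked rewrites of the two unsafe copies described in bugs A] and B], with constructed packets showing that a 300-byte chat line and a 200-byte file name are refused instead of overrunning the stack. The buffer sizes (256, 128), MaxMsgSize (8000) and the body offsets (dpid at body[0], text at body[4]; length byte at body[12], name at body[13]) are taken from the advisory; the NETMSG stand-in, the player name, and all function names are assumptions made for this stand-alone demo.

```c
/* Added example (not the project's code): bounds-checked versions of the
 * strcpy/strcat chain in recvTextMessage and the memcpy in NETrecvFile.
 * Sizes and body offsets follow the advisory; the NETMSG struct, the
 * player name and the helper names are assumptions for this demo. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CONSOLE_STRING_LENGTH 256   /* msg[] in recvTextMessage */
#define MaxMsgSize                8000  /* largest NETMSG body */
#define FILENAME_LEN              128   /* fileName[] in NETrecvFile */

/* Assumed minimal packet layout: a byte count plus the raw body. */
typedef struct {
    uint32_t size;               /* valid bytes in body */
    char     body[MaxMsgSize];
} NETMSG;

/* strnlen is POSIX, not ISO C; a local bounded length keeps this portable. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hardened form of bug A]: the body text is bounded by the packet size (it
 * need not be NUL-terminated) and "name : text" is built with snprintf, so
 * it can never exceed msglen; an oversized line is rejected, not truncated. */
bool build_text_message(char *msg, size_t msglen, const char *name, const NETMSG *pMsg)
{
    if (pMsg->size < 4 || pMsg->size > MaxMsgSize)
        return false;
    const char *text = &pMsg->body[4];
    size_t textlen = bounded_len(text, pMsg->size - 4);

    int n = snprintf(msg, msglen, "%s : %.*s", name, (int)textlen, text);
    if (n < 0 || (size_t)n >= msglen) {
        msg[0] = '\0';
        return false;
    }
    return true;
}

/* Hardened form of bug B]: the length byte (0..255) is checked against both
 * the 128-byte buffer (leaving room for the NUL) and the packet itself. */
bool read_filename(char *fileName, size_t fileNameLen, const NETMSG *pMsg)
{
    if (pMsg->size < 13)
        return false;
    unsigned int len = (unsigned char)pMsg->body[12];
    if (len >= fileNameLen || 13 + len > pMsg->size)
        return false;
    memcpy(fileName, &pMsg->body[13], len);
    fileName[len] = '\0';
    return true;
}

/* --- constructed sample packets and scenarios (not real game traffic) --- */

/* Text packet: 4-byte dpid (zero) followed by count copies of c, NUL-terminated. */
static void make_text_packet(NETMSG *m, char c, size_t count)
{
    memset(m, 0, sizeof *m);
    memset(&m->body[4], c, count);
    m->body[4 + count] = '\0';
    m->size = (uint32_t)(4 + count + 1);
}

/* 1 if a short chat line is accepted and formatted as "Player : text". */
int scenario_text_ok(void)
{
    NETMSG m;
    char msg[MAX_CONSOLE_STRING_LENGTH];
    make_text_packet(&m, 'h', 5);
    return build_text_message(msg, sizeof msg, "Player", &m)
        && strcmp(msg, "Player : hhhhh") == 0;
}

/* 1 if a 300-byte chat line is rejected and msg is left empty. */
int scenario_text_overflow_rejected(void)
{
    NETMSG m;
    char msg[MAX_CONSOLE_STRING_LENGTH];
    make_text_packet(&m, 'A', 300);
    return !build_text_message(msg, sizeof msg, "Player", &m) && msg[0] == '\0';
}

/* File packet: 12 bytes of fileSize/bytesRead/currPos, a length byte, then the name. */
static void make_file_packet(NETMSG *m, unsigned int len)
{
    memset(m, 0, sizeof *m);
    m->body[12] = (char)len;
    memset(&m->body[13], 'x', len);
    m->size = 13 + len;
}

/* 1 if a 20-byte name is copied and a 200-byte name is refused. */
int scenario_filename_checked(void)
{
    NETMSG m;
    char fileName[FILENAME_LEN];
    make_file_packet(&m, 20);
    if (!read_filename(fileName, sizeof fileName, &m) || strlen(fileName) != 20)
        return 0;
    make_file_packet(&m, 200);
    return !read_filename(fileName, sizeof fileName, &m);
}

int main(void)
{
    printf("short text accepted:      %d\n", scenario_text_ok());
    printf("300-byte text rejected:   %d\n", scenario_text_overflow_rejected());
    printf("filename length enforced: %d\n", scenario_filename_checked());
    return 0;
}
```

The two checks mirror the two root causes: in A] the unbounded source is the packet body, so the copy is bounded by both the packet size and the destination size; in B] the length comes from a single attacker-controlled byte, so it is compared against the destination before memcpy runs. The file-name check also rejects a length that exceeds the packet, which would otherwise read past the received bytes.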