Multiple vulnerabilities in csDoom 0.7

SECURITYVULNS:DOC:11964, Mar 27, 2006 (via vulners.com)

#######################################################################

                         Luigi Auriemma

Application:  client/server Doom (csDoom)
              http://voxelsoft.com/csdoom/ (current maintainer)
              http://csdoom.sourceforge.net (original author, 2000)
Versions:     <= 0.7
Platforms:    Windows, *nix, *BSD and more
Bugs:         A] buffer-overflow in SV_BroadcastPrintf
              B] buffer-overflow in SV_SetupUserInfo
              C] format string in Printf
Exploitation: A] remote, versus server
              B] remote, versus server
              C] remote, versus server and client
Date:         26 March 2006
Author:       Luigi Auriemma
e-mail:       [email protected]
web:          http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction

client/server Doom (csDoom) is an open source Doom engine developed by
Sergey Makovkin and based on the ZDoom 1.22 code.
The game is focused on online multiplayer and its latest version was
released back in 2000.

In 2004/2005 Denis Lukianov decided to continue the development of this
engine, focusing mainly on removing the bugs which had caused the death
of this software.

Although quite old, this game is still included in the Internet Doom
Explorer (IDE, http://nfdfn.jinr.dubna.su/~bond/csdoom/) server browser,
which is used to retrieve the online server lists of several multiplayer
Doom engines.

#######################################################################

=======
2) Bugs


A] buffer-overflow in SV_BroadcastPrintf

The function SV_BroadcastPrintf is used by the server to send a message
to all the connected clients; for example it's used when a client joins
the match or sends a chat message.
The buffer holding the generated string is 1024 bytes, while the input
text sent by the attacker can be up to 2048 bytes long (MSG_ReadString),
allowing possible malicious code execution.

From doomsv/src/sv_main.cpp:

void STACK_ARGS SV_BroadcastPrintf (int level, const char *fmt, ...)
{
    va_list argptr;
    char string[1024];
    client_t *cl;

    va_start (argptr,fmt);
    vsprintf (string, fmt,argptr);
    va_end (argptr);
    ...

B] buffer-overflow in SV_SetupUserInfo

When a player joins the server he sends two text strings which identify
his nickname and team name.
Both strings (max 2048 bytes, MSG_ReadString) are copied through
strcpy() into two buffers of 16 bytes.
However, these buffers are global, not local, so it should not be
possible to use this bug to execute malicious code, only to crash the
server.

From doomsv/src/sv_main.cpp:

void SV_SetupUserInfo(void)
{
    player_t *p;

    p = &players[parse_cl];

    strcpy(p->userinfo.netname, MSG_ReadString() );
    strcpy(p->userinfo.team, MSG_ReadString() );
    ...
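Bugs A and B are the same defect in two shapes: an unbounded write (vsprintf, strcpy) fed by a MSG_ReadString value that can be up to 2048 bytes. The following is an added example, not csDoom code, showing bounded replacements for both call sites and how the caller can detect that an oversized value was cut instead of letting it run past the buffer. The sizes (2048, 1024, 16) are the ones the advisory states; the userinfo_t struct, the function names and the oversized 'A' input are constructed for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Sizes named in the advisory: MSG_ReadString returns at most 2048 bytes,
 * SV_BroadcastPrintf formats into 1024, the userinfo fields are 16 bytes. */
#define MAX_MSG_STRING 2048
#define BROADCAST_SIZE 1024
#define USERINFO_FIELD 16

/* Hypothetical stand-in for player_t.userinfo (assumed layout, example only). */
typedef struct {
    char netname[USERINFO_FIELD];
    char team[USERINFO_FIELD];
} userinfo_t;

/* Bounded replacement for the vsprintf call: the write can never exceed
 * outsize, and the snprintf-style return value (bytes that would have been
 * needed) lets the caller notice truncation instead of losing it silently. */
int sv_broadcast_printf_safe(char *out, size_t outsize, const char *fmt, ...)
{
    va_list argptr;
    int needed;

    va_start(argptr, fmt);
    needed = vsnprintf(out, outsize, fmt, argptr);
    va_end(argptr);
    return needed;
}

/* Bounded replacement for strcpy() into a fixed-size field. Always
 * NUL-terminates; returns 1 if src fit, 0 if it had to be truncated. */
int copy_field(char *dst, size_t dstsize, const char *src)
{
    size_t len = strlen(src);

    if (len >= dstsize) {
        memcpy(dst, src, dstsize - 1);
        dst[dstsize - 1] = '\0';
        return 0;
    }
    memcpy(dst, src, len + 1);
    return 1;
}

/* Hardened SV_SetupUserInfo: returns 1 only if both fields fit unchanged,
 * so the server can reject a join with an oversized nickname or team. */
int sv_setup_userinfo_safe(userinfo_t *p, const char *netname, const char *team)
{
    int name_ok = copy_field(p->netname, sizeof p->netname, netname);
    int team_ok = copy_field(p->team, sizeof p->team, team);
    return name_ok && team_ok;
}

/* Constructed oversized input: the longest string MSG_ReadString could
 * hand the server, filled with 'A'. */
static void make_oversized_input(char *buf)
{
    memset(buf, 'A', MAX_MSG_STRING);
    buf[MAX_MSG_STRING] = '\0';
}

/* Oversized chat text through the bounded formatter: returns the length
 * actually stored in the 1024-byte buffer, i.e. 1023. */
int demo_broadcast_stored_len(void)
{
    char input[MAX_MSG_STRING + 1];
    char string[BROADCAST_SIZE];

    make_oversized_input(input);
    sv_broadcast_printf_safe(string, sizeof string, "%s\n", input);
    return (int)strlen(string);
}

/* Same input: returns the "needed" count (2049 with the '\n'), which is
 * how the caller detects that the message was cut. */
int demo_broadcast_needed(void)
{
    char input[MAX_MSG_STRING + 1];
    char string[BROADCAST_SIZE];

    make_oversized_input(input);
    return sv_broadcast_printf_safe(string, sizeof string, "%s\n", input);
}

/* Oversized nickname into the 16-byte field: returns the stored length, 15. */
int demo_userinfo_stored_len(void)
{
    char input[MAX_MSG_STRING + 1];
    userinfo_t info;

    make_oversized_input(input);
    sv_setup_userinfo_safe(&info, input, "Red");
    return (int)strlen(info.netname);
}

/* Fit flag for a given nickname with a short team name. */
int demo_userinfo_fits(const char *netname)
{
    userinfo_t info;
    return sv_setup_userinfo_safe(&info, netname, "Red");
}

int main(void)
{
    printf("broadcast stored=%d needed=%d\n",
           demo_broadcast_stored_len(), demo_broadcast_needed());
    printf("userinfo stored=%d fits=%d\n",
           demo_userinfo_stored_len(), demo_userinfo_fits("Player1"));
    return 0;
}
```

A truncating copy is only half the fix: for a nickname, silently cutting it to 15 bytes is usually acceptable, but for a chat broadcast the caller should compare the returned "needed" count against the buffer size and drop or split the message, otherwise a client can still corrupt what other players see.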

C] format string in Printf

Both client and server have the same format string vulnerability in the
PrintString function (in the instruction "printf (outline);") located
in doom*/src/c_console.cpp.
This function is used to display all text strings in the console and on
the game screen through the Printf function, which is widely used in the
engine.
The following code flow should be clear enough:

int STACK_ARGS Printf (int printlevel, const char *format, ...)
{
    va_list argptr;
    int count;

    va_start (argptr, format);
    count = VPrintf (printlevel, format, argptr);
    va_end (argptr);

    return count;
}

int VPrintf (int printlevel, const char *format, va_list parms)
{
    char outline[8192];

    if (gameisdead)
        return 0;

    vsprintf (outline, format, parms);
    return PrintString (printlevel, outline);
}

int PrintString (int printlevel, const char *outline)
{
    printf (outline);
    return strlen (outline);
}
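The flaw above is that the already-formatted outline is handed to printf as a format, so any '%' sequence a client put in its text gets interpreted a second time. The following is an added example, not csDoom code, with a hardened PrintString that passes the text as data rather than as a format, plus two helpers a server can apply to player-supplied strings: a counter of live conversion directives (useful as a log-side check for text that reaches any printf-family sink) and a sanitiser that doubles every '%' for strings that must still go through a legacy format-taking path. The function names and the constructed chat line are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Hardened PrintString: the text is an argument to a fixed format (fputs is
 * equivalent to printf("%s", outline)), so '%' sequences inside it are
 * printed literally, never interpreted. Returns the length like the original. */
int print_string_safe(int printlevel, const char *outline)
{
    (void)printlevel;            /* console colouring by level not modelled here */
    fputs(outline, stdout);
    return (int)strlen(outline);
}

/* Counts the conversion directives a format-string sink would act on:
 * every '%' that is not the literal escape "%%". A non-zero count on a
 * nickname or chat line is worth logging even after the sink is fixed. */
int count_format_directives(const char *s)
{
    int count = 0;
    const char *p = s;

    while ((p = strchr(p, '%')) != NULL) {
        if (p[1] == '%') {
            p += 2;              /* "%%" prints a single '%', harmless */
            continue;
        }
        count++;
        p++;
    }
    return count;
}

/* Copies src into dst (size dstsize) with every '%' doubled, so the result
 * stays inert even if it later reaches a call that treats it as a format.
 * Returns 1 on success, 0 if dst was too small (nothing is written past it). */
int neutralise_percent(char *dst, size_t dstsize, const char *src)
{
    size_t o = 0;

    for (; *src; src++) {
        size_t need = (*src == '%') ? 2 : 1;
        if (o + need >= dstsize)
            return 0;
        dst[o++] = *src;
        if (*src == '%')
            dst[o++] = '%';
    }
    dst[o] = '\0';
    return 1;
}

/* Constructed chat line of the kind a client could send; returns the
 * length after neutralisation ("score 100%s done" -> "score 100%%s done", 17). */
int demo_neutralised_len(void)
{
    char out[64];
    const char *chat = "score 100%s done";

    if (!neutralise_percent(out, sizeof out, chat))
        return -1;
    return (int)strlen(out);
}

int main(void)
{
    const char *chat = "score 100%s done";

    printf("directives in chat line: %d\n", count_format_directives(chat));
    print_string_safe(0, chat);
    putchar('\n');
    return 0;
}
```

The real fix is the one-line change in the sink (printf("%s", outline) or fputs); the counter and the sanitiser are defence in depth for an engine where Printf(string) with user-controlled text may exist at other call sites not covered by this advisory.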

Note: this bug has already been patched by Denis in the csDoom client.

#######################################################################

===========
3) The Code

http://aluigi.altervista.org/poc/csdoombof.zip

#######################################################################

======
4) Fix

All the bugs have been fixed in the current version (released
yesterday) maintained by Denis:

http://voxelsoft.com/csdoom/

#######################################################################