Apr 04, 2006 - 12:00 a.m.

[Full-disclosure] Format string in Doomsday 1.8.6

2006-04-04 00:00:00
vulners.com

#######################################################################

                         Luigi Auriemma

Application: Doomsday engine
http://www.doomsdayhq.com
http://deng.sourceforge.net
Versions: <= 1.8.6 (and current SVN 1.9.0)
Platforms: Windows, *nix, *BSD, Mac and others
Bug: format string bug in Con_Message and Con_Printf
Exploitation: remote, versus server and clients
Date: 03 Apr 2006
Author: Luigi Auriemma
e-mail: [email protected]
web: http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction

The Doomsday engine is an enhanced and well known open source port of
the original Doom engine and is also one of the most played on the
Internet.

#######################################################################

======
2) Bug

The Doomsday engine contains many functions used to display messages
in the console.
Both Con_Message and conPrintf are affected by a format string
vulnerability which could allow an attacker to execute malicious code
against the server or the clients.
The first function calls "Con_Printf(buffer)" with the already
formatted buffer in the format argument, while the second one calls
"SW_Printf(prbuff)" when SW_IsActive() is true (which is always the
case).

From Src/con_main.c:

void Con_Message(const char *message, ...)
{
    va_list argptr;
    char *buffer;

    if(message[0])
    {
        buffer = malloc(0x10000);

        va_start(argptr, message);
        vsprintf(buffer, message, argptr);
        va_end(argptr);

#ifdef UNIX
        if(!isDedicated)
        {
            // These messages are supposed to be visible in the real console.
            fprintf(stderr, "%s", buffer);
        }
#endif

        // These messages are always dumped. If consoleDump is set,
        // Con_Printf() will dump the message for us.
        if(!consoleDump)
            printf("%s", buffer);

        // Also print in the console.
        // Format string bug: the formatted buffer is passed as the format.
        Con_Printf(buffer);

        free(buffer);
    }
    Con_DrawStartupScreen(true);
}

void conPrintf(int flags, const char *format, va_list args)
{
    unsigned int i;
    int lbc; // line buffer cursor
    char *prbuff, *lbuf = malloc(maxLineLen + 1);
    cbline_t *line;

    if(flags & CBLF_RULER)
    {
        Con_AddRuler();
        flags &= ~CBLF_RULER;
    }

    // Allocate a print buffer that will surely be enough (64Kb).
    // FIXME: No need to allocate on EVERY printf call!
    prbuff = malloc(65536);

    // Format the message to prbuff.
    vsprintf(prbuff, format, args);

    if(consoleDump)
        fprintf(outFile, "%s", prbuff);
    if(SW_IsActive())
        // Format string bug: the formatted buffer is passed as the format.
        SW_Printf(prbuff);
...

#######################################################################

===========
3) The Code

Connect with telnet to port 13209 (default) of a DoomsDay server and
type:

JOIN 1234 %n%n%n%n%n%n

The server will crash immediately.

#######################################################################

======
4) Fix

No fix.
No reply from the developers.
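The advisory records no vendor fix. As an added example that is not Doomsday code, the C below shows the mitigation the bug section implies: the already formatted message is relayed through a fixed "%s" format instead of being passed as the format itself, and a small helper counts the directives a received string would consume if it ever reached a format slot. The console sink, the buffer size and the function names are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define CONSOLE_LINE_MAX 256

/* Hypothetical console sink: keeps the last line written for inspection. */
static char g_console_line[CONSOLE_LINE_MAX];
/* Stand-in for Con_Printf: callers pass a literal format; text that came
 * from the network goes in as an argument, never as `format`. */
static void con_printf_fixed(const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    vsnprintf(g_console_line, sizeof g_console_line, format, ap);
    va_end(ap);
}

/* Stand-in for Con_Message after the fix: format once into a bounded
 * buffer, then relay the result as data ("%s"). The original relayed it
 * as Con_Printf(buffer), so a '%' in the message was parsed a second time. */
const char *con_message_fixed(const char *message, ...)
{
    char buffer[CONSOLE_LINE_MAX];
    va_list ap;
    if (message[0] == '\0')
        return g_console_line;
    va_start(ap, message);
    vsnprintf(buffer, sizeof buffer, message, ap);
    va_end(ap);
    con_printf_fixed("%s", buffer);
    return g_console_line;
}

/* Counts the conversions a string would perform if it were used as a printf
 * format ("%%" is a literal percent, not counted). A non-zero result for
 * text received from a client is what a debug assertion at the
 * Con_Printf/SW_Printf call sites should flag. */
int format_directive_count(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }   /* escaped percent */
        n++;
    }
    return n;
}
```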

#######################################################################


Luigi Auriemma
http://aluigi.altervista.org


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/