Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:13621
HistoryJul 25, 2006 - 12:00 a.m.

Buffer-overflow in recvTextMessage and NETrecvFile in Warzone Resurrection 2.0.3 (SVN 127)

2006-07-2500:00:00
vulners.com
7
JSON

#######################################################################

                         Luigi Auriemma

Application: Warzone Resurrection
http://home.gna.org/warzone/
(Warzone 2100 http://www.strategyplanet.com/warzone2100/)
Versions: <= 2.0.3 and SVN <= 127
Platforms: Windows, *nix, *BSD and others
Bug: A] buffer-overflow in recvTextMessage
B] buffer-overflow in NETrecvFile
Exploitation: A] remote, versus server
B] remote, versus client
Date: 22 Jul 2006
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction

Warzone 2100 is a well known commercial game developed by Pumpkin
Studios and released under the GPL license at the end of 2004.
Warzone Resurrection is the project which continues the development and
the maintaining of this game.

#######################################################################

======
2) Bug

A] buffer-overflow in recvTextMessage

recvTextMessage is the function used by the server for handling the
text messages sent by the clients.
This function uses the msg buffer, which has a size of 256
(MAX_CONSOLE_STRING_LENGTH) bytes, for containing the entire message to
send to all the other clients using the following format:

player_name : message

The size of the data block can be max 8000 (MaxMsgSize) bytes so an
attacker can cause a buffer-overflow for crashing the server or
executing malicious code.

>From src/multiplay.c:

BOOL recvTextMessage(NETMSG *pMsg)
{
DPID dpid;
UDWORD i;
STRING msg[MAX_CONSOLE_STRING_LENGTH];

NetGet&#40;pMsg,0,dpid&#41;;
for&#40;i = 0; NetPlay.players[i].dpid != dpid; i++&#41;;

//findplayer

strcpy&#40;msg,NetPlay.players[i].name&#41;;

// name
strcat(msg," : ");
// seperator
strcat(msg, &(pMsg->body[4]));

B] buffer-overflow in NETrecvFile

The NETrecvFile function used by the clients for downloading remote
files is affected by a buffer-overflow caused by the copying of a
string of max 255 bytes in the fileName buffer of only 128 bytes.

>From lib/netplay/netplay.c:

UBYTE NETrecvFile(NETMSG *pMsg)
{
UDWORD pos, fileSize, currPos, bytesRead;
char fileName[128];
unsigned int len;
static PHYSFS_file *pFileHandle;

//read incoming bytes.
NetGet&#40;pMsg,0,fileSize&#41;;
NetGet&#40;pMsg,4,bytesRead&#41;;
NetGet&#40;pMsg,8,currPos&#41;;

// read filename
len = &#40;unsigned int&#41;&#40;pMsg-&gt;body[12]&#41;;
memcpy&#40;fileName,&amp;&#40;pMsg-&gt;body[13]&#41;,len&#41;;
...

#######################################################################

===========
3) The Code

A]
modify sendTextMessage using a message of more than 256 bytes

B]
modify sendMap using a map of more than 128 bytes

#######################################################################

======
4) Fix

SVN 128

#######################################################################

Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org

JSON