Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:18114
HistoryOct 04, 2007 - 12:00 a.m.

Two buffer-overflow in FSD V2.052 d9 and FSFDT V3.000 d9

2007-10-0400:00:00
vulners.com
37
JSON

#######################################################################

                         Luigi Auriemma

Application: FSD
http://www.mcdu.com/en/download.php
Versions: <= "V2.052 d9" (original FSD) and "V3.000 d9" (FSFDT FSD)
Platforms: Windows and *nix
Bugs: A] buffer-overflow in exechelp
B] buffer-overflow in execmulticast
Exploitation: remote
Date: 01 Oct 2007
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction

FSD is an (the only?) open source Flight Simulator server.
An interesting story about it is available here:

http://www.vatpac.org/administration/history.htm

#######################################################################

=======
2) Bugs

A] buffer-overflow in exechelp

A buffer-overflow vulnerability caused by the usage of strcpy() on a
stack's buffer of 100 bytes is exploitable through the HELP command on
port 3010.

from sysuser.cpp:

void sysuser::exechelp(char **array, int count)
{
int copymode=0, topicmode=0, globalmode=0;
char topic[100],line[100];
char *s=(count>0)?array[0]:(char *)NULL;
if (s) strcpy(topic,s); else

B] buffer-overflow in execmulticast

Another stack buffer-overflow with another buffer of 100 bytes is
exploitable through the sending of various commands to port 6809 which
calls the sendmulticast function.

from servinterface.cpp:

int servinterface::sendmulticast(client *source, char *dest, char *s,
int cmd, int multiok, absuser *ex)
{
client destination=NULL;
char data[1000], servdest[100];

switch (dest[0])
{
case '@': case '':
if (!multiok) return 0;
strcpy(servdest, dest);
break;
default:
sprintf(servdest,"%%%s",dest);

#######################################################################

===========
3) The Code

A]
connect with nc or telnet to port 3010 (sometimes it can be 3011, but
it's easy to recognize since it shows a "FSD>" prompt) and then send:

HELP aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa…(more_than_100_'a's)…aaaa

B]
connect with nc or telnet to port 6809, now you must log in or create a
new user, but seems that all usernames and passwords are available on
port 3011 (or 3012) where they are sent just when you connect:

#AAcallsign::ident:122222:122222:1:9
$PIcallsign:aaaaaaaaaaaaaaaaaaaaaaaaaaaaa…(more_than_100_'a's)…aaaa

(in the above example the first 122222 is the CID and the second one is
the password)

#######################################################################

======
4) Fix

No fix.
No reply from the current maintainers (MCDU).

#######################################################################

Luigi Auriemma
http://aluigi.org
http://forum.aluigi.org
http://mirror.aluigi.org

JSON