[Full-disclosure] Buffer-overflow in C'Nedra 0.4.0

From: Luigi Auriemma (aluigi_at_autistici.org)
Date: 05/26/05

Date: Thu, 26 May 2005 17:44:59 +0000
To: bugtraq@securityfocus.com, bugs@securitytracker.com, news@securiteam.com, full-disclosure@lists.grok.org.uk, vuln@secunia.com, red@heisec.de


    #######################################################################

                                 Luigi Auriemma

    Application: C'Nedra
                  http://www.cnedra.org
    Versions: <= 0.4.0
    Platforms: Windows and Unix
    Bug: buffer-overflow in READ_TCP_STRING
    Exploitation: remote, versus server
    Date: 26 May 2005
    Author: Luigi Auriemma
                  e-mail: aluigi@autistici.org
                  web: http://aluigi.altervista.org

    #######################################################################

    1) Introduction
    2) Bug
    3) The Code
    4) Fix

    #######################################################################

    ===============
    1) Introduction
    ===============

    C'Nedra is an open source virtual reality framework for the creation of
    various worlds and applications.

    #######################################################################

    ======
    2) Bug
    ======

    The network plugin is affected by a buffer-overflow in the function
    READ_TCP_STRING() located in game_message_functions.cpp and used to
    read the text strings received from the network.
    The function first reads a 32-bit number that specifies the size of the
    text string that follows and then copies that many bytes into a local
    buffer of only 100 bytes, without checking the size against the buffer.
    A string longer than 100 bytes therefore overflows the local buffer,
    allowing a remote attacker to execute malicious code on the server.
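    The following C program is an added example illustrating the pattern the
    advisory describes; it is a reconstruction, not C'Nedra's own code, and the
    names read_tcp_string_vulnerable(), read_tcp_string_safe() and build_message()
    are invented for it. It reads the length-prefixed string from an in-memory
    message rather than a socket, assumes a little-endian length field (the
    advisory does not state the byte order), and puts a length-checked reader
    beside the unchecked one. The messages it parses are constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the local buffer named in the advisory. */
#define STRING_BUF_SIZE 100

/* Byte order of the 32-bit length field is not stated in the advisory;
 * little-endian is assumed here. */
static uint32_t read_u32_le(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Reconstruction of the vulnerable pattern (not the project's code): the
 * attacker-supplied length becomes the copy size and is never compared with
 * the 100-byte stack buffer. Only call this with a length below 100. */
int read_tcp_string_vulnerable(const unsigned char *msg, size_t msg_len)
{
    char buf[STRING_BUF_SIZE];
    uint32_t len = read_u32_le(msg);   /* trusted as-is */
    (void)msg_len;                     /* received size never consulted */
    memcpy(buf, msg + 4, len);         /* overflows when len >= 100 */
    buf[len] = '\0';                   /* also out of bounds when len >= 100 */
    return (int)strlen(buf);
}

/* Hardened reader: rejects before copying if the string plus its terminator
 * would not fit, or if the declared length exceeds the bytes actually
 * received (a truncated or lying message). Returns 0 on success, -1 on error. */
int read_tcp_string_safe(const unsigned char *msg, size_t msg_len,
                         char *out, size_t out_size, size_t *consumed)
{
    if (msg_len < 4 || out_size == 0) return -1;
    uint32_t len = read_u32_le(msg);
    if (len >= out_size) return -1;       /* need room for the NUL */
    if (len > msg_len - 4) return -1;     /* payload not fully present */
    memcpy(out, msg + 4, len);
    out[len] = '\0';
    if (consumed) *consumed = 4 + (size_t)len;
    return 0;
}

/* Builds a constructed length-prefixed message; the declared length may
 * deliberately disagree with the payload actually included. */
size_t build_message(unsigned char *buf, size_t cap, uint32_t declared_len,
                     const char *payload, size_t payload_len)
{
    if (cap < 4 + payload_len) return 0;
    buf[0] = (unsigned char)(declared_len);
    buf[1] = (unsigned char)(declared_len >> 8);
    buf[2] = (unsigned char)(declared_len >> 16);
    buf[3] = (unsigned char)(declared_len >> 24);
    memcpy(buf + 4, payload, payload_len);
    return 4 + payload_len;
}

/* Benign message: declared length 5, payload "hello". Both readers accept it;
 * returns the bytes consumed by the hardened reader (9), or 0 on failure. */
size_t demo_benign(void)
{
    unsigned char msg[128];
    char out[STRING_BUF_SIZE];
    size_t used = 0;
    size_t n = build_message(msg, sizeof msg, 5, "hello", 5);
    if (read_tcp_string_safe(msg, n, out, sizeof out, &used) != 0) return 0;
    if (strcmp(out, "hello") != 0) return 0;
    if (read_tcp_string_vulnerable(msg, n) != 5) return 0;
    return used;
}

/* Hostile message: declared length 65536 with four payload bytes. Returns the
 * hardened reader's verdict (-1: rejected before any copy). The same bytes fed
 * to read_tcp_string_vulnerable() would memcpy 65536 bytes into 100. */
int demo_oversize(void)
{
    unsigned char msg[128];
    char out[STRING_BUF_SIZE];
    size_t n = build_message(msg, sizeof msg, 65536u, "AAAA", 4);
    return read_tcp_string_safe(msg, n, out, sizeof out, NULL);
}

/* Boundary check: declared length 99 fits (99 chars + NUL), 100 does not. */
int demo_boundary(uint32_t declared_len)
{
    unsigned char msg[256];
    char payload[128];
    char out[STRING_BUF_SIZE];
    if (declared_len > sizeof payload) return -2;
    memset(payload, 'B', sizeof payload);
    size_t n = build_message(msg, sizeof msg, declared_len, payload, declared_len);
    return read_tcp_string_safe(msg, n, out, sizeof out, NULL);
}

int main(void)
{
    printf("benign:   consumed=%zu\n", demo_benign());
    printf("oversize: safe=%d\n", demo_oversize());
    printf("len 99:   safe=%d, len 100: safe=%d\n",
           demo_boundary(99), demo_boundary(100));
    return 0;
}
```

    The order of the checks matters: the length is validated against both the
    destination size and the number of bytes actually received before memcpy()
    runs, so neither a huge declared length nor a short, truncated message can
    make the copy read or write outside its buffers.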

    #######################################################################

    ===========
    3) The Code
    ===========

    http://aluigi.altervista.org/poc/cnedrabof.zip

    #######################################################################

    ======
    4) Fix
    ======

    No fix.
    No reply from the developers.

    #######################################################################

    ---
    Luigi Auriemma
    http://aluigi.altervista.org

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/

