[Full-disclosure] Buffer-overflow and crash in FlatFrag 0.3

From: Luigi Auriemma (aluigi_at_autistici.org)
Date: Wed, 2 Nov 2005 20:46:23 +0100
To: bugtraq@securityfocus.com, bugs@securitytracker.com, news@securiteam.com, full-disclosure@lists.grok.org.uk, vuln@secunia.com


    #######################################################################

                                 Luigi Auriemma

    Application: FlatFrag
                  http://www.tzi.de/~jfk/projects/flatfrag/
    Versions: <= 0.3
    Platforms: Windows, Linux and more
    Bugs: A] buffer-overflow
                  B] NULL pointer crash
    Exploitation: remote, versus server
    Date: 02 Nov 2005
    Author: Luigi Auriemma
                  e-mail: aluigi@autistici.org
                  web: http://aluigi.altervista.org

    #######################################################################

    1) Introduction
    2) Bugs
    3) The Code
    4) Fix

    #######################################################################

    ===============
    1) Introduction
    ===============

    FlatFrag is an open source multiplayer tank game developed by Johannes
    Kuhlmann.

    #######################################################################

    =======
    2) Bugs
    =======

    ------------------
    A] buffer-overflow
    ------------------

    The receiver() function in server/loop.c contains three buffer overflows,
    caused by the use of strcpy() to copy the version, the name and the
    model sent by the client into three buffers of 64, 32 and 32 bytes
    respectively.

    ---------------------
    B] NULL pointer crash
    ---------------------

    When the server receives the NT_CONN_OK command from an unconnected
    client it calls net_on_receive(NULL, NULL), a function pointer whose
    target reads the data contained in the stream passed as second argument.
    The problem lies solely in the NULL pointers passed to the function,
    which lead to the immediate crash of the server.

    #######################################################################

    ===========
    3) The Code
    ===========

    http://aluigi.altervista.org/poc/flatfragz.zip

    #######################################################################

    ======
    4) Fix
    ======

    No fix.
    The bugs will be patched in the next version.

    #######################################################################

    ---
    Luigi Auriemma
    http://aluigi.altervista.org
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
