[NEWS] BZFlag Server DoS



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



BZFlag Server DoS
------------------------------------------------------------------------


SUMMARY

BZFlag <http://www.bzflag.org> is "a great and well known open source
multiplayer tank game".

The BZFlag server can be made to crash by sending it an undelimited string,
which it then handles badly.

DETAILS

Vulnerable Systems:
* BZFlag version 2.0.4 and prior

The callsigns used by the clients are not checked or re-delimited by the
server, so it is possible for a client to pass a callsign with no NULL bytes
at its end, causing problems (a crash) in the server while it handles this
string.

On both Linux and Windows for x86 (using the precompiled packages) the
server crash was reached without problems, but it is possible that in some
configurations the crash happens only after many tries, or never,
depending on how memory is handled on that platform.

The bug can also be exploited against password-protected servers without
knowing the correct password.
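
The missing server-side check described above, as an added example (not BZFlag's code and not the CVS patch). The field width CALLSIGN_LEN and the function name unpack_callsign are assumptions made for illustration; the sample packets in main() are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CALLSIGN_LEN 32 /* assumed fixed width of the wire field */

/*
 * Copy a fixed-width callsign field out of a received packet and re-delimit it.
 * Returns the callsign length, or -1 when the packet is too short or the field
 * arrived without a NUL terminator (the caller should reject that client).
 * dst always holds a NUL-terminated string on return.
 */
int unpack_callsign(const unsigned char *pkt, size_t pkt_len, size_t off,
                    char dst[CALLSIGN_LEN])
{
    dst[0] = '\0';
    /* Bounds check written so that off + CALLSIGN_LEN cannot overflow. */
    if (off > pkt_len || pkt_len - off < CALLSIGN_LEN)
        return -1;

    memcpy(dst, pkt + off, CALLSIGN_LEN);

    /* memchr is bounded by the field width; strlen() here would keep
     * reading past the field when the client sent no terminator. */
    const char *nul = memchr(dst, '\0', CALLSIGN_LEN);
    if (nul == NULL) {
        dst[CALLSIGN_LEN - 1] = '\0'; /* keep later str* calls in bounds */
        return -1;
    }
    return (int)(nul - dst);
}

int main(void)
{
    unsigned char ok[CALLSIGN_LEN] = "tank";  /* constructed: NUL padded */
    unsigned char bad[CALLSIGN_LEN];          /* constructed: no NUL byte */
    char name[CALLSIGN_LEN];

    memset(bad, 'A', sizeof bad);
    printf("terminated field   -> %d\n", unpack_callsign(ok, sizeof ok, 0, name));
    printf("unterminated field -> %d\n", unpack_callsign(bad, sizeof bad, 0, name));
    printf("truncated packet   -> %d\n", unpack_callsign(bad, 10, 0, name));
    return 0;
}
```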

Proof of Concept:
http://aluigi.altervista.org/poc/bzflagboom.zip

Fix:
As noted in the "Author" field, the CVS version was already patched more
than two months ago.


ADDITIONAL INFORMATION

The information has been provided by Luigi Auriemma
<mailto:aluigi@xxxxxxxxxxxxx>.
The original article can be found at: http://aluigi.altervista.org


