[NT] ENet Library Multiple Vulnerabilities

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



ENet Library Multiple Vulnerabilities
------------------------------------------------------------------------


SUMMARY

<http://lists.cubik.org/mailman/listinfo/enet-discuss> ENet is a powerful
open source library for handling UDP connections (it can be defined almost
a sort of TCP over UDP). It is widely used in some games and engines like
Cube, Sauerbraten, Duke3d_w32 and others.

DETAILS

Invalid memory access (32 bit):
ENet uses 32 bit numbers for almost all the parameters in its packets,
like fragments offset, data size, timestamps, challenge numbers and so on.
Each packet received by the library (enet_host_service) is handled by the
enet_protocol_handle_incoming_commands function. This function uses a
pointer (currentData) which points to the current command, each packet can
contain one or more commands which describe operations like a connection
request, an acknowledge, a fragment, a message and more. The instruction
which checks this pointer to avoid that it points over the received packet
can be eluded through a big (negative on 32 bit CPU) header.commandLength
parameter. After having bypassed the check currentData will point to an
invalid zone of the memory and when the cycle will continue on the
subsequent command (commandCount must be major than one) the application
will crash.

64 bit CPUs should be not vulnerable.

From enet_protocol_handle_incoming_commands in protocol.c:
...
currentData = host -> receivedData + sizeof (ENetProtocolHeader);

while (commandCount > 0 &&
currentData < & host -> receivedData [host ->
receivedDataLength])
{
command = (ENetProtocol *) currentData;
if (currentData + sizeof (ENetProtocolCommandHeader) > & host ->
receivedData [host -> receivedDataLength])
return 0;

command -> header.commandLength = ENET_NET_TO_HOST_32 (command ->
header.commandLength);
if (currentData + command -> header.commandLength > & host ->
receivedData [host -> receivedDataLength])
return 0;

-- commandCount;
currentData += command -> header.commandLength;
...

Allocation abort with fragment:
ENet supports also the handling of fragments used to build the messages
bigger than the receiver's MTU. When a fragment is received the library
allocates the total message size in memory so it can easily rebuild all
the subsequent fragments in this buffer.
If the total data size specified by the attacker cannot be allocated, the
library calls abort() and all the program terminates.

From enet_protocol_handle_send_fragment in protocol.c:
...
startCommand = enet_peer_queue_incoming_command (peer,
& hostCommand,
enet_packet_create
(NULL, totalLength, ENET_PACKET_FLAG_RELIABLE),
fragmentCount);


The Code:
<http://aluigi.altervista.org/poc/enetx.zip>
http://aluigi.altervista.org/poc/enetx.zip

Fix:
No fix.
No reply from the developers.


ADDITIONAL INFORMATION

The information has been provided by <mailto:aluigi@xxxxxxxxxxxxx> Luigi
Auriemma.
The original article can be found at: <http://aluigi.altervista.org>
http://aluigi.altervista.org



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages