[NEWS] Doomsday Format String
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 4 Apr 2006 11:06:17 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
- - - - - - - - -
Doomsday Format String
The <http://www.doomsdayhq.com/> Doomsday engine is an enhanced and well
known open source port of the original Doom engine and is also one of the
most played on Internet.
Doomsday engine is vulnerable to a Format String vulnerability, allowing
remote code execution on the server or connected clients.
The Doomsday engine contains many functions used for the visualization of
the messages in the console. Both Con_Message and conPrintf are vulnerable
to a format string vulnerability which could allow an attacker to execute
malicious code versus the server or the clients. The first function calls
a "Con_Printf(buffer)" while the second one calls a "SW_Printf(prbuff)" if
SW_IsActive is enabled (which means ever).
Proof of concept:
Connect with telnet to port 13209 (default) of a DoomsDay server and type:
JOIN 1234 %n%n%n%n%n%n
The server will crash immediately.
Vulnerable code (Src/con_main.c):
void Con_Message(const char *message, ...)
buffer = malloc(0x10000);
vsprintf(buffer, message, argptr);
// These messages are supposed to be visible in
the real console.
fprintf(stderr, "%s", buffer);
// These messages are always dumped. If consoleDump is
// Con_Printf() will dump the message for us.
// Also print in the console.
void conPrintf(int flags, const char *format, va_list args)
unsigned int i;
int lbc; // line buffer cursor
char *prbuff, *lbuf = malloc(maxLineLen + 1);
if(flags & CBLF_RULER)
flags &= ~CBLF_RULER;
// Allocate a print buffer that will surely be enough (64Kb).
// FIXME: No need to allocate on EVERY printf call!
prbuff = malloc(65536);
// Format the message to prbuff.
vsprintf(prbuff, format, args);
fprintf(outFile, "%s", prbuff);
No fix, no reply from the developers.
The information has been provided by <mailto:aluigi@xxxxxxxxxxxxx> Luigi
The original article can be found at:
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [TOOL] PIRANA - Email Content Filters Exploitation Framework
- Next by Date: [UNIX] Barracuda Spam Firewall Archiver Vulnerabilities
- Previous by thread: [TOOL] PIRANA - Email Content Filters Exploitation Framework
- Next by thread: [UNIX] Barracuda Spam Firewall Archiver Vulnerabilities