[NEWS] Doomsday Format String



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Doomsday Format String
------------------------------------------------------------------------


SUMMARY

The <http://www.doomsdayhq.com/> Doomsday engine is an enhanced and well
known open source port of the original Doom engine and is also one of the
most played on Internet.

Doomsday engine is vulnerable to a Format String vulnerability, allowing
remote code execution on the server or connected clients.

DETAILS

The Doomsday engine contains many functions used for the visualization of
the messages in the console. Both Con_Message and conPrintf are vulnerable
to a format string vulnerability which could allow an attacker to execute
malicious code versus the server or the clients. The first function calls
a "Con_Printf(buffer)" while the second one calls a "SW_Printf(prbuff)" if
SW_IsActive is enabled (which means ever).

Proof of concept:
Connect with telnet to port 13209 (default) of a DoomsDay server and type:
JOIN 1234 %n%n%n%n%n%n
The server will crash immediately.

Vulnerable code (Src/con_main.c):
void Con_Message(const char *message, ...)
{
va_list argptr;
char *buffer;

if(message[0])
{
buffer = malloc(0x10000);

va_start(argptr, message);
vsprintf(buffer, message, argptr);
va_end(argptr);

#ifdef UNIX
if(!isDedicated)
{
// These messages are supposed to be visible in
the real console.
fprintf(stderr, "%s", buffer);
}
#endif

// These messages are always dumped. If consoleDump is
set,
// Con_Printf() will dump the message for us.
if(!consoleDump)
printf("%s", buffer);

// Also print in the console.
Con_Printf(buffer);

free(buffer);
}
Con_DrawStartupScreen(true);
}

..

void conPrintf(int flags, const char *format, va_list args)
{
unsigned int i;
int lbc; // line buffer cursor
char *prbuff, *lbuf = malloc(maxLineLen + 1);
cbline_t *line;

if(flags & CBLF_RULER)
{
Con_AddRuler();
flags &= ~CBLF_RULER;
}

// Allocate a print buffer that will surely be enough (64Kb).
// FIXME: No need to allocate on EVERY printf call!
prbuff = malloc(65536);

// Format the message to prbuff.
vsprintf(prbuff, format, args);

if(consoleDump)
fprintf(outFile, "%s", prbuff);
if(SW_IsActive())
SW_Printf(prbuff);
...

Fix:
No fix, no reply from the developers.


ADDITIONAL INFORMATION

The information has been provided by <mailto:aluigi@xxxxxxxxxxxxx> Luigi
Auriemma.
The original article can be found at:
<http://aluigi.altervista.org/adv/doomsdayfs-adv.txt>
http://aluigi.altervista.org/adv/doomsdayfs-adv.txt



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • [NT] McAfee WebShield SMTP Format String
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... A format string vulnerability exists within the McAfee WebShield SMTP ...
    (Securiteam)
  • [NT] Lst Network Print Server Format String and Buffer Overflow
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Lst Network Print Server Format String and Buffer Overflow ...
    (Securiteam)
  • [NEWS] Format String in Netrek
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Format String in Netrek ... A format string vulnerability was discovered in the Netrek game server. ...
    (Securiteam)
  • [NEWS] Sparklet Format String
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... using a format string vulnerability in Sparklet. ... The game is affected by a format string vulnerability located in the ... Through this bug an attacker on a server or a client (the server is not ...
    (Securiteam)
  • [UNIX] Dropbear SSH Server Format String Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... A remotely exploitable format string vulnerability exists in the default ... configuration of the Dropbear SSH Server up until version 0.35, ... will fail before the vulnerable code is executed, but the methodname may ...
    (Securiteam)