[NT] Skulltag Format String

Subject: [NT] Skulltag Format String
Date: 1 May 2006 14:10:18 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Skulltag Format String
------------------------------------------------------------------------


SUMMARY

 <http://www.skulltag.com> Skulltag is a well-known and well-supported Doom 
engine, mainly based on ZDoom and focused on online gaming. Unfortunately 
it is released as closed source, although it uses open source code.

The server is affected by a format string vulnerability which is 
exploitable when a client sends a malformed version string.

DETAILS

Vulnerable Systems:
 * Skulltag versions 0.96f and prior.

The following are the bugged instructions in the 0.96f executable:

* Reference To: MSVCRT.sprintf, Ord:02B2h
                                  |
:004DCCC3 8B3D30415900   mov edi, dword ptr [00594130]
:004DCCC9 8D4C2424       lea ecx, dword ptr [esp+24]
:004DCCCD 50             push eax      ; client's version
:004DCCCE 51             push ecx      ; buffer
:004DCCCF FFD7           call edi      ; sprintf()

which translates to:

sprintf(buffer, version_sent_by_the_client);

The exploitation happens "outside" the server, so banning and password 
restrictions do not limit the attacker. The only so-called obstacle is 
when the server is full, because it cannot be attacked while in that 
(rare) state. A note about possible code execution: the subsequent 
instructions call the strupr function, which converts almost all the 
characters in the string to upper case.

Proof of concept:
 <http://aluigi.altervista.org/poc/skulltagfs.zip> 

Patch Availability:
The developer has been contacted and has fixed the bug only in his private 
development version, which will probably be released this summer. So there 
is currently no official fix available.

Fix:
Fortunately the bug is simple enough to fix, so Luigi has created an 
unofficial patch which adds the format argument "%s" to the sprintf call. 
This is sufficient because the buffer cannot be overflowed (so there is no 
need for snprintf or "%.*s"):
 <http://aluigi.altervista.org/patches/skulltagfs-fix.zip> 
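As an added illustration (not code from the advisory, from Luigi's patch or from Skulltag), here is the hardened "%s" form of the sprintf call described above, together with a small server-side check that counts format directives in a client-supplied version string so that such handshakes can be logged. The buffer size, the snprintf length bound and the sample version strings are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size; the advisory does not state the real one. */
#define VERSION_BUF 64

/* Count the '%' conversion directives in an untrusted string. A client
 * version string should never contain any, so a non-zero count is worth
 * logging on the server side. "%%" is a literal percent and is not counted. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent, skip the pair */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Hardened form of the call shown in the advisory: the client data is passed
 * as a "%s" argument, so it is copied, never interpreted. Unlike the
 * unofficial patch this also bounds the write; that is an extra precaution
 * added here, not something the advisory says the real server needs.
 * Returns 0 on success, -1 if the version did not fit (output truncated). */
int build_version_string(char *buf, size_t bufsize, const char *client_version)
{
    int written = snprintf(buf, bufsize, "%s", client_version);
    return (written < 0 || (size_t)written >= bufsize) ? -1 : 0;
}

/* Demonstration on constructed handshake values. */
int main(void)
{
    char buf[VERSION_BUF];
    const char *good = "0.96f";
    const char *odd  = "0.96f %s%p";   /* constructed: contains directives */

    printf("\"%s\" -> %d directives\n", good, count_format_directives(good));
    printf("\"%s\" -> %d directives\n", odd, count_format_directives(odd));

    build_version_string(buf, sizeof buf, odd);
    printf("stored verbatim: %s\n", buf);   /* the %s%p is not expanded */
    return 0;
}
```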


ADDITIONAL INFORMATION

The information has been provided by <mailto:aluigi@autistici.org> Luigi 
Auriemma.


