The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Buffer Overflow and NULL Pointer Crash in Genecys
------------------------------------------------------------------------
SUMMARY
Genecys is an open source MMORPG project.
There are two remotely exploitable vulnerabilities discovered in Genecys.
DETAILS
Vulnerable Systems:
* Genecys versions 0.2 and prior.
tell_player_surr_changes buffer-overflow:
The function tell_player_surr_changes is affected by a buffer-overflow
which could allow an attacker to execute malicious code. The problem is
caused by the usage of sprintf and strcat on buffers of 256 bytes.
From server/player.c:
int tell_player_surr_changes(event_t *event)
{
pl_known_t *known, *knext;
object_t *obj;
char buf[256], buf2[256],b2[40];
obj = event->initiator;
for (known=TAILQ_FIRST(&obj->pl->known); known != NULL; known = knext)
{
knext = TAILQ_NEXT(known, next);
if (!event->action)
known->lu--;
if (known->bits > 0) {
sprintf(buf, "chob id:%s", uid_sprint(b2, &known->uid));
if (known->bits & PLKN_NROF) {
sprintf(buf2, " nrof:%d", known->nrof);
strcat(buf, buf2);
}
if (known->bits & PLKN_STATE) {
sprintf(buf2, " st:%d", known->state);
strcat(buf, buf2);
}
if (known->bits & PLKN_NAME) {
sprintf(buf2, " nm:\"%s\"", known->name);
strcat(buf, buf2);
}
if (known->bits & PLKN_NAMEPL) {
sprintf(buf2, " nmp:\"%s\"", known->name_pl);
strcat(buf, buf2);
}
if (known->bits & PLKN_MODEL) {
sprintf(buf2, " mdl:\"%s\"", known->model);
strcat(buf, buf2);
}
...
Note: has not been possible to test this bug in practice due to some
problems while running my test server.
parse_command NULL pointer crash:
The function which parses the commands sent by the client doesn't check
the return value of a strchr call used for parsing the commands and their
values (CMD:VAL). If the attacker doesn't use the ':' char the server will
crash due to the access to a NULL pointer.
From common/netparser.c:
pargs_t *parse_command(char **words, int *command, int count)
{
argtable_t *asp, dummy;
char *cp, *tmp, *p;
size_t span;
...
args = safer_malloc(sizeof(pargs_t)*numargs);
cur = 0;
for (i=1; i < count && words[i] != NULL && *words[i]; i++) {
span = strcspn(words[i], ":");
tmp = strchr(words[i], ':');
tmp++;
...
Proof of Concept:
Can be downloaded here:
<http://aluigi.org/poc/genecysbof.zip>
http://aluigi.org/poc/genecysbof.zip
Fix:
No fix.
No reply from the developers... the game seems no longer supported.
ADDITIONAL INFORMATION
The information has been provided by <mailto:aluigi@autistici.org> Luigi
Auriemma.
The original article can be found at: <http://aluigi.org>
http://aluigi.org
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
