Vavoom 'p_thinker.cpp' Buffer Overflow Vulnerability

Vulnerability ID: 1113512    Vulnerability type: buffer overflow
Published: 2007-08-24    Updated: 2007-08-27
CVE ID: CVE-2007-4534    CNNVD ID: CNNVD-200708-410
Platform: Multiple    CVSS score: 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/30528
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200708-410
|Vulnerability details
Vavoom is a port of the game Doom. The VThinker::BroadcastPrintf() function in Vavoom's p_thinker.cpp file contains a buffer overflow: if a user sends an overlong chat message, arbitrary code may be executed. The VStr::Resize() function in str.cpp contains an assertion error: if a user sends a specially crafted UDP packet containing the hexadecimal bytes 8002ff00 to the server's default port 26000, the server may crash.
|Exploit
source: http://www.securityfocus.com/bid/25436/info
  
Vavoom is prone to multiple remote vulnerabilities, including a buffer-overflow issue, a format-string issue, and a denial-of-service issue.
  
An attacker can exploit these issues to execute arbitrary code within the context of the affected application or crash the application, denying service to legitimate users.
  
Vavoom 1.24 is vulnerable; prior versions may also be affected. 

For the buffer-overflow vulnerability, the attacker opens the 'vavoom\basev\doom2\config.cfg' file, and adds the following lines: 'alias bof "say aaa...(992 'a's)...aaa" name ''aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'' '
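The overflow described in this record comes from formatting an overlong, user-controlled chat string into a fixed-size buffer. The following C++ sketch is an added illustration of the bounded pattern a maintainer would use instead; it is not Vavoom's code, and the buffer size kMaxBroadcastLen, the 200-character chat limit and the function names are assumptions. It uses vsnprintf with the buffer size, exposes a truncation flag the caller can check, applies a length and control-character policy to the chat text before it is ever formatted, and passes user text only as a %s argument, never as the format string (which is how the format-string issue in the same advisory class arises).

```cpp
#include <cstdarg>
#include <cstddef>
#include <cstdio>
#include <string>

// Assumed limit for one relayed broadcast line (Vavoom's real limit is not on the page).
constexpr size_t kMaxBroadcastLen = 256;

struct BroadcastResult {
    std::string text;   // what would actually be sent to clients
    bool truncated;     // true if the formatted line did not fit in the buffer
};

// Bounded replacement for a printf-style broadcast. vsnprintf never writes
// past the buffer; its return value is the length that *would* have been
// needed, so truncation can be detected and reported rather than silently
// corrupting adjacent memory.
BroadcastResult BroadcastPrintfSafe(const char* fmt, ...) {
    char buf[kMaxBroadcastLen];
    va_list ap;
    va_start(ap, fmt);
    int needed = std::vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);

    BroadcastResult r;
    r.truncated = needed < 0 || static_cast<size_t>(needed) >= sizeof buf;
    r.text = (needed < 0) ? std::string() : std::string(buf);
    return r;
}

// Input policy applied before formatting: reject chat payloads over the
// limit outright (hypothetical 200-character cap) and refuse control
// characters other than tab, so a hostile client cannot push the server to
// the edge of the buffer in the first place.
bool ChatMessageAcceptable(const std::string& msg, size_t max_len = 200) {
    if (msg.size() > max_len) return false;
    for (unsigned char c : msg) {
        if (c < 0x20 && c != '\t') return false;
    }
    return true;
}

// Relay a player's chat line. The player name and message are always
// arguments to a fixed format string, never the format string itself.
BroadcastResult RelayChat(const std::string& player, const std::string& msg) {
    if (!ChatMessageAcceptable(msg)) {
        return {std::string(), true};   // dropped: nothing is broadcast
    }
    return BroadcastPrintfSafe("%s: %s", player.c_str(), msg.c_str());
}
```

Calling RelayChat with a 992-character message (the length used in the published trigger) yields an empty, flagged result instead of an overflow; calling BroadcastPrintfSafe directly with the same input shows the formatted line cut at kMaxBroadcastLen - 1 characters with truncated set, which is the signal a server should log as a malformed-client event.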
|References

Source: SECUNIA
Name: 26554
Link: http://secunia.com/advisories/26554
Source: MISC
Link: http://aluigi.altervista.org/adv/vaboom2-adv.txt
Source: FEDORA
Name: FEDORA-2007-1977
Link: https://www.redhat.com/archives/fedora-package-announce/2007-September/msg00094.html
Source: MISC
Link: https://bugzilla.redhat.com/show_bug.cgi?id=256621
Source: BID
Name: 25436
Link: http://www.securityfocus.com/bid/25436
Source: SREASON
Name: 3057
Link: http://securityreason.com/securityalert/3057
Source: SECUNIA
Name: 26701
Link: http://secunia.com/advisories/26701