Alien Arena 2007 Remote Format String and Denial of Service Vulnerabilities

Vulnerability ID: 1113576    Vulnerability type: Format string
Published: 2007-09-05    Updated: 2009-02-05
CVE ID: CVE-2007-4754    CNNVD-ID: CNNVD-200709-070
Platform: Multiple    CVSS score: 7.5
|Sources
https://www.exploit-db.com/exploits/30566
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200709-070
|Details
Alien Arena 2007 is an open-source first-person shooter built on the GPL'd Quake 2 engine code. Alien Arena 2007 mishandles malformed request data, and a remote attacker can exploit this to cause a denial of service or take control of the system.

Format string: the safe_bprintf function in Alien Arena 2007 calls gi.cprintf incorrectly. It first formats the message into bigbuffer and then passes bigbuffer itself as the format argument of gi.cprintf, so conversion directives in attacker-supplied text are interpreted a second time. A player nickname containing format directives therefore reaches cprintf as a format string, which allows execution of arbitrary code. The vulnerable code in game/acesrc/acebot_cmds.c:

    void safe_bprintf(int printlevel, char *fmt, ...)
    {
        int       i;
        char      bigbuffer[0x10000];
        int       len;
        va_list   argptr;
        edict_t  *cl_ent;

        va_start(argptr, fmt);
        len = vsprintf(bigbuffer, fmt, argptr);
        va_end(argptr);

        if (dedicated->value)
            gi.cprintf(NULL, printlevel, bigbuffer);      /* bigbuffer used as format */

        for (i = 0; i < maxclients->value; i++)
        {
            cl_ent = g_edicts + 1 + i;
            if (!cl_ent->inuse || cl_ent->is_bot)
                continue;
            gi.cprintf(cl_ent, printlevel, bigbuffer);    /* bigbuffer used as format */
        }
    }

Denial of service: when queried, the game server returns a large amount of information, including the list of current players and their IP addresses. With that information, an attacker can send a client_connect command to each of those IP addresses and ports, disconnecting every client from the server.
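The following is an added example, not code from Alien Arena or from the advisory: a minimal model of the safe_bprintf() bug described above next to its fixed form. The engine's gi.cprintf is replaced by a stand-in, model_cprintf(), which is an assumption for this example; like the real gi.cprintf, its third argument is a printf-style format string. The nickname used is constructed; "%%" is chosen because it is the one directive that produces a deterministic, defined result with no arguments, so it shows the second interpretation pass without undefined behaviour. has_format_directive() is a small added check that flags text unsafe to pass as a format string.

```c
/* Added example (not Alien Arena's own code): model of the safe_bprintf()
 * format string bug in game/acesrc/acebot_cmds.c and its fix.
 * model_cprintf() stands in for the engine's gi.cprintf (assumed API). */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for gi.cprintf: the third argument is a printf-style format,
 * not plain text, so whatever is passed there gets interpreted. */
static void model_cprintf(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* Vulnerable shape: bigbuffer, which already contains attacker-controlled
 * text (the nickname), is handed to cprintf as the *format* argument.
 * The original used vsprintf; vsnprintf is used here only so the model
 * cannot overflow, the format string bug is the same. */
void safe_bprintf_vulnerable(char *out, size_t outlen, const char *fmt, ...)
{
    char bigbuffer[0x10000];
    va_list argptr;
    va_start(argptr, fmt);
    vsnprintf(bigbuffer, sizeof bigbuffer, fmt, argptr);
    va_end(argptr);
    model_cprintf(out, outlen, bigbuffer);      /* second format pass over user data */
}

/* Fixed shape: the already-formatted text is passed as an argument to a
 * constant "%s" format, so nothing inside it is interpreted. */
void safe_bprintf_fixed(char *out, size_t outlen, const char *fmt, ...)
{
    char bigbuffer[0x10000];
    va_list argptr;
    va_start(argptr, fmt);
    vsnprintf(bigbuffer, sizeof bigbuffer, fmt, argptr);
    va_end(argptr);
    model_cprintf(out, outlen, "%s", bigbuffer); /* user data is an argument, not a format */
}

/* Returns 1 if s contains a conversion directive (a '%' that is not the
 * escape "%%"), i.e. text that must never be used as a format string. */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed nickname. A real attacker would use %x / %n to read or
     * write memory; "%%" is used here because its result is well defined. */
    const char *nick = "%%";
    char out[128];

    safe_bprintf_vulnerable(out, sizeof out, "%s entered the game\n", nick);
    printf("vulnerable: %s", out);   /* "% entered the game": "%%" was interpreted */

    safe_bprintf_fixed(out, sizeof out, "%s entered the game\n", nick);
    printf("fixed:      %s", out);   /* "%% entered the game": passed through intact */

    printf("nick \"%%n%%n\" contains a directive: %d\n", has_format_directive("%n%n"));
    return 0;
}
```

The fix is the same one applied to every cprintf-family call that receives a buffer already containing user data: pass the buffer as an argument behind a constant "%s" format. The has_format_directive() check is useful for a server-side assertion or log filter, but it is not a substitute for the fix, since any future code path that forwards the nickname into a format would reintroduce the bug.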
|Exploit
source: http://www.securityfocus.com/bid/25559/info

Alien Arena 2007 is prone to multiple remote vulnerabilities, including a denial-of-service vulnerability and a format-string vulnerability.

Successfully exploiting these issues will allow an attacker to execute arbitrary code within the context of the affected application or to disconnect users from the game server.

Alien Arena 2007 6.10 is vulnerable; other versions may also be affected.

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/30566.zip
|References

Source: XF
Name: alienarena-safebprintf-format-string (36463)
Link: http://xforce.iss.net/xforce/xfdb/36463
Source: BID
Name: 25559
Link: http://www.securityfocus.com/bid/25559
Source: BUGTRAQ
Name: 20070905 Format string and clients disconnection in Alien Arena 2007 6.10
Link: http://www.securityfocus.com/archive/1/archive/1/478628/100/0/threaded
Source: MISC
Link: http://www.quakesrc.org/forums/viewtopic.php?t=6843&start=1
Source: OSVDB
Name: 40507
Link: http://osvdb.org/40507
Source: FULLDISC
Name: 20070905 Format string and clients disconnection in Alien Arena 2007 6.10
Link: http://archives.neohapsis.com/archives/fulldisclosure/2007-09/0049.html
Source: VUPEN
Name: ADV-2007-3169
Link: http://www.frsirt.com/english/advisories/2007/3169
Source: SREASON
Name: 3105
Link: http://securityreason.com/securityalert/3105
Source: SECUNIA
Name: 26819
Link: http://secunia.com/advisories/26819
Source: MISC
Link: http://aluigi.altervista.org/adv/aa2k7x-adv.txt