Warzone Resurrection recvTextMessage函数基于堆栈的缓冲区溢出

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1194016 漏洞类型 缓冲区溢出
发布时间 2006-07-25 更新时间 2006-08-28
CVE编号 CVE-2006-3849 CNNVD-ID CNNVD-200607-412
漏洞平台 N/A CVSS评分 7.5
|漏洞来源
https://cxsecurity.com/issue/WLB-2006070120
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200607-412
|漏洞详情
Warzone2100和WarzoneResurrection2.0.3及之前版本存在基于堆栈的缓冲区溢出。远程攻击者可以借助(1)由multiplay.c中的recvTextMessage函数处理的长消息,或(2)由netplay/netplay.c中的NETrecvFile函数处理的长文件名,执行任意代码。
|漏洞EXP
#######################################################################

Luigi Auriemma

Application:  Warzone Resurrection
              http://home.gna.org/warzone/
              (Warzone 2100 http://www.strategyplanet.com/warzone2100/)
Versions:     <= 2.0.3 and SVN <= 127
Platforms:    Windows, *nix, *BSD and others
Bug:          A] buffer-overflow in recvTextMessage
              B] buffer-overflow in NETrecvFile
Exploitation: A] remote, versus server
              B] remote, versus client
Date:         22 Jul 2006
Author:       Luigi Auriemma
              e-mail: aluigi (at) autistici (dot) org [email concealed]
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Warzone 2100 is a well known commercial game developed by Pumpkin
Studios and released under the GPL license at the end of 2004.
Warzone Resurrection is the project which continues the development and
the maintaining of this game.

#######################################################################

======
2) Bug
======

-------------------------------------
A] buffer-overflow in recvTextMessage
-------------------------------------

recvTextMessage is the function used by the server for handling the
text messages sent by the clients.
This function uses the msg buffer, which has a size of 256
(MAX_CONSOLE_STRING_LENGTH) bytes, for containing the entire message to
send to all the other clients using the following format:

player_name : message

The size of the data block can be max 8000 (MaxMsgSize) bytes so an
attacker can cause a buffer-overflow for crashing the server or
executing malicious code.

From src/multiplay.c:

BOOL recvTextMessage(NETMSG *pMsg)
{
    DPID    dpid;
    UDWORD  i;
    STRING  msg[MAX_CONSOLE_STRING_LENGTH];

NetGet(pMsg,0,dpid);
    for(i = 0; NetPlay.players[i].dpid != dpid; i++);
//findplayer

strcpy(msg,NetPlay.players[i].name);
// name
    strcat(msg," : ");
// seperator
    strcat(msg, &(pMsg->body[4]));
    ...

---------------------------------
B] buffer-overflow in NETrecvFile
---------------------------------

The NETrecvFile function used by the clients for downloading remote
files is affected by a buffer-overflow caused by the copying of a
string of max 255 bytes in the fileName buffer of only 128 bytes.

From lib/netplay/netplay.c:

UBYTE NETrecvFile(NETMSG *pMsg)
{
    UDWORD          pos, fileSize, currPos, bytesRead;
    char            fileName[128];
    unsigned int        len;
    static PHYSFS_file  *pFileHandle;

//read incoming bytes.
    NetGet(pMsg,0,fileSize);
    NetGet(pMsg,4,bytesRead);
    NetGet(pMsg,8,currPos);

// read filename
    len = (unsigned int)(pMsg->body[12]);
    memcpy(fileName,&(pMsg->body[13]),len);
    ...

#######################################################################

===========
3) The Code
===========

A]
modify sendTextMessage using a message of more than 256 bytes

B]
modify sendMap using a map of more than 128 bytes

#######################################################################

======
4) Fix
======

SVN 128

#######################################################################

--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org
|参考资料

来源:VUPEN
名称:ADV-2006-2943
链接:http://www.frsirt.com/english/advisories/2006/2943
来源:XF
名称:warzone-netrecvfile-bo(27915)
链接:http://xforce.iss.net/xforce/xfdb/27915
来源:XF
名称:warzone-recvtextmessage-bo(27910)
链接:http://xforce.iss.net/xforce/xfdb/27910
来源:BID
名称:19118
链接:http://www.securityfocus.com/bid/19118
来源:BUGTRAQ
名称:20060723Buffer-overflowinrecvTextMessageandNETrecvFileinWarzoneResurrection2.0.3(SVN127)
链接:http://www.securityfocus.com/archive/1/archive/1/441039/100/0/threaded
来源:GENTOO
名称:GLSA-200608-16
链接:http://www.gentoo.org/security/en/glsa/glsa-200608-16.xml
来源:SECUNIA
名称:21474
链接:http://secunia.com/advisories/21474
来源:MISC
链接:http://aluigi.altervista.org/adv/warzonebof-adv.txt
来源:SREASON
名称:1283
链接:http://securityreason.com/securityalert/1283