Jason Boettcher Liero Xtreme格式化字符串漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1195824 漏洞类型 格式化字符串
发布时间 2006-03-08 更新时间 2006-03-09
CVE编号 CVE-2006-1075 CNNVD-ID CNNVD-200603-119
漏洞平台 N/A CVSS评分 7.5
|漏洞来源
https://cxsecurity.com/issue/WLB-2006030046
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200603-119
|漏洞详情
在JasonBoettcherLieroXtreme0.62b及其早期版本中存在可视化函数中的格式化字符串漏洞,远程攻击者可以通过以下途径执行任意代码:在(1)一个别名,(2)一个专用服务器名,或(3)在级别(aka.lxl)文件中的地图名称中的格式化字符串限定符。
|漏洞EXP
#######################################################################

Luigi Auriemma

Application:  Liero Xtreme
              http://lieroxtreme.thegaminguniverse.com
Versions:     <= 0.62b
Platforms:    Windows
Bugs:         A] server crash/freeze
              B] format string in the visualization function
Exploitation: A] remote, versus server
              B] local/remote, versus clients
Date:         06 Mar 2006
Author:       Luigi Auriemma
              e-mail: aluigi (at) autistici (dot) org [email concealed]
              web:    http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Liero Xtreme (aka Lierox) is a freeware clone of the classic DOS game
called Liero, and is mainly focused on the possibility of expanding and
customizing the game through mods, levels and skins.
Both LAN and Internet multiplayer (through the master server) are
supported.

#######################################################################

=======
2) Bugs
=======

----------------------
A] server crash/freeze
----------------------

The server can be easily crashed or freezed using a long string with
the "connect" command.
The problem is caused by the instructions used by the game for handling
the data of this command which in some cases lead to the immediate
crash of the server or a loop which freezes the game.

----------------------------------------------
B] format string in the visualization function
----------------------------------------------

The client's function which visualizes the messages on the screen
(0x004052d0) is affected by a format string vulnerability which can be
used to execute malicious code.
Exist different ways for exploiting this bug but the most interesting
are the following:
- joining a server using a properly formatted nickname (like %n%n%n%n
  or %02000x) which will be visualized by all the clients currently in
  the server and all the others which will join when the attacker is
  playing.
  In this type of exploitaion if the server is protected by password
  the attacker must know the right keyword.
- hosting a dedicated server visible on the master server (default)
  with a formatted name, so any client which will enter in the "Join
  Internet Server" menu will be exploited immediately.
- creating a level file (.lxl extension) with a properly formatted
  mapname.
  Due to the leaning of the game for modding this exploitation is very
  good too.

#######################################################################

===========
3) The Code
===========

http://aluigi.altervista.org/poc/lieroxxx.zip

For the bug B my proof-of-concept exploits only the first method I have
explained, for the other two is enough to:

- open the configconfig.cfg file and add %03000x where is specified
  the server's name (Server.Name) and then launch the dedicated server
- take the "userdatalevelsDirt Level.lxl" file and overwrite the
  bytes at offset 36 with the string %03000x

#######################################################################

======
4) Fix
======

No fix.
No reply from the developers.

#######################################################################

--- 
Luigi Auriemma
http://aluigi.altervista.org
|参考资料

来源:BUGTRAQ
名称:20060306MultiplevulnerabilitiesinLieroXtreme0.62b
链接:http://www.securityfocus.com/archive/1/archive/1/426864/100/0/threaded
来源:VUPEN
名称:ADV-2006-0849
链接:http://www.frsirt.com/english/advisories/2006/0849
来源:MISC
链接:http://aluigi.altervista.org/adv/lieroxxx-adv.txt
来源:XF
名称:liero-visualization-format-string(25187)
链接:http://xforce.iss.net/xforce/xfdb/25187
来源:BID
名称:16990
链接:http://www.securityfocus.com/bid/16990
来源:SREASON
名称:549
链接:http://securityreason.com/securityalert/549
来源:SECUNIA
名称:19079
链接:http://secunia.com/advisories/19079