Netrek 2.12.0 - 'pmessage2()' Remote Limited Format String

EDB-ID:

3399


Platform:

Windows

Published:

2007-03-02

#######################################################################

                            Luigi Auriemma
Application:  Netrek
              http://www.netrek.org
Versions:     <= 2.12.0 (Vanilla server)
Platforms:    *nix and Windows
Bug:          format string
Exploitation: remote (in-game)
Date:         02 Mar 2007
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Netrek is a well known real-time strategy game inspired to Star Trek.

#######################################################################

======
2) Bug
======

The Vanilla server is affected by a format string vulnerability caused
by the calling of the pmessage2() function without the needed format
argument.

The bug is located in new_warning() and can be exploitated through the
locking of a player (the same attacker too) who is using a malformed
nickname.

Note that the EVENTLOG switch must be enabled for exploiting this
vulnerability (default is disabled).

from ntserv/warning.c:

void new_warning(int index, const char *fmt, ...) {

 char temp[150];

 va_list args;
 va_start(args, fmt);

 vsprintf(temp, fmt, args);

 ...

 if (eventlog) {

   char from_str[9]="WRN->\0\0\0";

   strcat(from_str, me->p_mapchars);
   pmessage2(0, 0, from_str, me->p_no, temp);
 }


#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/netrekfs.zip
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/3399.zip (03022007-netrekfs.zip)

#######################################################################

======
4) Fix
======

Version 2.12.1

#######################################################################


# milw0rm.com [2007-03-02]