Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Game)  >   Typespeed Vendors:   Ollikainen, Jani
Typespeed Game Buffer Overflow in Networking Code Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1006987
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 14 2003
Impact:   Execution of arbitrary code via network, User access via network

Version(s): 0.4.1 and prior versions
Description:   A vulnerability was reported in the Typespeed typing game software. A remote user can gain root privileges on the system.

Bazarr reported that a buffer overflow resides in the net_swapscore() function in the 'network.c' file. A remote user can reportedly overflow the heap and execute arbitrary code when the game is used in network mode.

[Editor's note: The vendor's Readme file indicates that the network mode is "buggy."]

Impact:   A remote user can execute arbitrary code with the privileges of the user running Typespeed.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 17 2003 (Debian Issues Fix) Typespeed Game Buffer Overflow in Networking Code Lets Remote Users Execute Arbitrary Code
Debian has released a fix.

 Source Message Contents


Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

read da attached advisory for remote vulnerability in popular used application. 

Content-Type: text/plain; name=bazarr-episode-5.txt
Content-Transfer-Encoding: 7bit
Content-Disposition: ATTACHMENT; filename=bazarr-episode-5.txt

/* typespeed server <=v0.4.1 remote root vulnerability!			*/
/* by: bazarr								*/
/*							*/
/* bazarr episode #5							*/


>caddis< i just be messing wid you man relax 
--- caddis :No such nick/channel

after reading tutorial on html programmering , i have redesigned website it now cover all features of real website.
it have many a cool content now! 

after a long series of elaborate emails wid lcamtuf it has become apparent dat it is up to me and him to save full disclosure from
we are forming a group called FHAB or fire hot asian boys(it a house hold name). at the moment it is me lcamtuf and a half mexican
 from alaska-
who just idles in #!FHAB all day long. tuf in da process of auditing many a opensshd functions while i be auditing many a setgid uucp
 true64 applications. 
together we form ultimate team and we able to find all blackhat bugs around da entire globe and stop dem from hacking anymore openbsd

dis be an advisory for remote typespeed vulnerability on debian x.x and everyone else around da world.

lets take a look at man page output:

       Typespeed gives your fingers' cps (total and correct), typoratio and some points to compare with your friends.
       Typespeed's idea is ripped from ztspeed (a dos game made by Zorlim). Idea of the game should be clear to anyone, just type
 and type it fast, or be a lewser.

       Notice:  the  speed  of words going across the screen has been changed in version 0.4.0. Scores are not comparable with older
 versions now. See the README file for more
       detailed information.

now many a security researcher may remember dat martin@debian security team released advisory for typespeed and he got rid of all
 buffer overflows 
in typespeed. WRONG. typespeed did have many a command line overflows but a glance at da source code and i spot elaborate remote buffer
 overflow bug.

now we all know dat typespeed was science project for college student who now is off at programming job and dont care about typespeed
so he cannot be expected to deliver patch for typespeed. it is up to debian to deliver da patch. i be glad he got B+ for typespeed

lets take a look at terminal session for a second: 

thuglife@debian$ pwd
thuglife@debian$ ls -al /usr/games/typespeed 
-rwxr-sr-x    1 root     games       32092 Jan  4  2002 /usr/games/typespeed

now some of you thinking dat 'oh wow another gid games bug , go audit qpopper or somthing you jackass' 
and to that i say: 
shut up high on PCP voice in my head, because dis is remote gid games not local! and i'll audit qpopper when i finish UNP (not including
 xti part) 


dis be a remote gid games bug , it 0day too so you be able to hack many a boxes wid it. 

now i am off to da land of source code where der be many a nice bugs to take care of and 
release back into wild where dey can roam free from blackhat abuse.  dis be a copy and paste out of my bug file 
(it encrypted so dont hack my box to steal dis unless you can break rot96 devloped by me) 


file: /usr/games/typespeed , remote bug martin missed

src location: network.c

code snip:

void net_swapscore(int typesock, stats_struct *stat,stats_struct *stat2)

        char buf[60];
        int x,i;
        char *temp,*temp2;
        char *number;

        sprintf(buf,"SCORE: %d %f %f %f\n",stat->score,stat->speed,stat->totalspeed,stat->ratio);

        i=send(typesock, buf, strlen(buf), 0);

        strcpy(buf,"                                                           "); //HACKLOG what da hell is dis!
        while(1) {

                i = recv(typesock, buf, 59, MSG_PEEK);
                if (i == -1 && errno != EWOULDBLOCK) {
                if (i > 0) {
                        recv(typesock, buf, strlen(buf) + 1, 0);
                        if(strstr(buf,"SCORE:") > 0) {

        number=malloc(10*sizeof(char)); //HACKLOG dis mallocs ten cuz sizeof(char) garonteed to be 1 byte (it 2 bytes on mips i dink)
        temp=malloc(80*sizeof(char));	//HACKLOG dis mallocs 80 

        for(x=7;x<=strlen(buf);x++) {
          temp[i]=buf[x]; //HACKLOG temp 80 bytes so it can hold big 59 byte buf

        strncpy(number,temp,strcspn(temp," ")); //HACKLOG strncpy so it secure 
        stat2->score=strtol(number, NULL, 10);	//HACKLOG WAIT , STRNCPY BUT IT USE STRCSPN , WHAT DA HELL IS STRCSPN


after period of 9 hours studying strcspn() manpage i am able to report dat der be a buffer overflow in typespeed. 
here copy and paste of strcspn() manpage:

       size_t strcspn(const char *s, const char *reject);
       The strcspn() function calculates the length of the initial segment of s which consists entirely of characters not in reject.

dis mean dat we can overflow buffer 'number' with buffer 'temp' which is buffer 'buf' and buffer 'buf' is 60 bytes while buffer number
 is 10. 
dis mean dat we have heap overflow on our hands and dis is serious issue. ALPHA TANGO WHISKY NINER WE GOT A CODE ZERO BUFFER OVEFLOW
see i prove dat just cuz author use strncpy does not mean dat he secure from attack of buf too big attack. 


too many a bugs in typespeed to patch dis year , sorry!
but if you really want to den go talk to martin , it his job not mine!
i just report da bugs not patch dem, i am like mean bus driver i wont help you if im on my lunch break!


it possible to code xploit using small read code but i not wasting time on dis sorry. 


dis aint my job! 


debian 3.0 - default install!#$
FreeBSD - ports?
NetBSD - ports?
OpenBSD - ports?

all user who have typespeed installed. (whole globe)


irix you in trouble in next episode(lsd not only kid on block wid commerical unix!) 

would you belive dat der has been patches buy deb team wich actually added locally xploitable bugs to gain root on multiple distros
it may be too early in bazarr season to discuss dis issue , sorry! it confidential! 

debian be a great gnu linux distro despite security holes. it wonderful. i use it forever. 


irc-bazarr - hello der fake bazarr's , i know you must like me very much to imposter me so i give you a greet.
remember dat da real bazarr (me) NEVER uses public irc under name 'bazarr'. i am sorry for abuse caused by fake bazarrs
but dat aint me sorry. fake bazarrs include: some guy from free shell provider and bell somthing. 

yourname - send me email and i pick a random name to be put in here!

realbazarr - it amazing dat young boy wid twinkle in his eye and foot in his ass can gain so much fame so quickly. 

documentry - im sad to report dat ring member documentry has to come to an end because dave censor too much. 
dat mean you missing many a cool ring member captures such as da palmers capture which prove he a wild one. 

*palmers* i cannot get rid of the impression that you are the only one who knows about your ring
>palmers< ok you playing hard ball
>palmers< i can be your best friend or your worst enemy
>palmers< its a long cold road to travel down
*palmers* oh, what do you mean by that?
>palmers< nothing i just kidding!


remember dat i am constantly working on more and more bleeding edge security vulnerablitys for dis communtity. 
it a change from my-hello-world-ftpd fmt string and cross site scripting vulnerabilitys reported by 24 year old
i be exposing more buffer too big attacks , int too big attacks , the revolutionary int too small attack, and the very private 
size_t -1 attack which will be discussed in detail very very soon in a paper i be writing intitled "Is my buffer too small?" and 
will be placed in /misc on my wonderful website , so plz check dat often!

bye guys i have to go now it has been fun. though it time for me to 
clean my room and feed my ginnie pig named fuzbal , the class let me take him home for a week,
but i never give him back. never. 




Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, LLC