SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Game)  >   Typespeed Vendors:   Ollikainen, Jani
Typespeed Game Buffer Overflow in Networking Code Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1006987
SecurityTracker URL:  http://securitytracker.com/id/1006987
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 14 2003
Impact:   Execution of arbitrary code via network, User access via network

Version(s): 0.4.1 and prior versions
Description:   A vulnerability was reported in the Typespeed typing game software. A remote user can gain root privileges on the system.

Bazarr reported that a buffer overflow resides in the net_swapscore() function in the 'network.c' file. A remote user can reportedly overflow the heap and execute arbitrary code when the game is used in network mode.

[Editor's note: The vendor's Readme file indicates that the network mode is "buggy."]

Impact:   A remote user can execute arbitrary code with the privileges of the user running Typespeed.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.sicom.fi/~bestis/typespeed.html (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Jun 17 2003 (Debian Issues Fix) Typespeed Game Buffer Overflow in Networking Code Lets Remote Users Execute Arbitrary Code
Debian has released a fix.



 Source Message Contents

Subject:  BAZARR THUG LIFE , DONT READ OR VIRUS INFECT YOU


------=_Part_765_15522818.1055455853375
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

read da attached advisory for remote vulnerability in popular used application. 

-bazarr 
------=_Part_765_15522818.1055455853375
Content-Type: text/plain; name=bazarr-episode-5.txt
Content-Transfer-Encoding: 7bit
Content-Disposition: ATTACHMENT; filename=bazarr-episode-5.txt

/* typespeed server <=v0.4.1 remote root vulnerability!			*/
/* by: bazarr								*/
/* bazarr@ziplip.com							*/
/* bazarr episode #5							*/


----------------------
PREFACE

>caddis< i just be messing wid you man relax 
--- caddis :No such nick/channel

after reading tutorial on html programmering , i have redesigned website it now cover all features of real website.
it have many a cool content now!

http://geocities.com/rrazab 

after a long series of elaborate emails wid lcamtuf it has become apparent dat it is up to me and him to save full disclosure from
 blackhats. 
we are forming a group called FHAB or fire hot asian boys(it a house hold name). at the moment it is me lcamtuf and a half mexican
 from alaska-
who just idles in #!FHAB all day long. tuf in da process of auditing many a opensshd functions while i be auditing many a setgid uucp
 true64 applications. 
together we form ultimate team and we able to find all blackhat bugs around da entire globe and stop dem from hacking anymore openbsd
 devlopers. 

dis be an advisory for remote typespeed vulnerability on debian x.x and everyone else around da world.

lets take a look at man page output:

DESCRIPTION
       Typespeed gives your fingers' cps (total and correct), typoratio and some points to compare with your friends.
       Typespeed's idea is ripped from ztspeed (a dos game made by Zorlim). Idea of the game should be clear to anyone, just type
 and type it fast, or be a lewser.

       Notice:  the  speed  of words going across the screen has been changed in version 0.4.0. Scores are not comparable with older
 versions now. See the README file for more
       detailed information.

now many a security researcher may remember dat martin@debian security team released advisory for typespeed and he got rid of all
 buffer overflows 
in typespeed. WRONG. typespeed did have many a command line overflows but a glance at da source code and i spot elaborate remote buffer
 overflow bug.

now we all know dat typespeed was science project for college student who now is off at programming job and dont care about typespeed
 anymore. 
so he cannot be expected to deliver patch for typespeed. it is up to debian to deliver da patch. i be glad he got B+ for typespeed
 though. 

lets take a look at terminal session for a second: 

thuglife@debian$ pwd
/home/thuglife/.elm/pornstash
thuglife@debian$ ls -al /usr/games/typespeed 
-rwxr-sr-x    1 root     games       32092 Jan  4  2002 /usr/games/typespeed
thuglife@debian$ 

now some of you thinking dat 'oh wow another gid games bug , go audit qpopper or somthing you jackass' 
and to that i say: 
shut up high on PCP voice in my head, because dis is remote gid games not local! and i'll audit qpopper when i finish UNP (not including
 xti part) 

...

dis be a remote gid games bug , it 0day too so you be able to hack many a boxes wid it. 

now i am off to da land of source code where der be many a nice bugs to take care of and 
release back into wild where dey can roam free from blackhat abuse.  dis be a copy and paste out of my bug file 
(it encrypted so dont hack my box to steal dis unless you can break rot96 devloped by me) 

#109

file: /usr/games/typespeed , remote bug martin missed

src location: network.c

code snip:

void net_swapscore(int typesock, stats_struct *stat,stats_struct *stat2)
{

        char buf[60];
        int x,i;
        char *temp,*temp2;
        char *number;

        sprintf(buf,"SCORE: %d %f %f %f\n",stat->score,stat->speed,stat->totalspeed,stat->ratio);

        i=send(typesock, buf, strlen(buf), 0);

        strcpy(buf,"                                                           "); //HACKLOG what da hell is dis!
									
        while(1) {

                i = recv(typesock, buf, 59, MSG_PEEK);
                if (i == -1 && errno != EWOULDBLOCK) {
                        endcursestuff();
                        perror("recv()");
                        exit(1);
                }
                if (i > 0) {
                        recv(typesock, buf, strlen(buf) + 1, 0);
                        if(strstr(buf,"SCORE:") > 0) {
                                break;
                        }
                }
        }

        number=malloc(10*sizeof(char)); //HACKLOG dis mallocs ten cuz sizeof(char) garonteed to be 1 byte (it 2 bytes on mips i dink)
 
        temp=malloc(80*sizeof(char));	//HACKLOG dis mallocs 80 

        i=0;
        for(x=7;x<=strlen(buf);x++) {
          temp[i]=buf[x]; //HACKLOG temp 80 bytes so it can hold big 59 byte buf
          i++;
        }


        strncpy(number,temp,strcspn(temp," ")); //HACKLOG strncpy so it secure 
        stat2->score=strtol(number, NULL, 10);	//HACKLOG WAIT , STRNCPY BUT IT USE STRCSPN , WHAT DA HELL IS STRCSPN
        free(number);

	THE REST BE USELESS

after period of 9 hours studying strcspn() manpage i am able to report dat der be a buffer overflow in typespeed. 
here copy and paste of strcspn() manpage:

...
       size_t strcspn(const char *s, const char *reject);
       .... 
DISCRIPTION:
       ...
       The strcspn() function calculates the length of the initial segment of s which consists entirely of characters not in reject.

dis mean dat we can overflow buffer 'number' with buffer 'temp' which is buffer 'buf' and buffer 'buf' is 60 bytes while buffer number
 is 10. 
dis mean dat we have heap overflow on our hands and dis is serious issue. ALPHA TANGO WHISKY NINER WE GOT A CODE ZERO BUFFER OVEFLOW
 IN CODE. 
see i prove dat just cuz author use strncpy does not mean dat he secure from attack of buf too big attack. 

----------------------
PATCH 

too many a bugs in typespeed to patch dis year , sorry!
but if you really want to den go talk to martin , it his job not mine!
i just report da bugs not patch dem, i am like mean bus driver i wont help you if im on my lunch break!

----------------------
XPLOIT

it possible to code xploit using small read code but i not wasting time on dis sorry. 

----------------------
VENDORS NOTIFYED 

dis aint my job! 

----------------------
VENDORS VULNERABLE

debian 3.0 - default install!#$
FreeBSD - ports?
NetBSD - ports?
OpenBSD - ports?

all user who have typespeed installed. (whole globe)

----------------------
ADVANCE WARNING

irix you in trouble in next episode(lsd not only kid on block wid commerical unix!) 

would you belive dat der has been patches buy deb team wich actually added locally xploitable bugs to gain root on multiple distros
 wid?
it may be too early in bazarr season to discuss dis issue , sorry! it confidential! 

debian be a great gnu linux distro despite security holes. it wonderful. i use it forever. 

----------------------
GREETS

irc-bazarr - hello der fake bazarr's , i know you must like me very much to imposter me so i give you a greet.
remember dat da real bazarr (me) NEVER uses public irc under name 'bazarr'. i am sorry for abuse caused by fake bazarrs
but dat aint me sorry. fake bazarrs include: some guy from free shell provider and bell somthing. 

yourname - send me email and i pick a random name to be put in here!

realbazarr - it amazing dat young boy wid twinkle in his eye and foot in his ass can gain so much fame so quickly. 

documentry - im sad to report dat ring member documentry has to come to an end because dave censor too much. 
dat mean you missing many a cool ring member captures such as da palmers capture which prove he a wild one. 

*palmers* i cannot get rid of the impression that you are the only one who knows about your ring
>palmers< ok you playing hard ball
>palmers< i can be your best friend or your worst enemy
>palmers< its a long cold road to travel down
*palmers* oh, what do you mean by that?
>palmers< nothing i just kidding!

----------------------
BYE

remember dat i am constantly working on more and more bleeding edge security vulnerablitys for dis communtity. 
it a change from my-hello-world-ftpd fmt string and cross site scripting vulnerabilitys reported by 24 year old fl4ppyw1lly@hotmail.com.
 
i be exposing more buffer too big attacks , int too big attacks , the revolutionary int too small attack, and the very private 
size_t -1 attack which will be discussed in detail very very soon in a paper i be writing intitled "Is my buffer too small?" and 
will be placed in /misc on my wonderful website , so plz check dat often!

bye guys i have to go now it has been fun. though it time for me to 
clean my room and feed my ginnie pig named fuzbal , the class let me take him home for a week,
but i never give him back. never. 

-bazarr




------=_Part_765_15522818.1055455853375--


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC