SecurityTracker.com
Category:   Application (Game)  >   Soldner - Secret Wars
Vendors:   JoWood Productions
Soldner - Secret Wars Various Bugs Let Remote Users Execute Arbitrary Code, Deny Service, and Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1012790
SecurityTracker URL:  http://securitytracker.com/id/1012790
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 6 2005
Impact:   Denial of service via network, Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): 30830 and prior versions
Description:   Luigi Auriemma reported several vulnerabilities in the 'Soldner - Secret Wars' game software. A remote user can execute arbitrary code on the game server. A remote user can also cause denial of service conditions or conduct cross-site scripting attacks.

A remote user can send a UDP packet with 1401 or more bytes to the target system to cause the listening socket to terminate. A demonstration exploit is available at:

http://aluigi.altervista.org/poc/soldnersock.zip
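
A receive loop that survives an oversized datagram, as an added example (not code from the game, the vendor, or the original advisory). It is a POSIX analogue: on Winsock the same condition is reported by recvfrom() as the WSAEMSGSIZE error, where here it shows up as the MSG_TRUNC flag. The 1400-byte buffer, the names recv_one and rx_stats, and the AF_UNIX socketpair used as a constructed offline input are assumptions.

```c
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>

#define MAX_PACKET 1400  /* assumed buffer size; the page only states 1401+ bytes is fatal */

struct rx_stats { int handled; int dropped_oversize; };

/* Receive one datagram: 1 = handled, 0 = oversize and dropped, -1 = socket error. */
static int recv_one(int fd, struct rx_stats *st)
{
    char buf[MAX_PACKET];
    struct iovec iov = { .iov_base = buf, .iov_len = sizeof buf };
    struct msghdr msg;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;

    ssize_t n = recvmsg(fd, &msg, 0);
    if (n < 0)
        return -1;                /* caller logs the error; never exit the thread silently */
    if (msg.msg_flags & MSG_TRUNC) {
        st->dropped_oversize++;   /* counted, so the admin can see it happened */
        return 0;                 /* drop this packet only and keep listening */
    }
    st->handled++;                /* a real server would parse buf[0..n) here */
    return 1;
}

/* Constructed scenario: a 1401-byte datagram followed by a normal one. */
static int demo_listener_survives(void)
{
    int sv[2];
    char big[MAX_PACKET + 1];
    struct rx_stats st = { 0, 0 };
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0) return -1;
    memset(big, 'A', sizeof big);
    if (send(sv[0], big, sizeof big, 0) < 0) return -1;
    if (send(sv[0], "hello", 5, 0) < 0) return -1;
    int first = recv_one(sv[1], &st);
    int second = recv_one(sv[1], &st);
    close(sv[0]); close(sv[1]);
    return first == 0 && second == 1 && st.dropped_oversize == 1 && st.handled == 1;
}

int main(void) { return demo_listener_survives() == 1 ? 0 : 1; }
```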

A remote user can send a message to the target game server containing format string characters to cause the game service to crash or potentially execute arbitrary code.

The administrative web interface log display does not properly filter HTML code from the server logs. A remote user can send a specially crafted message that will be logged by the system. Then, when the target administrator views the log files, arbitrary scripting code will be executed by the target administrator's browser. The code will originate from the site running the vulnerable software and will run in the security context of that site. As a result, the code will be able to access the target administrator's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target administrator via web form to the site, or take actions on the site acting as the target administrator.

Impact:   A remote user can execute arbitrary code on the target system.

A remote user can cause the target game service to crash.

A remote user can access the target administrator's cookies (including authentication cookies), if any, associated with the site running the vulnerable software, access data recently submitted by the target administrator via web form to the site, or take actions on the site acting as the target administrator.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.wingssimulations.com/
Cause:   Input validation error, State error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Socket termination, format string and XSS in Soldner Secret Wars


#######################################################################

                             Luigi Auriemma

              http://www.secretwars.net
Versions:     <= 30830
Platforms:    Windows
Bugs:         A] silent socket termination
              B] in-game format string
              C] in-game cross site scripting versus admin
Exploitation: remote, versus server (B and C are in-game bugs)
Date:         04 Jan 2005
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


(http://www.wingssimulations.com) and has been released in May 2004.


#######################################################################

=======
2) Bugs
=======

----------------------------
A] silent socket termination
----------------------------

The bug happens when the server receives a UDP packet of 1401 or more
bytes, causing the immediate termination of the listening thread due to
bad handling of the "message too long" socket error.
The termination of the socket is silent (no warning or messages) so
the admin cannot easily understand what has happened.


------------------------
B] in-game format string
------------------------

An attacker can crash or execute remote code on the game server simply
by sending a message containing format arguments (like the classical
%n%n%n).


--------------------------------------------
C] in-game cross site scripting versus admin
--------------------------------------------

remote administration of the servers.
This web interface also contains a screen (chat) in which all the
server logs are shown, including the messages exchanged by the users,
which are not filtered, so an attacker can execute HTML or JavaScript
code in the admin's browser.


#######################################################################

===========
3) The Code
===========

A] http://aluigi.altervista.org/poc/soldnersock.zip

B] %n%n%n

C] <script>alert("hello");</script>


#######################################################################

======
4) Fix
======


No fix.
No reply from the developers.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org
 
 



Copyright 2019, SecurityGlobal.net LLC