SecurityTracker.com
Category:   Application (Game)  >   Mtp Target
Vendors:   mtp-target.org
Mtp Target Format String and Integer Overflow Bugs Let Remote Users Deny Service
SecurityTracker Alert ID:  1013856
SecurityTracker URL:  http://securitytracker.com/id/1013856
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 2 2005
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 1.2.2 and prior versions
Description:   Luigi Auriemma reported two vulnerabilities in Mtp Target. A remote user can cause the server to crash. A remote user can also cause connected clients to crash or potentially execute arbitrary code.

The client implementation contains a format string error in the processing of messages from other game users and from game text. A remote user can send a specially crafted message to cause all connected clients to crash or potentially execute arbitrary code.

The server implementation includes an integer overflow in the NeL library that is triggered by a negative value. A remote user can send a specially crafted value to cause the server to crash.

A demonstration exploit is available at:

http://aluigi.altervista.org/poc/mtpbugs.zip

The vendor has been notified.

Impact:   A remote user can cause the server to crash.

A remote user can also cause connected clients to crash or potentially execute arbitrary code.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.mtp-target.org/
Cause:   Boundary error, Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Clients format string and server crash in Mtp-Target 1.2.2



#######################################################################

                             Luigi Auriemma

Application:  Mtp-Target
              http://www.mtp-target.org
Versions:     <= 1.2.2
Platforms:    Windows and Linux
Bugs:         A] clients format string
              B] server crash
Exploitation: remote, versus both server and clients
Date:         01 May 2005
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Mtp-Target is a nice open source and multiplatform clone of the Monkey
Target minigame and uses the NeL library
(http://www.nevrax.org/tiki-index.php?page=NeL).


#######################################################################

=======
2) Bugs
=======

------------------------
A] clients format string
------------------------

The clients of the game are affected by a format string during the
visualization of the messages received from the other users or of any
other text that appears in the upper console.
With a single message an attacker is able to exploit all the clients
connected to a server.


---------------
B] server crash
---------------

This bug is located in the NeL library but after some tests made by the
NeL developers it seems that only Mtp-Target is vulnerable (probably
because the pre-compiled versions use an old version of the library,
the mystery has not been solved).

Anyway there is a signed comparison that verifies if the amount of
memory to allocate (a parameter passed by the client) is greater than
1000000 bytes. If an attacker passes a negative value the check is
bypassed and the system tries to allocate this huge amount of memory
through a call to STLport.
The result is an exception that terminates the server.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/mtpbugs.zip


#######################################################################

======
4) Fix
======


No fix.

I was in contact with the developers of this game (who also have a
public game server) but I have no longer received replies from them, so
I have no idea if and when a patch will be released.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org
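
The signed length check described under bug B, shown beside a hardened form. This is an added example, not code from the advisory, NeL or Mtp-Target. Only the 1000000 limit comes from the advisory; the 4-byte little-endian length prefix, the function names and the sample message are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_LEN 1000000 /* limit quoted in the advisory */

/* Assumed framing for this example only: 4-byte little-endian length prefix. */
static int32_t read_len(const uint8_t *p) {
    uint32_t v = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                 (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return (int32_t)v; /* reinterpreted as signed, as in the flawed check */
}

/* Flawed pattern: only the upper bound is tested, on a signed value.
 * Returns 0 if accepted; *out is the size that would reach the allocator. */
int flawed_alloc_size(const uint8_t *msg, size_t *out) {
    int32_t len = read_len(msg);
    if (len > MAX_LEN)
        return -1;
    *out = (size_t)len; /* a negative len converts to a huge size_t */
    return 0;
}

/* Hardened: treat the field as unsigned, then bound it by the limit
 * and by the number of payload bytes actually present. */
int checked_alloc_size(const uint8_t *msg, size_t msg_size, size_t *out) {
    if (msg_size < 4)
        return -1;
    uint32_t len = (uint32_t)read_len(msg);
    if (len > MAX_LEN || len > msg_size - 4)
        return -1;
    *out = len;
    return 0;
}

int main(void) {
    /* Constructed sample: length field 0xFFFFFFFF, i.e. -1 as int32_t. */
    const uint8_t neg[8] = {0xFF, 0xFF, 0xFF, 0xFF, 'd', 'a', 't', 'a'};
    size_t n = 0;
    int rc = flawed_alloc_size(neg, &n);
    printf("flawed:   rc=%d, allocator would be asked for %zu bytes\n", rc, n);
    rc = checked_alloc_size(neg, sizeof neg, &n);
    printf("hardened: rc=%d (rejected)\n", rc);
    return 0;
}
```

The same bounds test also works as a detection rule on the receiving side: any length field with the top bit set, or larger than the bytes that follow it, is worth logging before the message is dropped.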
 
 



Copyright 2019, SecurityGlobal.net LLC