SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Game)  >   Doomsday Engine Vendors:   Keranen, Jaakko
Doomsday Engine Format String Bugs in Con_Message() and Con_Printf() Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1015860
SecurityTracker URL:  http://securitytracker.com/id/1015860
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 4 2006
Impact:   Execution of arbitrary code via network, User access via network

Version(s): 1.8.6 and prior versions; current 1.9.0 version in SVN is also affected
Description:   Luigi Auriemma reported a vulnerability in the Doomsday Engine. A remote user can execute arbitrary code on the target system.

The Con_Message() and Con_Printf() functions contain format string vulnerabilities. A remote user can send specially crafted data containing format string specifiers to the target system to cause denial of service conditions or to execute arbitrary code on the target system.

As a demonstration exploit, a remote user can connect to port 13209 on the target system and supply the following data to cause the target game service to crash:

JOIN 1234 %n%n%n%n%n%n

Impact:   A remote user can execute arbitrary code on the target system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.doomsdayhq.com (Links to External Site)
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Format string in Doomsday 1.8.6


#######################################################################

                             Luigi Auriemma

Application:  Doomsday engine
              http://www.doomsdayhq.com
              http://deng.sourceforge.net
Versions:     <= 1.8.6 (and current SVN 1.9.0)
Platforms:    Windows, *nix, *BSD, Mac and others
Bug:          format string bug in Con_Message and Con_Printf
Exploitation: remote, versus server and clients
Date:         03 Apr 2006
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


The Doomsday engine is an enhanced and well known open source port of
the original Doom engine and is also one of the most played on
Internet.


#######################################################################

======
2) Bug
======


The Doomsday engine contains many functions used for the visualization
of the messages in the console.
Both Con_Message and conPrintf are vulnerable to a format string
vulnerability which could allow an attacker to execute malicious code
versus the server or the clients.
The first function calls a "Con_Printf(buffer)" while the second one
calls a "SW_Printf(prbuff)" if SW_IsActive is enabled (which means
ever).

>From Src/con_main.c:

void Con_Message(const char *message, ...)
{
	va_list argptr;
	char   *buffer;

	if(message[0])
	{
		buffer = malloc(0x10000);

		va_start(argptr, message);
		vsprintf(buffer, message, argptr);
		va_end(argptr);

#ifdef UNIX
		if(!isDedicated)
		{
			// These messages are supposed to be visible in the real console.
			fprintf(stderr, "%s", buffer);
		}
#endif

		// These messages are always dumped. If consoleDump is set,
		// Con_Printf() will dump the message for us.
		if(!consoleDump)
			printf("%s", buffer);

		// Also print in the console.
		Con_Printf(buffer);

		free(buffer);
	}
	Con_DrawStartupScreen(true);
}

...

void conPrintf(int flags, const char *format, va_list args)
{
	unsigned int i;
	int     lbc;				// line buffer cursor
	char   *prbuff, *lbuf = malloc(maxLineLen + 1);
	cbline_t *line;

	if(flags & CBLF_RULER)
	{
		Con_AddRuler();
		flags &= ~CBLF_RULER;
	}

	// Allocate a print buffer that will surely be enough (64Kb).
	// FIXME: No need to allocate on EVERY printf call!
	prbuff = malloc(65536);

	// Format the message to prbuff.
	vsprintf(prbuff, format, args);

	if(consoleDump)
		fprintf(outFile, "%s", prbuff);
	if(SW_IsActive())
		SW_Printf(prbuff);
    ...



#######################################################################

===========
3) The Code
===========


Connect with telnet to port 13209 (default) of a DoomsDay server and
type:

  JOIN 1234 %n%n%n%n%n%n

The server will crash immediately.


#######################################################################

======
4) Fix
======


No fix.
No reply from the developers.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC