From jon at radscan.com Sat Mar 3 15:46:07 2007
From: jon at radscan.com (Jon Trulson)
Date: Sat, 3 Mar 2007 15:46:07 -0700 (MST)
Subject: [conquest] Re: security bugs in conquest
In-Reply-To: <20070302193046.d1f22b0d.aluigi@autistici.org>
References: <20070302193046.d1f22b0d.aluigi@autistici.org>
Message-ID:

On Fri, 2 Mar 2007, Luigi Auriemma wrote:

>
> Hey,
>
> I have found a couple of bugs in the latest version of the Conquest
> client 8.2a
>

Damn :)

> The problems are the following:
>
> 1)
> stack buffer-overflow in metaGetServerList
> the buffer of 1024 bytes called buf can be overflowed by a server entry
> longer than that size.
> there is also an overflow in the servers buffer but it's static and so
> it doesn't seem possible to use this bug for executing malicious code.
>
> from meta.c:
>
>     int metaGetServerList(char *remotehost, metaSRec_t **srvlist)
>     {
>       static metaSRec_t servers[META_MAXSERVERS];
>       ...
>       char buf[1024];           /* server buffer */
>
>       ...
>
>       off = 0;
>       while (read(s, &c, 1) > 0)
>         {
>           if (c != '\n')
>             {
>               buf[off++] = c;
>             }
>           else
>             {                   /* we got one */
>               buf[off] = 0;
>
>               /* convert to a metaSRec_t */
>               if (str2srec(&servers[nums], buf))
>                 nums++;
>       ...
>

Ok, that was stupid. Will fix.

>
> 2)
> memory corruption with SP_CLIENTSTAT
> the instructions which handle this type of packet don't sanitize the
> snum and unum value passed by the server.
> the problem of snum is more simple and quick to see since it's handled
> immediately when the packet is received allowing the writing of a byte
> (scstat->team) in some memory positions outside the Ship structure:
>
> from client.c:
>
>     void processPacket(Unsgn8 *buf)
>     ...
>         case SP_CLIENTSTAT:
>           scstat = (spClientStat_t *)buf;
>           Context.snum = scstat->snum;
>           Context.unum = (int)ntohs(scstat->unum);
>           Ships[Context.snum].team = scstat->team;
>           clientFlags = scstat->flags;
>           break;
>     ...
>
> Let me know if you need other info.
>

Yeah, this problem is all over the place as well.
Will fix these too for the next release (8.2b).

> I await your reply.
>

Thanks for finding these! If you find any more, please do not hesitate to
let me know...

-- 
Jon Trulson mailto:jon at radscan.com
#include "No Kill I" -Horta


From god.000 at gmail.com Thu Mar 8 00:15:36 2007
From: god.000 at gmail.com (Almighty Tallest Cataboligne)
Date: Thu, 8 Mar 2007 07:15:36 +0000
Subject: [conquest] fun stuff
In-Reply-To: <45AD2D32.7010703@gravitic.com>
References: <45AD2D32.7010703@gravitic.com>
Message-ID:

More goodies, since things seem pretty quiet.

pretty much despise best buy these days...
http://aptops.engadget.com/2007/03/03/best-buys-secret-intranet-site-exposed/

for all you loyal stormtroopers out there.
http://www.websurdity.com/2007/02/28/uncomfortable-questions-was-the-death-star-attack-an-inside-job/

pet rocks...it wasn't just another fad.
http://www.belowtopsecret.com/thread222778/pg1

http://www.wonderlandblog.com/wonderland/2007/02/crochet_atari.html

http://www.wonderlandblog.com/wonderland/2007/03/piracy_poster.html

I will get this map converted to some version of quake...
http://www.wonderlandblog.com/wonderland/2007/03/fawlty_towers_c.html

LOL, think I've heard about this game before, mebbe even played it.
http://jeremiahpalecek.blogspot.com/2007/02/advanced-dungeons-dragons-hillsfar.html

for linux users jealous of the mac's slick new desktop eye candy.
personally I want a desktop that isn't a resource hog and doesn't take up
1/2 gig of disk space.
http://www.beryl-project.org/features.php

_-=* Cataboligne

-- 
----------------------------------------------
      3  |  4
   2    \|/    5
   ------*----> 1   Thing is facing this direction
        /|\
   6     |     8
         7
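Worked through as an added C example, the two client fixes Jon promises for 8.2b in the thread above (the metaGetServerList overflow and the unchecked SP_CLIENTSTAT indices): this is illustration code written for this page, not Conquest's own code and not from either poster. The values of META_MAXSERVERS, MAXSHIPS and MAXUSERS, the layouts of metaSRec_t, Ship_t, Context and spClientStat_t, the one-line str2srec stand-in, and the in-memory stream that replaces the meta-server socket are all constructed here so the code runs offline; the real definitions are in the project's headers.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for the Conquest constants and types named in the
 * report; the real definitions live in the project's headers. */
#define META_MAXSERVERS 8
#define MAXSHIPS        20
#define MAXUSERS        100
typedef struct { char line[1024]; } metaSRec_t;    /* stand-in server record */
typedef struct { int team; } Ship_t;               /* only the field touched */
static Ship_t Ships[MAXSHIPS];
static struct { int snum, unum; } Context;

/* Stand-in for str2srec(): any non-empty line counts as a record. */
static int str2srec(metaSRec_t *rec, const char *buf)
{
    if (buf[0] == '\0') return 0;
    memcpy(rec->line, buf, strlen(buf) + 1);       /* buf is at most 1023 chars */
    return 1;
}

/* In-memory byte source standing in for read(s, &c, 1) on the meta socket. */
typedef struct { const unsigned char *data; size_t len, pos; } stream_t;

static int read_byte(stream_t *s, unsigned char *c)
{
    if (s->pos >= s->len) return 0;                /* EOF, like read() == 0 */
    *c = s->data[s->pos++];
    return 1;
}

/* Hardened form of the loop quoted from meta.c: off never reaches the last
 * byte of buf, an over-long line is drained and discarded instead of written
 * past the buffer, and nums never exceeds the size of servers[]. */
int metaGetServerList_hardened(stream_t *s, metaSRec_t *servers, int maxservers)
{
    char buf[1024];
    size_t off = 0;
    int nums = 0, overlong = 0;
    unsigned char c;

    while (read_byte(s, &c)) {
        if (c != '\n') {
            if (off < sizeof(buf) - 1)
                buf[off++] = (char)c;
            else
                overlong = 1;                      /* keep draining, drop line */
            continue;
        }
        buf[off] = '\0';                           /* off <= 1023: in bounds */
        if (!overlong && nums < maxservers && str2srec(&servers[nums], buf))
            nums++;
        off = 0;
        overlong = 0;
    }
    return nums;
}

/* Run a feed of len bytes through the hardened reader, return records kept. */
int count_server_records(const char *feed, size_t len)
{
    metaSRec_t servers[META_MAXSERVERS];
    stream_t s = { (const unsigned char *)feed, len, 0 };
    return metaGetServerList_hardened(&s, servers, META_MAXSERVERS);
}

/* Constructed feed: one 1500-byte line (enough to overrun the original
 * 1024-byte buf) followed by a normal record. The first is dropped, the
 * second kept, and nothing outside buf is written. */
int overlong_line_demo(void)
{
    char feed[1504];
    memset(feed, 'x', 1500);
    memcpy(feed + 1500, "\nok\n", 4);
    return count_server_records(feed, sizeof feed);
}

/* Constructed wire layout for SP_CLIENTSTAT (the real struct is in the protocol
 * headers); snum is signed here so a negative index is exercised as well. */
typedef struct { uint8_t type; int8_t snum; uint8_t team, flags; uint16_t unum; }
    spClientStat_t;                                /* unum in network byte order */

/* Hardened form of the SP_CLIENTSTAT case from client.c: the server-supplied
 * indices are range-checked before Context and Ships[] are touched.
 * Returns 1 if the packet was applied, 0 if it was rejected untouched. */
int handle_client_stat(const spClientStat_t *scstat)
{
    int snum = scstat->snum;
    int unum = (int)ntohs(scstat->unum);

    if (snum < 0 || snum >= MAXSHIPS) return 0;
    if (unum < 0 || unum >= MAXUSERS) return 0;
    Context.snum = snum;
    Context.unum = unum;
    Ships[snum].team = scstat->team;
    return 1;
}

/* Build a packet from host-order values and run it through the handler. */
int apply_client_stat(int snum, int unum, int team)
{
    spClientStat_t pkt = { 0, (int8_t)snum, (uint8_t)team, 0,
                           htons((uint16_t)unum) };
    return handle_client_stat(&pkt);
}
```

Two design points carry over to the real client regardless of the constructed types: a line that does not fit the buffer is drained to its newline and dropped rather than truncated and parsed (a truncated record would silently change its meaning), and a rejected SP_CLIENTSTAT packet leaves Context and Ships[] exactly as they were, so a bad index from the server cannot partially apply.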