[conquest] Re: security bugs in conquest

Jon Trulson jon at radscan.com
Sat Mar 3 15:46:07 MST 2007


On Fri, 2 Mar 2007, Luigi Auriemma wrote:

>
> Hey,
>
> I have found a couple of bugs in the latest version of the Conquest
> client 8.2a
>

         Damn :)

> The problems are the following:
>
> 1)
> stack buffer-overflow in metaGetServerList
> the buffer of 1024 bytes called buf can be overflowed by a server entry
> longer than that size.
> there is also an overflow in the servers buffer but it's static and so it
> doesn't seem possible to use this bug for executing malicious code.
>
> from meta.c:
>
> int metaGetServerList(char *remotehost, metaSRec_t **srvlist)
> {
>  static metaSRec_t servers[META_MAXSERVERS];
>  ...
>  char buf[1024];               /* server buffer */
>
>  ...
>
>  off = 0;
>  while (read(s, &c, 1) > 0)
>    {
>      if (c != '\n')
>        {
>          buf[off++] = c;
>        }
>      else
>        {                       /* we got one */
>          buf[off] = 0;
>
>          /* convert to a metaSRec_t */
>          if (str2srec(&servers[nums], buf))
>            nums++;
>  ...
>

         Ok, that was stupid.  Will fix.

>
> 2)
> memory corruption with SP_CLIENTSTAT
> the instructions which handle this type of packet don't sanitize the
> snum and unum value passed by the server.
> the problem of snum is simpler and quicker to see since it's handled
> immediately when the packet is received, allowing the writing of a byte
> (scstat->team) to some memory positions outside the Ship structure:
>
> from client.c:
>
> void processPacket(Unsgn8 *buf)
>    ...
>    case SP_CLIENTSTAT:
>      scstat = (spClientStat_t *)buf;
>      Context.snum = scstat->snum;
>      Context.unum = (int)ntohs(scstat->unum);
>      Ships[Context.snum].team = scstat->team;
>      clientFlags = scstat->flags;
>      break;
>    ...
>
> Let me know if you need other info.
>

         Yeah, this problem is all over the place as well.  Will fix
         these too for the next release (8.2b).

> I await your reply.
>

         Thanks for finding these!  If you find any more, please do not
         hesitate to let me know...

-- 
Jon Trulson
mailto:jon at radscan.com 
#include <std/disclaimer.h>
"No Kill I" -Horta
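The two reports above describe the same class of defect twice: a value that arrives from the network (a line of unknown length, a ship index) is used to index a fixed-size buffer without a check. The following is an added example, not code from the Conquest project or from either author; it shows the bounded form of the meta.c line loop (a line that would not fit is dropped and counted, and no more than the table size is ever stored) and a bounds check for the SP_CLIENTSTAT ship index. `META_MAXSERVERS`, `MAXSHIPS`, the `metaSRec_t`/`Ship` layouts, `str2srec_stub`, and the in-memory byte source standing in for the socket `read()` are all assumptions for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define META_MAXSERVERS 4        /* assumed small table size for the demo */
#define LINE_BUF 1024            /* same buffer size as the quoted meta.c */
#define MAXSHIPS 20              /* assumed */

typedef struct { char name[64]; } metaSRec_t;   /* stand-in for the real record */
typedef struct { unsigned char team; } Ship;    /* only the field the report touches */

/* Constructed byte source standing in for the socket read(s, &c, 1) loop */
typedef struct { const unsigned char *data; size_t len, pos; } byte_src_t;

static int src_read(byte_src_t *s, unsigned char *c)
{
    if (s->pos >= s->len) return 0;
    *c = s->data[s->pos++];
    return 1;
}

/* Stand-in for str2srec(): accept any non-empty line, copy it bounded */
static int str2srec_stub(metaSRec_t *rec, const char *line)
{
    if (line[0] == '\0') return 0;
    snprintf(rec->name, sizeof(rec->name), "%s", line);
    return 1;
}

/* Hardened line loop. Compared with the quoted meta.c code:
 *  - a line that would not fit in buf (plus its NUL) is discarded whole
 *    and counted in *overlong instead of being written past buf;
 *  - at most maxservers records are stored, so the static array is never
 *    indexed out of range however many lines the server sends.
 * Returns the number of records stored. */
int meta_get_server_list_safe(byte_src_t *s, metaSRec_t *servers,
                              int maxservers, int *overlong)
{
    char buf[LINE_BUF];
    size_t off = 0;
    int nums = 0, discard = 0;
    unsigned char c;

    *overlong = 0;
    while (src_read(s, &c) > 0) {
        if (c != '\n') {
            if (discard) continue;              /* skip rest of a bad line */
            if (off >= sizeof(buf) - 1) {       /* keep room for the NUL */
                discard = 1;
                (*overlong)++;
                continue;
            }
            buf[off++] = (char)c;
        } else {                                /* end of line */
            if (discard) { discard = 0; off = 0; continue; }
            buf[off] = '\0';
            off = 0;
            if (nums >= maxservers) break;      /* table full: stop reading */
            if (str2srec_stub(&servers[nums], buf)) nums++;
        }
    }
    return nums;
}

/* Bounds-checked form of "Ships[Context.snum].team = scstat->team".
 * snum came off the wire, so it is validated before use.
 * Returns 1 if applied, 0 if rejected. */
int apply_clientstat_team(Ship *ships, int nships, int snum, unsigned char team)
{
    if (snum < 0 || snum >= nships) return 0;
    ships[snum].team = team;
    return 1;
}

/* Demo 1: constructed input with a 2000-byte line between two normal ones */
typedef struct { int count; int overlong; char first[64]; } demo_result_t;

demo_result_t demo_overlong_line(void)
{
    static unsigned char text[2100];
    size_t n = 0;
    demo_result_t r;
    metaSRec_t servers[META_MAXSERVERS];
    byte_src_t src;

    memcpy(text + n, "alpha\n", 6); n += 6;
    memset(text + n, 'x', 2000);    n += 2000;
    text[n++] = '\n';
    memcpy(text + n, "beta\n", 5);  n += 5;
    src.data = text; src.len = n; src.pos = 0;

    r.count = meta_get_server_list_safe(&src, servers, META_MAXSERVERS, &r.overlong);
    snprintf(r.first, sizeof(r.first), "%s", r.count > 0 ? servers[0].name : "");
    return r;
}

/* Demo 2: constructed snum values, in and out of range */
typedef struct { int accepted, rejected; } bounds_result_t;

bounds_result_t demo_clientstat_bounds(void)
{
    Ship ships[MAXSHIPS] = {{0}};
    int samples[] = { 3, 200, -1, MAXSHIPS - 1, MAXSHIPS };
    bounds_result_t r = { 0, 0 };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (apply_clientstat_team(ships, MAXSHIPS, samples[i], 1)) r.accepted++;
        else r.rejected++;
    }
    return r;
}

int main(void)
{
    demo_result_t d = demo_overlong_line();
    bounds_result_t b = demo_clientstat_bounds();
    printf("stored=%d overlong=%d first=%s\n", d.count, d.overlong, d.first);
    printf("accepted=%d rejected=%d\n", b.accepted, b.rejected);
    return 0;
}
```

Dropping an overlong line, rather than truncating it, is the safer choice here: a truncated server entry would be parsed as if it were complete, while a dropped one just disappears from the list and the `overlong` counter tells the caller the feed was malformed. The same shape of check belongs on `unum` in the SP_CLIENTSTAT handler, since the report notes that both fields are unsanitized.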