Multiple vulnerabilities in Babo Violent 2 2.08.00 Aug 14 2007 10:05PM
Luigi Auriemma (aluigi autistici org)

#######################################################################

Luigi Auriemma

Application: Babo Violent 2
http://www.rndlabs.ca
http://baboviolent.net
Versions: <= 2.08.00
Platforms: Windows and Linux
Bugs: A] crash through malformed value
B] format string
C] crash through unexistent map
D] crash through malformed UDP packet
Exploitation: A, B and C versus server (both dedicated and game)
D versus both clients and server
Date: 14 Aug 2007
Author: Luigi Auriemma
e-mail: aluigi (at) autistici (dot) org [email concealed]
web: aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Babo Violent 2 is a famous free multiplayer game developed by RndLabs
(now under bitHeads).

#######################################################################

=======
2) Bugs
=======

--------------------------------
A] crash through malformed value
--------------------------------

The data with ID 0xca, 0xcb, 0xcc, 0xce, 0xcf and 0xd0 have a first
byte which if is set to a value major or equal than 0x28 (this number
can change) causes the crash of the program.
In my tests doesn't seem possible to use this bug for executing remote
code although some registers change their values using different data
after this byte.

----------------
B] format string
----------------

The output function used by the server is vulnerable to a format string
bug exploitable through the messages and the admin login.
An easy way to test the problem is through the sending of a message
containing %x.

-------------------------------
C] crash through unexistent map
-------------------------------

If the client specifies a map which is not available, the server will
terminate due to the exception (stream != NULL).
What the server does is calling fopen() with the value passed by the
client plus the .bvm extension in the map folder (note that if the
filename is not NULLed there will be many garbage bytes before the
extension).

-------------------------------------
D] crash through malformed UDP packet
-------------------------------------

Both the servers and the clients open another port other than 3333
which is 11111, this port is used for LAN queries and by clients.
In short each UDP packet is composed by a 16 bit number which specifies
the size of the data in the packet.
It's enough to send a small UDP packet with a big 16 bit value for
forcing the program (client or server) to read outside the available
memory of the packet causing a crash:

memcpy(buffer_of_65536, packet + 9, *(uint16_t *)(packet + 7));

Note that all the IP addresses of the clients are visibile in the
server through the "playerlist" command, so an attacker can decide to
"kick" only the players he wants or all of them or just the entire
server.

Note: the password protection in servers doesn't seem to work very well
that's why sometimes these in-game bugs can be exploited also in
protected servers without knowing the needed keyword, it's enough to
reconnect if the connection closes... and be lucky.
Another interesting thing is that the sender of the chat messages is
specified by the client so is possible to spoof any message.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/bv2x.zip

#######################################################################

======
4) Fix
======

I have posted the details of the bugs on dev.baboviolent.net about ten
days ago but nobody has done something.

#######################################################################

---
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus