Application: Mtp-Target
http://www.mtp-target.org
Versions: <= 1.2.2
Platforms: Windows and Linux
Bugs: A] clients format string
B] server crash
Exploitation: remote, versus both server and clients
Date: 01 May 2005
Author: Luigi Auriemma
e-mail: aluigi (at) autistici (dot) org [email concealed]
web: http://aluigi.altervista.org
Mtp-Target is a nice open source and multiplatform clone of the Monkey
Target minigame and uses the NeL library
(http://www.nevrax.org/tiki-index.php?page=NeL).
------------------------
A] clients format string
------------------------
The clients of the game are affected by a format string during the
visualization of the messages received from the other users or of any
other text that appears in the upper console.
With a single message an attacker is able to exploit all the clients
connected to a server.
---------------
B] server crash
---------------
This bug is located in the NeL library but after some tests made by the
NeL developers seems that only Mtp-Target is vulnerable (probably
because the pre-compiled versions use an old version of the library,
the mistery has not been solved).
Anyway there is a signed comparison that verifies if the amount of
memory to allocate (a parameter passed by the client) is major than
1000000 bytes. If an attacker passes a negative value the check is
bypassed and the system tries to allocate this huge amount of memory
through a call to STLport.
The result is an exception that terminates the server.
I was in contact with the developers of this game (that have also a
public game server) but I have no longer received replies from them, so
don't have idea if and when a patch will be released.
#######################################################################
Luigi Auriemma
Application: Mtp-Target
http://www.mtp-target.org
Versions: <= 1.2.2
Platforms: Windows and Linux
Bugs: A] clients format string
B] server crash
Exploitation: remote, versus both server and clients
Date: 01 May 2005
Author: Luigi Auriemma
e-mail: aluigi (at) autistici (dot) org [email concealed]
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Mtp-Target is a nice open source and multiplatform clone of the Monkey
Target minigame and uses the NeL library
(http://www.nevrax.org/tiki-index.php?page=NeL).
#######################################################################
=======
2) Bugs
=======
------------------------
A] clients format string
------------------------
The clients of the game are affected by a format string during the
visualization of the messages received from the other users or of any
other text that appears in the upper console.
With a single message an attacker is able to exploit all the clients
connected to a server.
---------------
B] server crash
---------------
This bug is located in the NeL library but after some tests made by the
NeL developers seems that only Mtp-Target is vulnerable (probably
because the pre-compiled versions use an old version of the library,
the mistery has not been solved).
Anyway there is a signed comparison that verifies if the amount of
memory to allocate (a parameter passed by the client) is major than
1000000 bytes. If an attacker passes a negative value the check is
bypassed and the system tries to allocate this huge amount of memory
through a call to STLport.
The result is an exception that terminates the server.
#######################################################################
===========
3) The Code
===========
http://aluigi.altervista.org/poc/mtpbugs.zip
#######################################################################
======
4) Fix
======
No fix.
I was in contact with the developers of this game (that have also a
public game server) but I have no longer received replies from them, so
don't have idea if and when a patch will be released.
#######################################################################
---
Luigi Auriemma
http://aluigi.altervista.org
[ reply ]