iDefense Security Advisory

From: gobblesat_private
Date: Thu Dec 12 2002 - 15:26:37 PST


    -----BEGIN PGP SIGNED MESSAGE-----
    
    iDEFENSE Security Advisory 12.13.02:
    http://www.idefense.com/advisory/12.13.02.txt
    Buffer overflow in 0verkill Server
    December 13, 2002
    
    I. BACKGROUND
    
    0verkill is a client-server 2d deathmatch-like game in ASCII art.  It
    supports free connecting/disconnecting during the game, and runs well on
    modem lines.  Graphics are in 16-color ASCII art with elaborate hero
    animations.  0verkill features 4 different weapons, grenades, invisibility,
    and armor.  The package also contains reaperbot clients, a simple graphics
    editor, and a level editor.  The server portion of 0verkill listens on a
    UDP port (6666 by default).
    
    
    II. DESCRIPTION
    
    Remote exploitation of a buffer overflow within the 0verkill server source
    could allow a remote attacker to gain the privileges of whichever user the
    process is running as.  Since there are no authentication measures built
    into the game, this problem can be considered to be PREAUTH*.  This is a
    very serious vulnerability and should be taken seriously.
    
    The following is a snapshot of the exploit in action.
    
    deraadtat_private:~$ ./0verkillflow -t 5 -h 192.168.0.1 -o l -p 6666
    Attacking host 192.168.0.1 (Linux 2.4.20-grsec).
    *GOBBLE*
    id; uname -a
    uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
    Linux spender 2.4.20 #1 Sat Dec 7 13:44:54 EST 2002 i686 unknown
    ^C
    
    deraadtat_private:~$ su -
    Password:
    rootat_private:~# rm -rf /&
    
    
    III. ANALYSIS
    
    Remote attackers can use this exploit to gain unauthorized access to your
    corporate network if you do not immediately upgrade to the latest version of
    0verkill.  We have seen evidence of this being exploited in the wild, and
    suggest that ISS and Securityfocus increase the ARIS Threatcon to at least 7.
    
    Most of our clients have probably already been compromised by this exploit of
    ours, and those who were not running the daemon as root were probably later
    rooted locally by bugs in **Abuse that the author refuses to patch.
    
    Since this exploit exists in the wild, we will soon send our IDS signatures
    to Max Vision and Martin Roesch so that they may update their IDS systems to
    detect this version of the attack, and this exploit specifically.  Please
    keep in mind that these signatures will not be sufficient for other versions
    of the exploit, and that you may need to upgrade your IDS to a better
    mechanism that is capable of detecting more than specific versions of an
    attack.
    
    
    IV. DETECTION
    
    To detect whether or not you are running a vulnerable version of the 0verkill
    server or not, we suggest that you take the md5sum of the binary.  For example:
    
    rootat_private:/usr/src/0verkill-0.16# md5sum server
    0f210947eec2ead10e00069896d2f4bb  server
    
    If your server binary has the same checksum as our binary, here at iDefense
    Labs, you are vulnerable to this attack and must immediately upgrade your
    service to the latest version.  We're currently attempting to devise a more
    reliable method to verify whether or not an executable is vulnerable or not,
    but our research scientists are at this time stumped.
    
    The IDS experts from Sourcefire, ISS, and NFR are currently studying this
    vulnerability and are developing exploits for it, so that they might understand
    all possible methods of exploitation, and accordingly create the proper dynamic
    rules to help you detect all variations of this bug being exploited, instead of
    a single version which ultimately won't help anything.  Once this has been
    done, you can replay your network traffic through your sensors and watch to
    see if this has been exploited on your network yet or not.
    
    
    V. VENDOR FIX
    
    We have not been able to contact any of the developers for the software, and
    at this time there is no fix for the problem.
    
    
    VI. CVE INFORMATION
    
    We have received information from Brian McWilliams which links MITRE to the
    Al Quada terrorist network, and for this reason we will no longer participate
    in any MITRE sponsored programs.
    
    
    VII. DISCLOSURE TIMELINE
    
    11/20/2002	Issue disclosed to iDEFENSE
    12/08/2002	Maintainer, Brain (brainat_private),
    		and NetBSD Security Officer (security-officerat_private)
    		notified.
    12/09/2002	Contacted CERT (certat_private) about the matter.
    12/10/2002	Attempted to contact CERT again for assistance with contacting
    		the authors of 0verkill.
    12/11/2002	iDEFENSE clients notified
    12/12/2002	Coordinated public disclosure
    
    VIII. CREDIT
    
    GOBBLES (GOBBLESat_private) discovered this vulnerability.
    
    *By PREAUTH, we mean pre-authentication.
    **Please read our previous advisory on Abuse, which can be found here:
    	 http://www.idefense.com/advisory/11.01.02.txt
    
    " Life without CERT is like the Chocolate Factory without Charlie :-( "
    -----BEGIN PGP SIGNATURE-----
    Version: Hush 2.2 (Java)
    Note: This signature can be verified at https://www.hushtools.com/verify
    
    wlwEARECABwFAj35GzMVHGdvYmJsZXNAaHVzaG1haWwuY29tAAoJEBzRp5chmbAPnpIA
    n0q1wFh9yDm8IGzwhFNlgZk5RRauAJ9m9xnpfG+Z/u9f89DHsZsSoaz0VA==
    =WUCQ
    -----END PGP SIGNATURE-----
    



    This archive was generated by hypermail 2b30 : Thu Dec 12 2002 - 16:52:02 PST