[Freeciv-Dev] Security bugs in Freeciv 1.10.0 (PR#484)
To: freeciv-dev@xxxxxxxxxxx
Cc: bugs@xxxxxxxxxxxxxxxxxxx
Subject: [Freeciv-Dev] Security bugs in Freeciv 1.10.0 (PR#484)
From: Taneli Huuskonen <huuskone@xxxxxxxxxxxxxx>
Date: Fri, 28 Jul 2000 17:23:14 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I was looking at the source of Freeciv 1.10.0 to see if there was any
obvious risk in allowing untrusted people to connect to a server running
on my machine.  Unfortunately, a rather brief examination revealed a
number of potential security holes.  At least one of them looked rather
severe, meaning that a malicious player could overwrite any memory
location with arbitrary data and consequently hijack the whole server
process.

The bug lies in the function handle_player_worklist( ).  It does no
sanity checking whatsoever on its input data, but simply copies the
supplied worklist into the player's array of worklists at the given
index.  By sending a malformed packet with a carefully calculated
index, an attacker can insert its contents anywhere in memory.
Moreover, since the name of the worklist is copied with strcpy( ),
the cracker can overwrite even larger portions of memory than a single
worklist with data containing no NUL bytes.

There are other similar failures to check that array indices are within
bounds, for instance in handle_unit_paradrop_to( ), but the one in the
worklist handling routine looks like it might be the easiest to exploit
as the player structures are statically allocated.

Furthermore, there are several smaller bugs that could, nevertheless, be
exploited to crash a running server and/or to cheat in the game.  IMHO,
the whole programme needs a security audit.  I am willing to help with
that, but my time is limited, so I can only audit a smallish portion.

Taneli Huuskonen

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQA/AwUBOYIjvF+t0CYLfLaVEQKfYwCgyjc77+4f5hD7bJO4dAuSCEhfdPkAnRoF
LbgD77pICN4OKk6DzPtno+Sl
=ur+1
-----END PGP SIGNATURE-----
-- 
I don't   | All messages will be PGP signed,  | Fight for your right to
speak for | encrypted mail preferred.  Keys:  | use sealed envelopes.
the Uni.  | http://www.helsinki.fi/~huuskone/ | http://www.gilc.org/
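The report above describes an unchecked array index combined with an unbounded strcpy( ) in a packet handler. The following C program, added here as an illustration and not taken from Freeciv's source, puts that pattern beside a validating version of the same handler. Every struct layout, constant and field name in it (NUM_WORKLISTS, WORKLIST_NAME_LEN, WORKLIST_MAX_ENTRIES, struct worklist_packet, try_packet) is hypothetical and chosen for the example; the real game's data structures differ.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical sizes chosen for this example; they are not Freeciv's
   real limits. */
#define NUM_WORKLISTS 4
#define WORKLIST_NAME_LEN 16
#define WORKLIST_MAX_ENTRIES 8

/* Hypothetical worklist and player layouts; Freeciv's real structs differ. */
struct worklist {
    char name[WORKLIST_NAME_LEN];
    int length;
    int entries[WORKLIST_MAX_ENTRIES];
};

struct player {
    struct worklist worklists[NUM_WORKLISTS];
};

/* A packet as it looks after decoding from the wire: the remote client
   chose every field, so none of them can be trusted. The name arrives
   with an explicit length and is not guaranteed to be NUL-terminated. */
struct worklist_packet {
    int wl_idx;
    const unsigned char *name;
    size_t name_len;
    int length;
    const int *entries;
};

/* The pattern the report describes: index, name and entry count are used
   as they arrived. Kept only as the "before" picture of the fix; it is
   never called with untrusted input in this program. */
void handle_player_worklist_unchecked(struct player *p,
                                      const struct worklist_packet *pkt)
{
    struct worklist *dst = &p->worklists[pkt->wl_idx];   /* no bounds check */
    strcpy(dst->name, (const char *)pkt->name);          /* no length check */
    dst->length = pkt->length;
    memcpy(dst->entries, pkt->entries,
           (size_t)pkt->length * sizeof dst->entries[0]); /* count unchecked */
}

/* Hardened form: every client-controlled value is validated against the
   fixed array sizes before anything is written. Returns false and leaves
   the player untouched when the packet is malformed. */
bool handle_player_worklist_checked(struct player *p,
                                    const struct worklist_packet *pkt)
{
    if (pkt->wl_idx < 0 || pkt->wl_idx >= NUM_WORKLISTS)
        return false;                                    /* index out of range */
    if (pkt->name_len >= WORKLIST_NAME_LEN)
        return false;                                    /* no room for the NUL */
    if (memchr(pkt->name, '\0', pkt->name_len) != NULL)
        return false;                                    /* embedded NUL */
    if (pkt->length < 0 || pkt->length > WORKLIST_MAX_ENTRIES)
        return false;                                    /* entry count out of range */

    struct worklist *dst = &p->worklists[pkt->wl_idx];
    memcpy(dst->name, pkt->name, pkt->name_len);
    dst->name[pkt->name_len] = '\0';                     /* always terminated */
    dst->length = pkt->length;
    memcpy(dst->entries, pkt->entries,
           (size_t)pkt->length * sizeof dst->entries[0]);
    return true;
}

/* Builds a packet from constructed sample values and reports whether the
   hardened handler accepted it. */
bool try_packet(int wl_idx, const char *name, int length)
{
    static struct player player;
    static const int sample_entries[WORKLIST_MAX_ENTRIES] = {1, 2, 3, 4, 5, 6, 7, 8};
    struct worklist_packet pkt = {
        .wl_idx = wl_idx,
        .name = (const unsigned char *)name,
        .name_len = strlen(name),
        .length = length,
        .entries = sample_entries,
    };
    return handle_player_worklist_checked(&player, &pkt);
}

int main(void)
{
    printf("valid packet accepted:     %d\n", try_packet(2, "coastal", 3));
    printf("huge index rejected:       %d\n", !try_packet(100000, "coastal", 3));
    printf("negative index rejected:   %d\n", !try_packet(-1, "coastal", 3));
    printf("long name rejected:        %d\n", !try_packet(0, "this-name-is-far-too-long", 3));
    printf("too many entries rejected: %d\n", !try_packet(0, "ok", 9));
    return 0;
}
```

The checked handler rejects rather than truncates an over-long name: silently shortening client data hides protocol errors, whereas a refused packet can be logged and counted, which is the signal a server operator would want when a client starts sending indices and lengths that no legitimate client produces.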