Complete.Org: Mailing Lists: Archives: freeciv-dev: July 2000:
[Freeciv-Dev] Re: Security bugs in Freeciv 1.10.0 (PR#484)

[Freeciv-Dev] Re: Security bugs in Freeciv 1.10.0 (PR#484)

[Top] [All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index] [Thread Index]

To:	huuskone@xxxxxxxxxxxxxx
Cc:	freeciv-dev@xxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx
Subject:	[Freeciv-Dev] Re: Security bugs in Freeciv 1.10.0 (PR#484)
From:	David Pfitzner <dwp@xxxxxxxxxxxxxx>
Date:	Sun, 30 Jul 2000 19:04:34 +1000 (EST)

On Fri, 28 Jul 2000 Taneli Huuskonen <huuskone@xxxxxxxxxxxxxx> wrote:

> I was looking at the source of Freeciv 1.10.0 to see if there was any
> obvious risk in allowing untrusted people to connect to a server running
> on my machine.  Unfortunately, a rather brief examination revealed a
> number of potential security holes.  At least one of them looked rather
> severe, meaning that a malicious player could overwrite any memory
> location with arbitrary data and consequently hijack the whole server
> process.

Unfortunately I'm not too surprised by your findings.  As the saying
goes "that's a known problem" :-/  Both the server and client _should_
do much more sanity-checking of the requests and data they receive
from each other.  (OTOH it once used to be even worse!!)

> The bug lies in the function handle_player_worklist( ).  It does no
> sanity checking whatsoever on its input data, but simply copies the
> supplied worklist into the player's array of worklists at the given
> index.  By sending a malformed packet with a carefully calculated
> index, an attacker can insert its contents anywhere in memory.

Yep, thanks.

> Moreover, since the name of the worklist is copied with strcpy( ),
> the cracker can overwrite even larger portions of memory than a single
> worklist with data containing no NUL bytes.

Actually I don't think this particular case of strcpy() is a problem
(at least for handle_player_worklist()) because the packet handling 
code _does_ take some care to check string lengths earlier in the
code path, when the packet_player_request is filled in.  Nevertheless 
redundant checking is a good idea (eg, I could be wrong), and 
copy_worklist() is called from a number of other places.

> There are other similar failures to check that array indices are within
> bounds, for instance in handle_unit_paradrop_to( ), but the one in the
> worklist handling routine looks like it might be the easiest to exploit
> as the player structures are statically allocated.
> 
> Furthermore, there are several smaller bugs that could, nevertheless, be
> exploited to crash a running server and/or to cheat in the game.  IMHO,
> the whole programme needs a security audit. 

Agreed.

> I am willing to help with
> that, but my time is limited, so I can only audit a smallish portion.

Any help appreciated :-)

Regards,
-- David

[Prev in Thread]

Current Thread

[Next in Thread]

[Freeciv-Dev] Security bugs in Freeciv 1.10.0 (PR#484), Taneli Huuskonen, 2000/07/28
- [Freeciv-Dev] Re: Security bugs in Freeciv 1.10.0 (PR#484), David Pfitzner <=

Prev by Date: [Freeciv-Dev] Re: Blitzkrieg patch
Next by Date: [Freeciv-Dev] Re: Random generator not random at all
Previous by thread: [Freeciv-Dev] Security bugs in Freeciv 1.10.0 (PR#484)
Next by thread: [Freeciv-Dev] patch: hash table improvements
Index(es):
- Date
- Thread