Complete.Org: Mailing Lists: Archives: freeciv-dev: July 2000:
[Freeciv-Dev] Re: Security bugs in Freeciv 1.10.0 (PR#484)
Home

[Freeciv-Dev] Re: Security bugs in Freeciv 1.10.0 (PR#484)

[Top] [All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index] [Thread Index]
To: huuskone@xxxxxxxxxxxxxx
Cc: freeciv-dev@xxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx
Subject: [Freeciv-Dev] Re: Security bugs in Freeciv 1.10.0 (PR#484)
From: David Pfitzner <dwp@xxxxxxxxxxxxxx>
Date: Sun, 30 Jul 2000 19:04:34 +1000 (EST)

On Fri, 28 Jul 2000 Taneli Huuskonen <huuskone@xxxxxxxxxxxxxx> wrote:

> I was looking at the source of Freeciv 1.10.0 to see if there was any
> obvious risk in allowing untrusted people to connect to a server running
> on my machine.  Unfortunately, a rather brief examination revealed a
> number of potential security holes.  At least one of them looked rather
> severe, meaning that a malicious player could overwrite any memory
> location with arbitrary data and consequently hijack the whole server
> process.

Unfortunately I'm not too surprised by your findings.  As the saying
goes "that's a known problem" :-/  Both the server and client _should_
do much more sanity-checking of the requests and data they receive
from each other.  (OTOH it once used to be even worse!!)

> The bug lies in the function handle_player_worklist( ).  It does no
> sanity checking whatsoever on its input data, but simply copies the
> supplied worklist into the player's array of worklists at the given
> index.  By sending a malformed packet with a carefully calculated
> index, an attacker can insert its contents anywhere in memory.

Yep, thanks.

> Moreover, since the name of the worklist is copied with strcpy( ),
> the cracker can overwrite even larger portions of memory than a single
> worklist with data containing no NUL bytes.

Actually I don't think this particular case of strcpy() is a problem
(at least for handle_player_worklist()) because the packet handling 
code _does_ take some care to check string lengths earlier in the
code path, when the packet_player_request is filled in.  Nevertheless 
redundant checking is a good idea (eg, I could be wrong), and 
copy_worklist() is called from a number of other places.

> There are other similar failures to check that array indices are within
> bounds, for instance in handle_unit_paradrop_to( ), but the one in the
> worklist handling routine looks like it might be the easiest to exploit
> as the player structures are statically allocated.
> 
> Furthermore, there are several smaller bugs that could, nevertheless, be
> exploited to crash a running server and/or to cheat in the game.  IMHO,
> the whole programme needs a security audit. 

Agreed.

> I am willing to help with
> that, but my time is limited, so I can only audit a smallish portion.

Any help appreciated :-)

Regards,
-- David



[Prev in Thread] Current Thread [Next in Thread]