header-logo
Suggest Exploit
vendor:
Netrek
by:
Luigi Auriemma
7.5
CVSS
HIGH
Format string
134
CWE
Product Name: Netrek
Affected Version From: <= 2.12.0
Affected Version To: 2.12.2000
Patch Exists: YES
Related CWE:
CPE: a:netrek_project:netrek
Metasploit:
Other Scripts:
Platforms Tested: *nix and Windows
2007

Netrek format string vulnerability

The Vanilla server in Netrek version <= 2.12.0 is affected by a format string vulnerability. The vulnerability is caused by the calling of the pmessage2() function without the needed format argument. It can be exploited by locking a player who is using a malformed nickname. The EVENTLOG switch must be enabled for exploiting this vulnerability. The exploit code can be found at http://aluigi.org/poc/netrekfs.zip

Mitigation:

Upgrade to version 2.12.1
Source

Exploit-DB raw data:

#######################################################################

                            Luigi Auriemma
Application:  Netrek
              http://www.netrek.org
Versions:     <= 2.12.0 (Vanilla server)
Platforms:    *nix and Windows
Bug:          format string
Exploitation: remote (in-game)
Date:         02 Mar 2007
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Netrek is a well known real-time strategy game inspired to Star Trek.

#######################################################################

======
2) Bug
======

The Vanilla server is affected by a format string vulnerability caused
by the calling of the pmessage2() function without the needed format
argument.

The bug is located in new_warning() and can be exploitated through the
locking of a player (the same attacker too) who is using a malformed
nickname.

Note that the EVENTLOG switch must be enabled for exploiting this
vulnerability (default is disabled).

from ntserv/warning.c:

void new_warning(int index, const char *fmt, ...) {

 char temp[150];

 va_list args;
 va_start(args, fmt);

 vsprintf(temp, fmt, args);

 ...

 if (eventlog) {

   char from_str[9]="WRN->\0\0\0";

   strcat(from_str, me->p_mapchars);
   pmessage2(0, 0, from_str, me->p_no, temp);
 }


#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/netrekfs.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/3399.zip (03022007-netrekfs.zip)

#######################################################################

======
4) Fix
======

Version 2.12.1

#######################################################################


# milw0rm.com [2007-03-02]