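MultiTheftAuto Command 40 Denial-of-Service Vulnerability
Vulnerability ID | 1197775 | Vulnerability type | Buffer overflow |
Published | 2005-09-27 | Updated | 2005-09-27 |
CVE ID | CVE-2005-3065 |
CNNVD-ID | CNNVD-200509-255 |
Platform | N/A | CVSS score | 5.0 |
|Source
|Details
MultiTheftAuto is a game engine. A security vulnerability exists in MultiTheftAuto 0.5 patch 1 and earlier versions: a remote attacker can cause a denial of service (application crash) by sending a forged command 40, which causes a length of -1 to be used and triggers an out-of-bounds read error.
|Exploit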
#######################################################################
Luigi Auriemma
Application: MultiTheftAuto
http://www.multitheftauto.com
Versions: <= 0.5 patch 1
Platforms: Windows, Linux, FreeBSD and OpenBSD
Bugs: A] anyone can modify the motd
B] Windows server crash
Exploitation: remote, versus server
Date: 25 Sep 2005
Author: Luigi Auriemma
e-mail: aluigi (at) autistici (dot) org
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
MultiTheftAuto (MTA) is a closed-source mod and server for the games
Grand Theft Auto III (http://www.rockstargames.com/grandtheftauto3/)
and Grand Theft Auto: Vice City
(http://www.rockstargames.com/vicecity/pc/) which adds multiplayer
capabilities to them.
#######################################################################
=======
2) Bugs
=======
Both the following bugs are directly related but have been separated
since the effects change between the available versions for the
supported platforms:
-----------------------------
A] anyone can modify the motd
-----------------------------
The MTA server has the remote administration option enabled by default.
The problem is the existence of an undocumented command (number 40)
which allows the modification or the deletion of the content of the
motd.txt file used for the message of the day.
This is the only command which doesn't check if the client is an admin
so anyone without permissions has access to it.
-----------------------
B] Windows server crash
-----------------------
The command 40 is also the cause of another problem located in the same
function which seems incomplete or experimental as shown by the
following "retrieved" code:
    // open file for writing "w"
    length = *(u_int *)(src - (src % 4096));
    for(i = j = 0; i < length; i++) {
        if(src[i] == '\n') dst[j++] = '\r';
        dst[j++] = src[i];
        if(j < 1024) continue;
        if(!WriteFile(...)) break;
        j = 0;
    }
    // close file
length is -1 so the function starts an almost endless loop which stops
when the source buffer points to an unallocated zone of the memory.
The result is the immediate crash of the MTA server.
Seems that only the Windows server is affected by the crash because on
Linux the function is substituted with the following "still incorrect"
instruction which doesn't produce exceptions:
    fd = fopen("motd.txt", "w");
    fwrite(data + 4, 1, data, fd); // yes data is the buffer
    fclose(fd);
#######################################################################
===========
3) The Code
===========
http://aluigi.altervista.org/poc/mtaboom.zip
#######################################################################
======
4) Fix
======
The developers have said that MTA is no longer supported.
#######################################################################
---
Luigi Auriemma
http://aluigi.altervista.org
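Added example, not part of the advisory and not MTA code (the server is closed-source): a bounds-checked handler for a motd-update command, showing the two checks whose absence the advisory describes. The function name, the packet layout (4-byte little-endian length followed by the text) and the 1024-byte cap are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MOTD_MAX 1024 /* assumed upper bound for motd.txt content */

/* Hypothetical replacement for the command-40 handler body.
 * Assumed packet layout: 4-byte little-endian length, then the motd text.
 * pkt_len is the number of bytes actually received from the socket.
 * Returns the number of bytes placed in out, or -1 if the request is rejected. */
int motd_from_packet(const uint8_t *pkt, size_t pkt_len, int is_admin,
                     char *out, size_t out_cap)
{
    uint32_t len;
    size_t i, j = 0;
    if (!is_admin)                  /* bug A: command 40 skipped this check */
        return -1;
    if (pkt_len < 4)                /* too short to hold a length field */
        return -1;
    len = (uint32_t)pkt[0] | (uint32_t)pkt[1] << 8 |
          (uint32_t)pkt[2] << 16 | (uint32_t)pkt[3] << 24;
    /* bug B: the length must fit in what was received; 0xffffffff (-1) fails here */
    if (len > pkt_len - 4 || len > MOTD_MAX)
        return -1;
    for (i = 0; i < len; i++) {
        uint8_t c = pkt[4 + i];
        /* LF -> CRLF as in the original loop, but leave existing CRLF alone */
        int add_cr = (c == '\n' && (i == 0 || pkt[3 + i] != '\r'));
        if (j + 1 + (size_t)add_cr > out_cap)   /* never write past out */
            return -1;
        if (add_cr)
            out[j++] = '\r';
        out[j++] = (char)c;
    }
    return (int)j;
}

/* Constructed sample packets, not captured traffic. */
static const uint8_t PKT_OK[]  = { 3, 0, 0, 0, 'a', '\n', 'b' };
static const uint8_t PKT_NEG[] = { 0xff, 0xff, 0xff, 0xff, 'h', 'i' };
static char OUT[2 * MOTD_MAX];

int main(void)
{
    printf("valid, admin:  %d\n", motd_from_packet(PKT_OK, sizeof PKT_OK, 1, OUT, sizeof OUT));
    printf("length -1:     %d\n", motd_from_packet(PKT_NEG, sizeof PKT_NEG, 1, OUT, sizeof OUT));
    printf("valid, no adm: %d\n", motd_from_packet(PKT_OK, sizeof PKT_OK, 0, OUT, sizeof OUT));
    return 0;
}
```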
|Affected products
MultiTheftAuto MultiTheftAuto 0.5 Patch 1
|References
Source: SECUNIA
Name: 16926
Link: http://secunia.com/advisories/16926/
Source: FULLDISC
Name: 20050925 Server crash and motd deletion in MultiTheftAuto 0.5 patch 1
Link: http://lists.grok.org.uk/pipermail/full-disclosure/2005-September/037384.html
Source: SREASON
Name: 26
Link: http://securityreason.com/securityalert/26