#######################################################################

                             Luigi Auriemma

Application:  BZFlag
              http://www.bzflag.org
Versions:     <= 2.0.4
              versions lower than 2.0.0 seem not vulnerable
Platforms:    Windows, *BSD, Linux, *nix, MacOS, Solaris, SGI and more
Bug:          server crash due to the handling of undelimited string
Exploitation: remote, versus server
Date:         25 Dec 2005
Author:       the bug has been fixed by the developers at the end of
              October in the CVS version while I have found the bug
              independently and have exploited it one month later since
              the stable version was (and is) still that vulnerable
Advisory:     Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


BZFlag is a great and well known open source multiplayer tank game.


#######################################################################

======
2) Bug
======


The callsigns used by the clients are not checked or re-delimited by
the server, so it is possible for a client to pass a callsign with no
NULL byte at its end, causing problems (crash) to the server during the
handling of this string.

On both Linux and Windows for x86 (using the precompiled packages) I
have reached the server crash without problems, but it is possible that
in some configurations the crash happens only after many tries or also
never, depending on how the memory is handled on that platform.

The bug can be exploited also versus password protected servers without
knowing the right keyword.
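The defensive pattern that closes this class of bug is for the server to re-delimit the field itself instead of trusting the client to send the terminating NUL. The following is an added example, not code from the advisory or from BZFlag: the constant CALLSIGN_LEN, the function sanitize_callsign and the status values are assumptions made for the illustration, and the two packets in main() are constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical field size for this example; not BZFlag's real constant. */
#define CALLSIGN_LEN 32

/* What the sanitizer found in the client-supplied field. */
typedef enum {
    CALLSIGN_OK = 0,        /* NUL present and the string fits             */
    CALLSIGN_UNTERMINATED,  /* client sent no NUL: treat as hostile input  */
    CALLSIGN_TRUNCATED      /* terminated, but longer than the buffer      */
} callsign_status;

/* Server-side buffer shared by the demo below (and by tests). */
char demo_buf[CALLSIGN_LEN];

/*
 * Copy the callsign bytes received from the network into a fixed-size
 * server buffer and force a NUL terminator on the server side.
 *
 * field/field_len are exactly the bytes the client sent; nothing obliges
 * the client to include a '\0'. A server that runs strlen()/strcpy()
 * directly on `field` keeps reading past field_len until it happens to
 * meet a zero byte, and that over-read is what can crash the process.
 * Bounding the search with memchr() avoids it. out_len must be >= 1.
 */
callsign_status sanitize_callsign(const unsigned char *field, size_t field_len,
                                  char *out, size_t out_len)
{
    const unsigned char *nul = memchr(field, '\0', field_len);
    size_t n = nul ? (size_t)(nul - field) : field_len;
    callsign_status st = nul ? CALLSIGN_OK : CALLSIGN_UNTERMINATED;

    if (n > out_len - 1) {          /* never copy more than the buffer holds */
        n = out_len - 1;
        if (st == CALLSIGN_OK)
            st = CALLSIGN_TRUNCATED;
    }
    memcpy(out, field, n);
    out[n] = '\0';  /* the server, not the client, decides where the string ends */
    return st;
}

/* Stand-alone demo over two constructed packets. */
int main(void)
{
    /* 1: a well-formed callsign field, NUL included. */
    const unsigned char good[] = "tank";
    callsign_status s1 = sanitize_callsign(good, sizeof good, demo_buf, sizeof demo_buf);
    printf("good: status=%d callsign=\"%s\"\n", s1, demo_buf);

    /* 2: a field that fills its slot with non-zero bytes and no NUL. */
    unsigned char bad[CALLSIGN_LEN];
    memset(bad, 'A', sizeof bad);
    callsign_status s2 = sanitize_callsign(bad, sizeof bad, demo_buf, sizeof demo_buf);
    printf("bad:  status=%d length=%zu (bounded, no over-read)\n", s2, strlen(demo_buf));
    return 0;
}
```

A server using this pattern can log or reject CALLSIGN_UNTERMINATED fields, since a legitimate client always sends the terminator; the point is that every later use of the callsign (logging, comparison, display) then operates on a string whose end is known.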
#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/bzflagboom.zip


#######################################################################

======
4) Fix
======


As written in the "Author" field, the CVS version has already been
patched for over two months.


#######################################################################