####################################################################### Luigi Auriemma Application: Freeciv http://www.freeciv.org Versions: <= 2.0.7 Platforms: Windows, *nix, *BSD, MacOS and more Bug: bad memory allocation Exploitation: remote, versus server Date: 06 Mar 2006 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Freeciv is an open source clone of the well known Civilization game. The game supports also online gaming through its own metaserver (which can be seen also on the web) and GGZ (http://www.ggzgamingzone.org). ####################################################################### ====== 2) Bug ====== Freeciv supports both plain and compressed data (admins can disable this feature only recompiling the server from the source code with USE_COMPRESSION undefined). When the server receives a jumbo data (size set to 0xffff) it reads the subsequent 32 bits number which identifies the size of the compressed data. Then it makes a signed comparison to know if the compressed size is major than the data received, if the client uses a negative compressed size value it will be able to elude this check. After having substracted 6 bytes (header size) from this number the server tries to allocate the memory needed for decompressing the data which is fixed to 100 times this size. If the memory cannot be allocated the server terminates or freezes showing an out of memory message. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/freecivdos.zip ####################################################################### ====== 4) Fix ====== Version 2.0.8 #######################################################################