#######################################################################

                             Luigi Auriemma

Application:  GNE - Game Networking Engine
              http://www.gillius.org/gne/
Versions:     <= 0.70 and CVS <= 23 Jul 2006
Platforms:    Windows, *nix, *BSD, Mac and more
Bug:          format string bug in the gout console output
Exploitation: remote
Date:         24 Jul 2006
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

GNE is an open source network library specifically designed for games.

#######################################################################

======
2) Bug
======

The console output provided by the library (gout) is affected by a
format string vulnerability which can be exploited if the main program
shows the data sent by the clients on the gout console.

The problem is that goutbuf::flush_output() passes the buffered text
directly to Console::mlprintf and Console::mprintf as the format
string, instead of using a constant "%s" format and passing the buffer
as an argument. Any '%' conversions contained in client-supplied data
are therefore interpreted by the printf-style formatter.

From ConsoleStreambuf.cpp:

  void goutbuf::flush_output() {
    //We always have a space for the null pointer because we reserved an
    //extra position when we called setp, and we do so again at the end of
    //this function.
    if (pptr() > pbase()) {
      *pptr() = '\0';
      if (x != -1) {
        //Do a mlprintf if a location was set.
        assert(y != -1);
        Console::mlprintf(x, y, pbase());
        x = y = -1; //Unset last location.
      } else
        Console::mprintf(pbase());
      setp(buf, buf + OBUF_LEN - 1);
    }

#######################################################################

===========
3) The Code
===========

No proof-of-concept available

#######################################################################

======
4) Fix
======

CVS 24 Jul 2006

#######################################################################
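The following is an added example illustrating the bug described in section 2; it is not code from the advisory or from GNE. It uses a small stand-in for Console::mprintf (mprintf_into, a hypothetical name that formats into a caller-supplied buffer rather than onto the console) and shows the vulnerable call shape from flush_output() beside the "%s" fix, plus a helper that counts the conversions attacker-controlled data would trigger. The sample input is constructed for the example.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for Console::mprintf (hypothetical, not GNE's code): a
 * printf-style function that formats into `out` instead of the console.
 * The format attribute lets gcc/clang flag flush_vulnerable() below
 * when built with -Wformat -Wformat-security. */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))
#endif
static int mprintf_into(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable shape, as in goutbuf::flush_output(): the buffered text
 * (which may come straight from a client) is used as the format string.
 * Anything but "%%" in the data would read nonexistent varargs, which
 * is undefined behaviour, so only "%%" is exercised here. */
static int flush_vulnerable(const char *buf, char *out, size_t outlen)
{
    return mprintf_into(out, outlen, buf);
}

/* Fixed shape: constant format, data passed as an argument. */
static int flush_fixed(const char *buf, char *out, size_t outlen)
{
    return mprintf_into(out, outlen, "%s", buf);
}

/* Counts printf conversions a string would introduce if it were used as
 * a format string ("%%" is an escaped percent, not a conversion).
 * Useful as a fuzzing assertion: untrusted text reaching a format
 * argument should always yield 0 after the fix. */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

int main(void)
{
    char out[64];
    const char *client_data = "100%% done"; /* constructed client input */

    flush_vulnerable(client_data, out, sizeof out);
    printf("vulnerable: %s\n", out);   /* "%%" collapsed: formatter ran */
    flush_fixed(client_data, out, sizeof out);
    printf("fixed:      %s\n", out);   /* data printed verbatim */
    printf("directives in \"%%x%%x%%n\": %d\n",
           count_format_directives("%x%x%n"));
    return 0;
}
```

Build with -Wformat -Wformat-security to see the compiler warn on the vulnerable call and stay silent on the fixed one; that is the cheapest way to audit a code base for the same pattern.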