#######################################################################

                             Luigi Auriemma

Application:  Sparklet
              http://sparklet.sourceforge.net
Versions:     <= 0.9.4try3
Platforms:    Windows, *nix, *BSD and more
Bug:          format string in client's display
Exploitation: remote, versus clients
Date:         06 Jul 2006
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Sparklet is a nice multiplayer 2d shooting game released under the GPL
license.

#######################################################################

======
2) Bug
======

The game is affected by a format string vulnerability located in the
function which visualizes the text strings on the client screen during
the match.

The problem is located in agl_text.cpp, where the "%s" format argument
is missing, so the text received from the network is used directly as
the format string:

  void WriteText(const Point &DstLoc, const std::string &Text,
                 const int &Font, const ULONG &Color) {
      ...
      /* Text is passed as the format string itself; "%s" is missing */
      allegro_gl_printf_ex(fnt, x, y, 0, Text.c_str());
      ...

Through this bug an attacker on a server or a client (the server is not
vulnerable since it simply forwards all the received data to all the
clients connected to it) can crash or execute malicious code versus any
client which is playing on the server.

#######################################################################

===========
3) The Code
===========

Use the nickname %n%n%n%n%n

#######################################################################

======
4) Fix
======

A new version will be released soon

#######################################################################
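The correct form of the WriteText() call from section 2, as an added example that is not Sparklet's code: allegro_gl_printf_ex() is replaced by a hypothetical render_printf() stand-in that renders to a string, and it goes beyond the page by adding a '%' check for the nickname path and an escape helper for a printf-style sink that cannot be changed.

```cpp
#include <cstdarg>
#include <cstdio>
#include <string>

// Hypothetical stand-in for allegro_gl_printf_ex(): a printf-style sink that
// renders into a string instead of drawing on the screen.
static std::string render_printf(const char *fmt, ...) {
    char buf[256];
    va_list ap;
    va_start(ap, fmt);
    std::vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    return std::string(buf);
}

// Hardened WriteText(): the player-supplied text is an ARGUMENT to a fixed
// "%s" format, so "%n" or "%x" inside a nickname is drawn literally.
// The vulnerable agl_text.cpp form would be: render_printf(Text.c_str());
std::string WriteTextSafe(const std::string &Text) {
    return render_printf("%s", Text.c_str());
}

// Defence in depth for the nickname path: a name that contains '%' has no
// legitimate reason to reach a printf-style function, so it can be refused
// or logged (e.g. by the server before forwarding it to the other clients).
bool HasFormatDirective(const std::string &name) {
    return name.find('%') != std::string::npos;
}

// If a sink that takes a format string cannot be changed, the only safe way
// to feed it untrusted text is to escape every '%' as "%%" first.
std::string EscapePercent(const std::string &in) {
    std::string out;
    for (char c : in) {
        if (c == '%') out += "%%";
        else out += c;
    }
    return out;
}
```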