#######################################################################

                             Luigi Auriemma

Application:  ZIG Game Engine
              http://zige.sourceforge.net
Versions:     Ziglite <= 1.0.0 and CVS <= 24 Jun 2006 (some bugs still
              unpatched)
              Zig (1.4.0 and current CVS) is vulnerable too
Platforms:    Windows, *nix, *BSD and more
Bugs:         A] format string bug in console logging
              B] invalid memory access in getObject
              C] library termination through throw
Exploitation: remote
Date:         06 Jul 2006
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

The ZIG Game Engine is an open source network library.
It is divided into two projects: the main and most actively updated one
is Ziglite, while the other is Zig (aka ziglib).

#######################################################################

=======
2) Bugs
=======

---------------------------------------
A] format string bug in console logging
---------------------------------------

The library supports the logging of the console text. This feature is
disabled by default and must be enabled in the main program through the
enable_log() function.

The instruction which logs the console's output is affected by a format
string vulnerability, located in console.cpp: the console text is passed
to log() as the format argument instead of as a parameter.

  bool console_c::write_string(const char* outstr)
  ...
      // log
      if (conLogHandle > -1)
          log(conLogHandle, outstr);
  ...

-------------------------------------
B] invalid memory access in getObject
-------------------------------------

The getObject function provided by the library for the handling of the
objects received from the network can be used to crash the main program
through an invalid class code: the code read from the packet is used as
an index into the type-maker table without any bounds check, so an
out-of-range value leads to reading an invalid memory region.

From buffer.cpp:

  serializable_c *buffer_c::getObject()
  {
      //use special functions that can write/read a value from 0 to 32k using only one
      //byte for values in the range 0..127 (optimization)
      int code = get32K();

      // get the CTypeMaker for this class code
      //CTypeMaker *maker = CTypeRegister::m_mTypeMaker[ code ];
      CTypeMaker *maker = (CTypeRegister::GetTypeMaker())[ code ];

      // call "new" and create a new instance for the class
      serializable_c *objeto = (serializable_c *)maker->CreateNew();

      // feed the class with the field values from the buffer
      objeto->read(*this);

      return objeto;
  }

------------------------------------
C] library termination through throw
------------------------------------

The usage of throw (for exception handling) when a packet is smaller
than the size to read causes the immediate termination of the program,
since the exception is not caught by the library.
throw is used in all the reading functions available in buffer.cpp:
getByte, getBytes, getShort, getShorts, getLong, getLongs, getFloat,
getDouble, getBlock, getString and getDataToSocket.

#######################################################################

===========
3) The Code
===========

No proof-of-concept available

#######################################################################

======
4) Fix
======

Bug A was fixed in CVS on 25 Jun 2006.
The other bugs will be fixed soon, since they require deep modifications
of the code.

#######################################################################
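The following is an added example, not ZIG code, showing how bugs B and C would be handled defensively: the class code is range-checked before it is used as a table index, and the length exception raised by the getters is caught at the packet boundary and turned into a return value. The Buffer type, the one-or-two-byte get32K() encoding and the registry size are constructed assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Constructed model of a buffer_c-style reader (hypothetical, not ZIG's).
struct Buffer {
    std::vector<uint8_t> data;
    size_t pos = 0;

    // Like the library's getters, throws when the packet is too short.
    uint8_t getByte() {
        if (pos >= data.size()) throw std::length_error("truncated packet");
        return data[pos++];
    }
    // Assumed encoding: one byte for 0..127, otherwise the high bit flags
    // a second byte, giving values up to 32767.
    int get32K() {
        int b = getByte();
        if (b < 0x80) return b;
        return ((b & 0x7f) << 8) | getByte();
    }
};

// Stand-in for the type-maker registry: only codes below this are valid.
static const size_t kRegisteredTypes = 4;  // constructed value

// Hardened getObject: reject an out-of-range code before any table lookup
// or CreateNew(). Returns the validated code, or -1 for an invalid one.
int getObjectCode(Buffer &buf) {
    int code = buf.get32K();
    if (code < 0 || static_cast<size_t>(code) >= kRegisteredTypes)
        return -1;  // untrusted class code: drop it, never index with it
    return code;
}

enum class Result { Ok, BadCode, Truncated };

// Dispatcher at the network boundary: a truncated packet becomes a
// status instead of an uncaught throw terminating the process.
Result handlePacket(const std::vector<uint8_t> &pkt, int &codeOut) {
    Buffer buf;
    buf.data = pkt;
    try {
        codeOut = getObjectCode(buf);
        return codeOut < 0 ? Result::BadCode : Result::Ok;
    } catch (const std::length_error &) {
        return Result::Truncated;
    }
}
```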