Format string in The Dawn of Time 1.69s beta4

2007.10.09
Credit: Luigi Auriemma
Risk: High
Local: No
Remote: Yes
CVE: CVE-2007-5265
CWE: CWE-134


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

####################################################################### Luigi Auriemma Application: The Dawn of Time http://www.dawnoftime.org Versions: <= 1.69s beta4 (and 1.69r too) Platforms: *nix and Windows Bug: format string in web server authorization Exploitation: remote Date: 05 Oct 2007 Author: Luigi Auriemma e-mail: aluigi (at) autistici (dot) org [email concealed] web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== The Dawn of Time (aka Dawn) is a MUD server originally based on the ROM codebase. ####################################################################### ====== 2) Bug ====== A format string vulnerability is located in the function which handles the access to the restricted zones of the internal web server like "Reset password". After having decoded the base64 string containing username:password the string is used without format argument with sprintf(). from websrv.cpp: bool processWebHeader(web_request_data *w){ ... if (str_len(pLine)>0 && str_len(pLine)<200){ char decoded[200]; char *d; d =decodeBase64(pLine); if (d){ sprintf(decoded,d); ... void filterWebRequest(connection_data *c){ ... if (str_len(pLine)>0 && str_len(pLine)<200){ char decoded[200]; char *d; d =decodeBase64(pLine); if (d){ sprintf(decoded,d); ####################################################################### =========== 3) The Code =========== Go to: http://SERVER:4001/locked and use the username %n%n%n%n%n or just: http://%n%n%n%n%n:%n%n%n%n%n@SERVER:4001/locked ####################################################################### ====== 4) Fix ====== The bug will be officially fixed in the next release. I have also opened a thread in the Dawn forum some days ago with the instructions for the fix: http://forums.dawnoftime.org/viewtopic.php?t=2102 ####################################################################### --- Luigi Auriemma http://aluigi.org http://forum.aluigi.org http://mirror.aluigi.org


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top