Openwall Project   /home  Owl  JtR  Pro  crypt  pam_passwdqc  tcb  phpass  scanlogd  popa3d  msulogin  /  Linux  BIND  /  advisories  presentations  /  services  donations  /  wordlists  passwords  /  news  community  lists  wiki  CVSweb  mirrors  signatures
bringing security into open environments
 
Password Recovery Resources on the Net
[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list] 
Date: Wed, 6 Aug 2008 00:38:25 +0200
From: Nico Golde <oss-security+ml@...lde.de>
To: oss-security@...ts.openwall.com
Subject: Re: CVE id request: openttd

Hi Robert,
here we go...
* Robert Buchholz <rbu@...too.org> [2008-08-05 06:29]:
> On Monday 04 August 2008, Nico Golde wrote:
> > "OpenTTD servers of version 0.6.1 and below are susceptible to a
> > remotely exploitable buffer overflow when the server is filled with
> > companies and clients with names that are (near) the maximum allowed
> > length for names. In the worst case OpenTTD will write the following
> > (mostly remotely changable bytes) into 1460 bytes of malloc-ed
> > memory:
> > up to 11 times (amount of players) 118 bytes
> > up to 8 times (amount of companies) 124 bytes
> > and 7 "header" bytes
> > Resulting in up to 2297 bytes being written in 1460 bytes of
> > malloc-ed memory. This makes it possible to remotely crash the game
> > or change the gamestate into an unrecoverable state.  "
> >
> > This is Debian bug #493714.
> >
> > I didn't yet have the time to check the diff between the versions.
> 
> Secunia interpreted [1] the "remotely exploitable buffer overflows" 
> mentioned in the changelog [2] to be a "boundary error within 
> the "TruncateString()" function in src/gfx.cpp". This would be the 
> following patch [3].

This is only used when drawing the data but not for 
communicatin between server and clients.

> However, this would overwrite the buffer by max. 2 
> bytes, and does not match your bug description too well. Is this maybe 
> r13712 [4] ?

Not exactly, this is the length enforcement on the client 
side. The fix on the server side is
svn diff -c 13713 svn://svn.openttd.org/trunk.
However the problem with this is that it does break network 
compatibility between different versions so it might be a 
bad idea to backport this. This way you can only proceed 
playing with people who also use this backported fix :/

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@...ber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux