URL:
<http://gna.org/bugs/?13037>
Summary: Malicious compressed data from client can exhaust memory on MP server
Project: Battle for Wesnoth
Submitted by: dfranke
Submitted on: Saturday 02/21/2009 at 10:39
Category: Bug
Severity: 6 - Security
Priority: 5 - Normal
Item Group: None of the others
Status: None
Privacy: Private
Assigned to: None
Originator Email:
Open/Closed: Open
Discussion Lock: Any
Release: 1.5.10+svn
Operating System: Linux
_______________________________________________________
Details:
The MP server (and probably the client and the campaign server as well, but I
haven't checked) uncompresses incoming messages from clients in their entirety
immediately upon receiving them. Gzip's compression format permits compressed
data to expand to up to about 1000 times its compressed size. Therefore, a
client can send a few megabytes of compressed data to the server, and the
server will uncompress it into gigabytes, thus exhausting system memory and
crashing the server.
I have a working exploit for this, which simply reads the contents of a
compressed file and sends it to the server using network::send_raw_data().
The file was generated using
    dd if=/dev/zero bs=1M count=20480 | gzip > evil.gz
and is thus about 20MB in size and uncompresses to 20GB.
The exploit code is too crude to bother posting, but I'll clean it up upon
request.
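The fix the report points at is to inflate with an output budget instead of decompressing a message whole. The following is an added example (Python with the standard zlib module, not Wesnoth's own C++ code); the 1 MiB per-message cap and the 4 MiB constructed sample are assumptions, and the sample is a scaled-down version of the dd | gzip file described above.

```python
import gzip
import zlib

# Constructed sample in the spirit of the report's `dd if=/dev/zero | gzip`,
# scaled down from 20 GB to 4 MiB so the example runs in a moment.
BOMB_UNCOMPRESSED = 4 * 1024 * 1024
BOMB = gzip.compress(b"\x00" * BOMB_UNCOMPRESSED)

# Assumed per-message budget; a real server would size this from its protocol.
MAX_MESSAGE = 1024 * 1024


class DecompressionBomb(Exception):
    """Raised when a gzip stream would inflate past the configured limit."""


def bounded_gunzip(data: bytes, limit: int = MAX_MESSAGE) -> bytes:
    """Inflate a gzip message but never materialise more than `limit` bytes."""
    d = zlib.decompressobj(wbits=zlib.MAX_WBITS | 16)  # +16: gzip framing
    out = bytearray()
    pending = data
    while not d.eof:
        # max_length caps this call's output; the +1 distinguishes "exactly
        # at the cap" from "the stream still has more to give".
        chunk = d.decompress(pending, limit - len(out) + 1)
        out += chunk
        if len(out) > limit:
            raise DecompressionBomb(f"output exceeds {limit} bytes")
        pending = d.unconsumed_tail  # input zlib has not consumed yet
        if not pending and not chunk:
            raise ValueError("truncated gzip stream")
    return bytes(out)


def handle_compressed_message(data: bytes, limit: int = MAX_MESSAGE) -> str:
    """Per-message decision a server loop would make: inflate or reject."""
    try:
        payload = bounded_gunzip(data, limit)
    except DecompressionBomb:
        return "rejected: decompressed size over limit"
    except (zlib.error, ValueError):
        return "rejected: corrupt gzip stream"
    return f"accepted {len(payload)} bytes"


if __name__ == "__main__":
    print(f"{len(BOMB)} compressed bytes -> {BOMB_UNCOMPRESSED} uncompressed")
    print(handle_compressed_message(BOMB))
    print(handle_compressed_message(gzip.compress(b"[login]username=guest[/login]")))
```

The naive `gzip.decompress(BOMB)` happily allocates the full 4 MiB, whereas the bounded version stops after about 1 MiB of output and the server can drop the client.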
_______________________________________________________
Wesnoth-bugs mailing list
https://mail.gna.org/listinfo/wesnoth-bugs