Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

DoS Vulnerability in Zachtronics Manufactoid

From: Kærast <kaerast () justlostthegame com>
Date: Thu, 9 Oct 2008 18:09:57 +0100
JLTG Security Advisory 09.10.08

I. BACKGROUND
Manufactoid is a “game for engineers” with several levels in which you
assemble blocks and write lua code to create a factory. More
information can be found at the following URL:

http://www.zachtronicsindustries.com/pivot/entry.php?id=18

II. DESCRIPTION
Manufactoid reads in level files and saved games with little or no
filtering, there are several locations throughout the code where strcpy
and strcat. The software fails to check the length of various inputs
from the ascii level and game-save files, which leads to the software
crashing with the possibility of executing arbitrary code if further
analysis is done.

III. ANALYSIS
Fuzzing of the level files has lead to the software crashing (with or
without a “level complete” message) at varying points. Analysis of the
decompiled code shows strcpy and strcat being used in several locations
throughout the game which we believe may be exploitable through a
specially crafted level file, although we have yet to prove this.

IV. DETECTION
We have confirmed the existence of this issue in Manufactoid. Other
games in the series may have the same problem.

V. WORKAROUND
JLTG are unaware of any workaround for this issue, however since we can
only crash the game so far we do not consider this bug to be critical.

VI. VENDOR RESPONSE
“You’re probably right – I wrote Manufactoid a long time ago, and
without looking at the code I have no clue how I handled strings. I
never intended for people to make their own levels, though, so that
wasn’t an issue at the time. Good catch nevertheless!”

VII. RELEASE TIMELINE
30.09.08 Author contacted
08.09.08 Author acknowledged bug exists

VIII. CREDIT
Kærast at Just Lost The Game

IX. LEGAL NOTICES
Copyright 2008 JLTG.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS
condition. There are no warranties with regard to this information.
Neither the author nor the publisher accepts any liability for any
direct, indirect, or consequential loss or damage arising from use of,
or reliance on, this information. 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: