Full Disclosure mailing list archives
DoS Vulnerability in Zachtronics Manufactoid
From: Kærast <kaerast () justlostthegame com>
Date: Thu, 9 Oct 2008 18:09:57 +0100
JLTG Security Advisory 09.10.08 I. BACKGROUND Manufactoid is a “game for engineers” with several levels in which you assemble blocks and write lua code to create a factory. More information can be found at the following URL: http://www.zachtronicsindustries.com/pivot/entry.php?id=18 II. DESCRIPTION Manufactoid reads in level files and saved games with little or no filtering, there are several locations throughout the code where strcpy and strcat. The software fails to check the length of various inputs from the ascii level and game-save files, which leads to the software crashing with the possibility of executing arbitrary code if further analysis is done. III. ANALYSIS Fuzzing of the level files has lead to the software crashing (with or without a “level complete” message) at varying points. Analysis of the decompiled code shows strcpy and strcat being used in several locations throughout the game which we believe may be exploitable through a specially crafted level file, although we have yet to prove this. IV. DETECTION We have confirmed the existence of this issue in Manufactoid. Other games in the series may have the same problem. V. WORKAROUND JLTG are unaware of any workaround for this issue, however since we can only crash the game so far we do not consider this bug to be critical. VI. VENDOR RESPONSE “You’re probably right – I wrote Manufactoid a long time ago, and without looking at the code I have no clue how I handled strings. I never intended for people to make their own levels, though, so that wasn’t an issue at the time. Good catch nevertheless!” VII. RELEASE TIMELINE 30.09.08 Author contacted 08.09.08 Author acknowledged bug exists VIII. CREDIT Kærast at Just Lost The Game IX. LEGAL NOTICES Copyright 2008 JLTG. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- DoS Vulnerability in Zachtronics Manufactoid Kærast (Oct 10)