Bugtraq mailing list archives


Server crash and motd deletion in MultiTheftAuto 0.5 patch 1


From: Luigi Auriemma <aluigi () autistici org>
Date: Sun, 25 Sep 2005 17:08:05 +0200

#######################################################################

                             Luigi Auriemma

Application:  MultiTheftAuto
              http://www.multitheftauto.com
Versions:     <= 0.5 patch 1
Platforms:    Windows, Linux, FreeBSD and OpenBSD
Bugs:         A] anyone can modify the motd
              B] Windows server crash
Exploitation: remote, versus server
Date:         25 Sep 2005
Author:       Luigi Auriemma
              e-mail: aluigi () autistici org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


MultiTheftAuto (MTA) is a closed-source mod and server for the games
Grand Theft Auto III (http://www.rockstargames.com/grandtheftauto3/)
and Grand Theft Auto: Vice City
(http://www.rockstargames.com/vicecity/pc/) which adds multiplayer
capabilities to them.


#######################################################################

=======
2) Bugs
=======


Both the following bugs are directly related but have been separated
since the effects change between the available versions for the
supported platforms:


-----------------------------
A] anyone can modify the motd
-----------------------------

The MTA server has the remote administration option enabled by default.
The problem is the existence of an undocumented command (number 40)
which allows the modification or the deletion of the content of the
motd.txt file used for the message of the day.
This is the only command which doesn't check if the client is an admin
so anyone without permissions has access to it.


-----------------------
B] Windows server crash
-----------------------

The command 40 is also the cause of another problem located in the same
function which seems incomplete or experimental as shown by the
following "retrieved" code:

    // open file for writing "w"
    length = *(u_int *)(src - (src % 4096));
    for(i = j = 0; i < length; i++) {
        if(src[i] == '\n') dst[j++] = '\r';
        dst[j++] = src[i];
        if(j < 1024) continue;
        if(!WriteFile(...)) break;
        j = 0;
    }
    // close file

length is -1 so the function starts an almost endless loop which stops
when the source buffer points to an unallocated zone of the memory.
The result is the immediate crash of the MTA server.

Seems that only the Windows server is affected by the crash because on
Linux the function is substituted with the following "still incorrect"
instruction which doesn't produce exceptions:

    fd = fopen("motd.txt", "w");
    fwrite(data + 4, 1, data, fd);  // yes data is the buffer
    fclose(fd);


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/mtaboom.zip


#######################################################################

======
4) Fix
======


The developers have said that MTA is no longer supported.


#######################################################################


---
Luigi Auriemma
http://aluigi.altervista.org
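
A hardened form of the command 40 handler described in the advisory, as an added example (not code from the advisory or from MTA). It applies the two checks reported as missing: the admin check (bug A) and validation of the length against the bytes actually received (bug B). The name `motd_update`, the 4-byte little-endian length prefix, the error codes and the 1024-byte cap are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MOTD_MAX 1024  /* constructed cap on the accepted motd size */
enum { MOTD_ERR_AUTH = -1, MOTD_ERR_LEN = -2, MOTD_ERR_SPACE = -3 };

/* Hypothetical handler for the motd-update command. Assumed payload
 * layout: 4-byte little-endian length, then the text. Converts LF to
 * CRLF into out; returns bytes written or a negative error code. */
static int motd_update(int is_admin, const unsigned char *pkt, size_t pkt_len,
                       char *out, size_t out_cap)
{
    if (!is_admin)
        return MOTD_ERR_AUTH;          /* bug A: privilege check first */
    if (pkt_len < 4)
        return MOTD_ERR_LEN;

    uint32_t declared = (uint32_t)pkt[0] | (uint32_t)pkt[1] << 8 |
                        (uint32_t)pkt[2] << 16 | (uint32_t)pkt[3] << 24;
    /* bug B: a declared length of -1 (0xffffffff) is rejected here */
    if (declared > pkt_len - 4 || declared > MOTD_MAX)
        return MOTD_ERR_LEN;

    const unsigned char *src = pkt + 4;
    size_t j = 0;
    for (size_t i = 0; i < declared; i++) {
        size_t need = (src[i] == '\n') ? 2 : 1;
        if (need > out_cap - j)        /* j never exceeds out_cap */
            return MOTD_ERR_SPACE;
        if (src[i] == '\n')
            out[j++] = '\r';
        out[j++] = (char)src[i];
    }
    return (int)j;
}

int main(void)
{
    /* constructed packets: length 3 + "a\nb", and a declared length of -1 */
    const unsigned char ok[]  = { 3, 0, 0, 0, 'a', '\n', 'b' };
    const unsigned char bad[] = { 0xff, 0xff, 0xff, 0xff, 'x' };
    char out[16];
    printf("%d %d %d\n", motd_update(1, ok, sizeof ok, out, sizeof out),
           motd_update(0, ok, sizeof ok, out, sizeof out),
           motd_update(1, bad, sizeof bad, out, sizeof out));
    return 0;
}
```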
