ClanMod插件远程格式字符串漏洞

STGG · 发表于 2003-3-18 16:28:14

UnitedAdmins ClanMod 1.80.19 Beta
+ Valve Software Half-Life Dedicated Server 3.1 .0.4 Linux
+ Valve Software Half-Life Dedicated Server 3.1 .0.5 Linux
+ Valve Software Half-Life Dedicated Server 3.1 .0.6 Linux
+ Valve Software Half-Life Dedicated Server 3.1 .0.7 Linux
+ Valve Software Half-Life Dedicated Server 3.1 .0.8 Linux
+ Valve Software Half-Life Dedicated Server 3.1 .0.9 Linux
+ Valve Software Half-Life Dedicated Server 3.1 And Previous
+ Valve Software Half-Life Dedicated Server 3.1.1 .0 Linux
+ Valve Software Half-Life Dedicated Server 3.1.3 x
+ Valve Software Half-Life Dedicated Server 4.1 .0.4 Win32
+ Valve Software Half-Life Dedicated Server 4.1 .0.6 Win32
+ Valve Software Half-Life Dedicated Server 4.1 .0.7 Win32
+ Valve Software Half-Life Dedicated Server 4.1 .0.8 Win32
+ Valve Software Half-Life Dedicated Server 4.1 .0.9 Win32
+ Valve Software Half-Life Dedicated Server 4.1.1 .0 Win32
UnitedAdmins ClanMod 1.81.11 Beta
+ Valve Software Half-Life Dedicated Server 3.1 .0.4 Linux
+ Valve Software Half-Life Dedicated Server 3.1 .0.5 Linux
+ Valve Software Half-Life Dedicated Server 3.1 .0.6 Linux
+ Valve Software Half-Life Dedicated Server 3.1 .0.7 Linux
+ Valve Software Half-Life Dedicated Server 3.1 .0.8 Linux
+ Valve Software Half-Life Dedicated Server 3.1 .0.9 Linux
+ Valve Software Half-Life Dedicated Server 3.1 And Previous
+ Valve Software Half-Life Dedicated Server 3.1.1 .0 Linux
+ Valve Software Half-Life Dedicated Server 3.1.3 x
+ Valve Software Half-Life Dedicated Server 4.1 .0.4 Win32
+ Valve Software Half-Life Dedicated Server 4.1 .0.6 Win32
+ Valve Software Half-Life Dedicated Server 4.1 .0.7 Win32
+ Valve Software Half-Life Dedicated Server 4.1 .0.8 Win32
+ Valve Software Half-Life Dedicated Server 4.1 .0.9 Win32
+ Valve Software Half-Life Dedicated Server 4.1.1 .0 Win32

详细描述
Half-Life ClanMod插件用于"半条命"游戏服务器。

问题存在于'cm_log'命令中，设计用于写消息到服务日志文件中。问题代码server.cpp如下：

2790 void CmdLogMessage()
2791 {
2792       if (CMD_ARGC() > 1) {
2793                UTIL_FillText((char*)CMD_ARGS()/*UTIL_GetVarArgs(1,FALSE)*/, NULL, 256,cmSet.allow_to_execute,NULL,
NULL,TRUE);
2794                UTIL_LogPrintf(UTIL_VarArgs("[%s] %s",Plugin_info.logtag,  com_token));
2795       }
2796       else
2797                PrintErrorInfo("cm_log");
2798
2799       //Close any opened gate
2800       cmSet.allow_to_execute_time = gpGlobals->time + 0.25;
2801 }

2794行UTIL_LogPrintf在接收用户提供的字符串时缺少正确检查，可发生格式字符串问题。

发布日期 2003-01-10
发现者 VOID.AT Security <crew@void.at>

转自：安全焦点

yam · 发表于 2003-3-19 11:33:41

stgg 开始研究安全啦？？？

cool ~~~
:)

STGG · 发表于 2003-3-19 15:59:52

近来对网络安全的有兴趣~~

间中做做CS小黑客，偷偷的帮别人的服务器装上一些插件~~

不知它们的OP知了会怎样了。。。

becking · 发表于 2003-3-19 16:02:10

我晕~~把你的偷安装的方法写个帖子..呵呵~~偶也要玩`~:)

STGG · 发表于 2003-3-19 16:13:44

那些是网络安全方面的话题，在网上多的是~我也是刚开始学呀

我也是学着别人的帖子做!!但我发觉网上很管理员也真的是。。。HOHO，WIN2000的登陆密码竟是123456，还有的是空密码!!正好给我做练习呢~

-|CatKinG|-*凹 · 发表于 2003-3-27 10:48:31

那些是NT弱口令入侵~~我以为是通过CS服务器入侵的呢？？呵呵