CVE-2011-3341 (vulnerable 0.3.5 - fixed 1.1.3)
Short description: Denial of service via improperly validated commands
Official CVE-2011-3341 entry at cve.mitre.org.
Related bug reports:
Related commits:
Patches: (sometimes more fuzz is needed to apply them)
- For version 0.3.5 up to including 0.5.3
- For version 0.6.0 up to including 0.6.3
- For version 0.7.0 up to including 0.7.5
- For version 1.0.0 up to including 1.0.0
- For version 1.0.1 up to including 1.0.5
- For version 1.1.0 up to including 1.1.2
In multiple places, in-game commands are not properly validated, which allows
remote attackers to cause a denial of service (crash) and possibly execute
arbitrary code via unspecified vectors.
The bug is exploitable only in-game, so the attacker must have access to the
server: his IP must not be banned, he must know the password if one has been
set, and the server must not be full.
The major cause of these bugs is off-by-one errors in the validation of the
commands sent from the clients to the server, and from the server to the
clients. In theory, one could therefore affect both the server and the clients
of that server.
Two of the cases (since 0.7.0) are known to make the game state invalid, which
eventually causes the application to crash via "abort()". Two cases cause a
read beyond the boundaries of a (static) table (since 0.3.5 and 1.0.0
respectively). The last case allows changes to the game state of other players,
which might trigger invalid reads for those players if they had the autoreplace
window open (since 0.6.0).
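The off-by-one validation pattern described above, shown as an added example; this is constructed code, not OpenTTD's own, and the command table, handler names and dispatch function are all hypothetical. It places the faulty bounds check (`<=` against the element count, which accepts an index one slot past the end of a static table) beside the corrected one (`<`), and shows a dispatch routine that drops a malformed command instead of indexing past the table:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical command table: a fixed-size array indexed by the command id
 * decoded from a remote packet. Constructed for this example; the real game's
 * table and handlers are different. */
typedef int (*CommandHandler)(uint32_t param);

static int cmd_noop(uint32_t p)  { (void)p; return 0; }
static int cmd_build(uint32_t p) { return (int)(p & 0xff); }
static int cmd_sell(uint32_t p)  { return -(int)(p & 0xff); }

static const CommandHandler command_table[] = { cmd_noop, cmd_build, cmd_sell };
#define COMMAND_COUNT (sizeof(command_table) / sizeof(command_table[0]))

/* The off-by-one pattern: '<=' lets id == COMMAND_COUNT through, which is one
 * element past the end of command_table. Only the check itself is shown here;
 * nothing is dereferenced on this path. */
bool command_id_ok_vulnerable(uint32_t id)
{
    return id <= COMMAND_COUNT;
}

/* Corrected check: a valid index is strictly less than the element count. */
bool command_id_ok_fixed(uint32_t id)
{
    return id < COMMAND_COUNT;
}

/* Sentinel returned when a command id fails validation. */
#define DISPATCH_REJECTED INT32_MIN

/* Dispatch a decoded (id, param) pair using the corrected check. A packet with
 * an out-of-range id is rejected rather than causing a read past the table. */
int dispatch_command(uint32_t id, uint32_t param)
{
    if (!command_id_ok_fixed(id)) return DISPATCH_REJECTED;
    return command_table[id](param);
}

int main(void)
{
    /* Constructed inputs: one in-range id, the boundary id, and a huge id. */
    uint32_t ids[] = { 1, (uint32_t)COMMAND_COUNT, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof(ids) / sizeof(ids[0]); i++) {
        printf("id=%u vulnerable_check=%d fixed_check=%d dispatch=%d\n",
               (unsigned)ids[i],
               command_id_ok_vulnerable(ids[i]),
               command_id_ok_fixed(ids[i]),
               dispatch_command(ids[i], 0x1234));
    }
    return 0;
}
```

The boundary id (equal to the table length) is the interesting input: the faulty check accepts it while the corrected check and the dispatcher reject it. Note that using an unsigned id also removes the second common mistake in such checks, a negative index passing a signed `< count` comparison.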
