CVE-2012-0049 (vulnerable 0.3.5 - fixed 1.1.5)
Short description: Denial of service (server) via slow read attack
Related bug reports:
Patches: (sometimes more fuzz is needed to apply them)
- For version 0.6.0 up to including 0.6.3
- For version 0.7.0 up to including 0.7.5
- For version 1.0.0 up to including 1.0.0
- For version 1.0.1 up to including 1.0.1
- For version 1.0.2 up to including 1.0.5
- For version 1.1.0 up to including 1.1.4
Using a slow read type attack it is possible to prevent anyone from joining
a server while spending virtually no resources. Once one client is downloading
the map, no other map downloads can start, so downloading the map very slowly
prevents everyone else from joining. This is further aggravated by the
pause-on-join setting, in which case the game is paused and the already joined
players cannot continue the game during such an attack. This attack requires
that the user is not banned and passes the server's authorization, although
many servers have no server password and thus authorization is trivial.
A similar attack can be performed during the authorization phase itself; however, it will neither block anyone else from joining (unless the connection is repeated multiple times until the connection limit is reached) nor stop the game for the already joined players. This attack merely requires that the user is not banned.
Note that versions before 0.6.0 are vulnerable as well. However, these versions are over five years old and no longer supported, so no patches for earlier versions are provided. Before 0.3.5 it is not possible to exploit this bug via the internet, as multiplayer over the internet did not exist yet. The provided patch is a simplification of the fix in 1.1.5, because that version slightly changes the network protocol to tell clients that they were kicked due to the (password) timeout.
The attached patch does not change network compatibility. The fix in trunk does change network compatibility.
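The advisory describes the fix only as a timeout on the password phase and the map download. The following is an added, constructed example (not OpenTTD code, and not the attached patch) that shows the server-side bookkeeping such a fix needs: every joining client carries the time it entered its current phase and the time of its last progress, and a reaper drops clients that exceed either an idle budget or a total-time budget for that phase. The phase names, the `JoinPipeline` class and the timeout values are assumptions chosen for illustration. The total-time cap matters for this bug class: a client that acknowledges one byte every few seconds never looks idle, so an idle timeout alone would still let it hold the single map-download slot.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Phase(Enum):
    AUTHORIZING = "authorizing"      # waiting for the (password) handshake
    QUEUED = "queued"                # authorized, waiting for the map slot
    DOWNLOADING_MAP = "downloading"  # receiving the map; one client at a time
    PLAYING = "playing"              # fully joined


# Hypothetical policy in seconds, chosen for this example only.
PHASE_MAX_IDLE = {Phase.AUTHORIZING: 5.0, Phase.DOWNLOADING_MAP: 10.0}
PHASE_MAX_TOTAL = {Phase.AUTHORIZING: 10.0, Phase.DOWNLOADING_MAP: 60.0}


@dataclass
class Client:
    name: str
    phase: Phase
    phase_started: float  # when the client entered its current phase
    last_progress: float  # last auth packet or last acknowledged map chunk
    bytes_received: int = 0


class JoinPipeline:
    """Server-side view of clients that have not finished joining."""

    def __init__(self) -> None:
        self.clients: Dict[str, Client] = {}
        self.map_slot: Optional[str] = None  # client currently downloading the map
        self.waiting: List[str] = []         # authorized clients queued for the slot

    def connect(self, name: str, now: float) -> None:
        self.clients[name] = Client(name, Phase.AUTHORIZING, now, now)

    def _start_download(self, name: str, now: float) -> None:
        c = self.clients[name]
        c.phase, c.phase_started, c.last_progress = Phase.DOWNLOADING_MAP, now, now
        self.map_slot = name

    def authorized(self, name: str, now: float) -> None:
        """Client passed the password check: take the slot if free, else queue."""
        if self.map_slot is None:
            self._start_download(name, now)
        else:
            c = self.clients[name]
            c.phase, c.phase_started = Phase.QUEUED, now
            self.waiting.append(name)

    def map_chunk_acked(self, name: str, now: float, nbytes: int) -> None:
        c = self.clients[name]
        c.last_progress = now
        c.bytes_received += nbytes

    def _hand_over_slot(self, now: float) -> None:
        while self.waiting and self.map_slot is None:
            nxt = self.waiting.pop(0)
            if nxt in self.clients:
                self._start_download(nxt, now)

    def download_finished(self, name: str, now: float) -> None:
        self.clients[name].phase = Phase.PLAYING
        self.map_slot = None
        self._hand_over_slot(now)

    def kick(self, name: str, now: float) -> None:
        self.clients.pop(name)
        if name in self.waiting:
            self.waiting.remove(name)
        if self.map_slot == name:
            self.map_slot = None
            self._hand_over_slot(now)

    def reap_stalled(self, now: float) -> List[str]:
        """Drop every joining client over its phase's idle or total budget."""
        kicked = [
            n for n, c in self.clients.items()
            if c.phase in PHASE_MAX_TOTAL
            and (now - c.last_progress > PHASE_MAX_IDLE[c.phase]
                 or now - c.phase_started > PHASE_MAX_TOTAL[c.phase])
        ]
        for n in kicked:
            self.kick(n, now)
        return kicked


def simulate_trickle_reader() -> Tuple[float, List[str], Optional[str]]:
    """Constructed scenario: 'slow' acks one byte every 4 s (never idle),
    'honest' is queued behind it.  Returns (time, kicked, new slot holder)."""
    p = JoinPipeline()
    p.connect("slow", 0.0)
    p.authorized("slow", 1.0)
    p.connect("honest", 2.0)
    p.authorized("honest", 3.0)
    t = 1.0
    while t < 200.0:
        t += 1.0
        if "slow" in p.clients and t % 4 == 0:
            p.map_chunk_acked("slow", t, 1)
        kicked = p.reap_stalled(t)
        if kicked:
            return t, kicked, p.map_slot
    return t, [], p.map_slot


def simulate_auth_stall() -> Tuple[float, List[str]]:
    """Constructed scenario: a client connects and never answers the password
    prompt; the idle budget of the authorization phase removes it."""
    p = JoinPipeline()
    p.connect("silent", 0.0)
    t = 0.0
    while t < 30.0:
        t += 1.0
        kicked = p.reap_stalled(t)
        if kicked:
            return t, kicked
    return t, []


if __name__ == "__main__":
    print("trickle reader:", simulate_trickle_reader())
    print("auth stall:", simulate_auth_stall())
```

In the trickle scenario the slow client is never idle long enough to trip the idle budget; it is the 60-second total cap on the download phase that frees the slot, after which the queued client starts its own download with a fresh budget. Queued clients carry no budget of their own because their waiting is the server's doing, not theirs.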