J-Security Center

Title: Toribash Multiple Vulnerabilities

Severity: HIGH

Description:

Toribash is a fighting game that is available for Microsoft Windows, Mac OS X, and Linux platforms.

Toribash is prone to multiple remote code-execution and denial-of-service vulnerabilities that affect both game servers and game clients. Seven vulnerabilities were reported:

1. A format-string vulnerability can be triggered by a malicious client upon entering the game. Specifically, the client-supplied nickname is passed to the 'vfprintf()' formatted-printing function as the format string. Attacker-controlled format directives may let the attacker overwrite arbitrary memory locations and execute arbitrary code in the context of the game server.

2. A client-side buffer-overflow vulnerability may be triggered through a malicious replay (.rpl) file or by a malicious game server. This could result in the execution of arbitrary code in the context of the user running the game client.

3. A client-side buffer-overflow vulnerability may be triggered when a malicious SAY command is relayed from one client to another. The issue is reachable because of a second bug in the handling of line-feed characters: the server passes on client requests that are not terminated by a line feed, and the receiving client does not process such a request until the terminating line feed arrives. Requests to the server are ordinarily limited to 512 characters, but this bug allows several unterminated requests to be sent that, once assembled by the receiving client, exceed that limit. The client-side overflow is triggered when the assembled SAY command exceeds 1024 bytes, and it could potentially be exploited to execute arbitrary code in the context of the user running the game client.

4. A denial-of-service vulnerability in the game server can be triggered by a malicious GRIP command with an ID value of -1. This may crash the game server when it tries to process uninitialized values.

5. A denial-of-service issue is related to the handling of commands that do not contain a line-feed character. Since this character terminates a command, a malicious client can freeze other clients by sending unterminated commands: the receiving clients wait for the line feed to arrive from the server before servicing any other requests.

6. A denial-of-service issue in the game server may be caused when the server attempts to display the bell character (0x07) in its console. This occurs because the server fails to filter this character from client-supplied text before displaying it in the console.

7. A denial-of-service issue causes the game server to disconnect all connected game clients. It can be triggered when a malicious client joins a match and sends a malformed emote or SPEC command to the server; the server reacts by disconnecting the connected clients with a "malformed packet" message.
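
The following C listing is an added illustration and is not Toribash code or code from this advisory. It shows the vfprintf() pattern described in item 1 beside the fixed form: the only difference is whether the nickname is the format argument or a %s argument. The function names, the message text and the '%'-rejection check are assumptions made for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* VULNERABLE (the pattern item 1 describes): the client-supplied nickname is
 * handed to vfprintf() as the FORMAT argument, so a nick such as "%x.%x.%n"
 * reads stack words and writes to memory. Kept for contrast; it is only ever
 * called with a constant, '%'-free string below. */
static void announce_join_vuln(FILE *out, const char *nick, ...)
{
    va_list ap;
    va_start(ap, nick);
    vfprintf(out, nick, ap);                 /* BUG: user data used as the format */
    va_end(ap);
}

/* FIXED: the format is a compile-time literal and the nickname is a %s
 * argument, so any '%' it carries is printed literally. Returns the message
 * length, or -1 if it would not fit in dst. */
static int announce_join_fixed(char *dst, size_t dstlen, const char *nick)
{
    int n = snprintf(dst, dstlen, "%s has entered the game\n", nick);
    if (n < 0 || (size_t)n >= dstlen)
        return -1;
    return n;
}

/* Defence in depth (assumed policy, not from the advisory): reject nicknames
 * carrying format directives at the protocol boundary, so a regression in any
 * other printf-style call cannot be reached through this field. */
static int nick_has_directive(const char *nick)
{
    return strchr(nick, '%') != NULL;
}

int main(void)
{
    char msg[128];
    const char *evil = "%x.%x.%x.%n";        /* constructed hostile nickname */

    if (nick_has_directive(evil))
        puts("rejected: nickname contains format directives");
    if (announce_join_fixed(msg, sizeof msg, evil) > 0)
        fputs(msg, stdout);                  /* the %x and %n appear as plain text */
    announce_join_vuln(stdout, "Alice has entered the game\n"); /* benign constant only */
    return 0;
}
```

Compilers flag the vulnerable form with -Wformat-nonliteral (gcc/clang); the fixed form is the usual remediation and needs no change to the rest of the logging path.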

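The C listing below is an added simulation of the line-feed handling behind items 3 and 5; it is not Toribash code or code from this advisory. It models the relay the advisory describes (a 512-byte per-request cap at the server, no check for a terminating line feed) and a client that assembles relayed bytes into a fixed 1024-byte line, showing why the per-request cap does not bound the assembled line and how a bounded feeder plus a pending-command timeout closes both issues. The buffer sizes come from the advisory; the structure, function names and timeout are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define SERVER_MAX_REQ  512    /* per-request cap the server enforces (advisory) */
#define CLIENT_LINE_MAX 1024   /* client-side line buffer; the SAY overflow threshold */

enum feed_status { FEED_TOO_LONG = -1, FEED_WAITING = 0, FEED_COMPLETE = 1 };

struct client {
    char   line[CLIENT_LINE_MAX];
    size_t used;      /* bytes of the partial line assembled so far */
    int    waiting;   /* 1 while an unterminated command is pending (item 5) */
};

static void client_reset(struct client *c)
{
    c->used = 0;
    c->waiting = 0;
}

/* Server relay as the advisory describes it: accept at most SERVER_MAX_REQ bytes
 * and forward them unchanged, whether or not they end in '\n'. */
static size_t server_relay(const char *req, size_t len, char *out, size_t outcap)
{
    if (len > SERVER_MAX_REQ) len = SERVER_MAX_REQ;
    if (len > outcap) len = outcap;
    memcpy(out, req, len);
    return len;
}

/* VULNERABLE assembly (item 3): append until '\n' with no check against
 * CLIENT_LINE_MAX, so two relayed 512-byte fragments overrun c->line.
 * Kept for contrast only; never called. */
static void client_feed_vuln(struct client *c, const char *data, size_t len)
{
    memcpy(c->line + c->used, data, len);   /* BUG: c->used + len is unbounded */
    c->used += len;
}

/* HARDENED assembly: bound the assembled line and treat an over-long unterminated
 * command as a protocol violation. Consumes bytes up to and including the first
 * '\n'; a real client would loop over whatever follows it. */
static enum feed_status client_feed(struct client *c, const char *data, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (data[i] == '\n') {
            c->line[c->used] = '\0';
            c->waiting = 0;
            return FEED_COMPLETE;             /* caller handles c->line, then resets */
        }
        if (c->used + 1 >= CLIENT_LINE_MAX) {  /* keep room for the NUL */
            client_reset(c);
            return FEED_TOO_LONG;             /* drop it; disconnecting is also reasonable */
        }
        c->line[c->used++] = data[i];
    }
    c->waiting = 1;                            /* item 5: blocked on a missing line feed */
    return FEED_WAITING;
}

/* Item 5 mitigation (assumed): a pending fragment must not stall the client
 * forever. Called periodically; drops it once outstanding longer than timeout_ms. */
static int client_expire_pending(struct client *c, unsigned pending_ms, unsigned timeout_ms)
{
    if (c->waiting && pending_ms > timeout_ms) {
        client_reset(c);
        return 1;
    }
    return 0;
}

/* Scenario from item 3: two 512-byte SAY fragments without a line feed, each
 * relayed under the server cap and assembled by one receiving client. The
 * hardened feeder returns FEED_TOO_LONG on the second fragment instead of
 * writing past c->line. */
static enum feed_status simulate_say_overflow(void)
{
    struct client c;
    char req[SERVER_MAX_REQ], relayed[SERVER_MAX_REQ];
    enum feed_status st = FEED_WAITING;
    client_reset(&c);
    memset(req, 'A', sizeof req);             /* constructed hostile payload */
    memcpy(req, "SAY ", 4);
    for (int i = 0; i < 2 && st == FEED_WAITING; i++) {
        size_t n = server_relay(req, sizeof req, relayed, sizeof relayed);
        st = client_feed(&c, relayed, n);
    }
    return st;
}

int main(void)
{
    struct client c;
    client_reset(&c);
    printf("terminated command:     %d\n", client_feed(&c, "SAY hi\n", 7));
    client_reset(&c);
    printf("unterminated command:   %d\n", client_feed(&c, "SAY hi", 6));
    printf("expired after timeout:  %d\n", client_expire_pending(&c, 5000, 2000));
    printf("two 512-byte fragments: %d\n", simulate_say_overflow());
    return 0;
}
```

The same check belongs on the server side as well: refusing to relay a request that does not end in a line feed removes both the overflow path and the freeze in one place.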
These vulnerabilities may be exploited to execute arbitrary code in the context of the game server and game client, or to deny service to both servers and clients.
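
The C listing below is an added illustration of the two server-side input checks that items 4 and 6 call for; it is not Toribash code or code from this advisory. The slot count, structure and function names are assumptions; the advisory only states that a GRIP ID of -1 reaches uninitialized values and that the bell character reaches the console unfiltered.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PLAYERS 2   /* assumed number of player slots; illustrative only */

struct match {
    int grip[MAX_PLAYERS];
    int grip_set[MAX_PLAYERS];   /* 1 once a slot has been initialised */
};

/* Item 4: the GRIP id selects a player slot. Validate it before it is used as
 * an index; -1 (or any value outside the slot range) is rejected here instead
 * of reaching uninitialised state. Returns 0 on success, -1 on rejection. */
static int apply_grip(struct match *m, long id, int value)
{
    if (id < 0 || id >= MAX_PLAYERS)
        return -1;                  /* the advisory's id = -1 case lands here */
    m->grip[id] = value;
    m->grip_set[id] = 1;
    return 0;
}

/* Reads check the same range and additionally refuse a slot never set. */
static int read_grip(const struct match *m, long id, int *value)
{
    if (id < 0 || id >= MAX_PLAYERS || !m->grip_set[id])
        return -1;
    *value = m->grip[id];
    return 0;
}

/* Item 6: remove control characters from client text before it reaches the
 * server console. BEL (0x07) is the case the advisory names; this drops every
 * C0 control byte except TAB, plus DEL, since ESC (0x1b) sequences can do
 * more to a terminal than a beep. Edits in place; returns bytes removed. */
static size_t strip_control(char *s)
{
    size_t r = 0, w = 0;
    for (; s[r] != '\0'; r++) {
        unsigned char ch = (unsigned char)s[r];
        if ((ch < 0x20 && ch != '\t') || ch == 0x7f)
            continue;
        s[w++] = s[r];
    }
    s[w] = '\0';
    return r - w;
}

int main(void)
{
    struct match m;
    int v = 0;
    char chat[] = "hello\x07world\x1b[2J";   /* constructed client text with BEL and ESC */

    memset(&m, 0, sizeof m);
    printf("GRIP id -1 rejected: %d\n", apply_grip(&m, -1, 5) == -1);
    printf("read before set rejected: %d\n", read_grip(&m, 0, &v) == -1);
    apply_grip(&m, 0, 5);
    printf("stripped %zu control bytes: \"%s\"\n", strip_control(chat), chat);
    return 0;
}
```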

Affected Products:

  • Toribash 2.4
  • Toribash 2.5
  • Toribash 2.6
  • Toribash 2.7
