Vulnerabilities > CVE-2006-1010 - Denial Of Service vulnerability in Crossfire 1.7.0/1.8.0

047910
CVSS 6.4 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: PARTIAL
Availability impact: PARTIAL
network
low complexity
crossfire
nessus
exploit available

Summary

Buffer overflow in socket/request.c in CrossFire before 1.9.0, when oldsocketmode is enabled, allows remote attackers to cause a denial of service (segmentation fault) and possibly execute code by sending the server a large request. This vulnerability affects CrossFire versions 1.8.0 and earlier.

Vulnerable Configurations

Part | Description | Count
Application | Crossfire | 2

Exploit-Db

description: CrossFire. CVE-2006-1010. DoS exploit for Windows platform
id: EDB-ID:1535
last seen: 2016-01-31
modified: 2006-02-27
published: 2006-02-27
reporter: Luigi Auriemma
source: https://www.exploit-db.com/download/1535/
title: CrossFire <= 1.8.0 - oldsocketmode Remote Buffer Overflow PoC

Nessus

  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200604-11.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200604-11 (Crossfire server: Denial of Service and potential arbitrary code execution). Luigi Auriemma discovered a vulnerability in the Crossfire game server, in the handling of the 'oldsocketmode' option when processing overly large requests.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21276
    published: 2006-04-26
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/21276
    title: GLSA-200604-11 : Crossfire server: Denial of Service and potential arbitrary code execution
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200604-11.
    #
    # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    # Registration pass: when the script is run with 'description' set, only
    # the metadata below is recorded and exit(0) returns before any of the
    # package checks further down are reached.
    if (description)
    {
      script_id(21276);
      script_version("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:43");
    
      # References tying this plugin to the CVE and to the Gentoo advisory
      # (GLSA 200604-11) its text and package ranges were taken from.
      script_cve_id("CVE-2006-1010");
      script_xref(name:"GLSA", value:"200604-11");
    
      script_name(english:"GLSA-200604-11 : Crossfire server: Denial of Service and potential arbitrary code execution");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      # Advisory text shown in the report; the literal is multi-line, so its
      # line breaks and leading spaces are part of the reported string.
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200604-11
    (Crossfire server: Denial of Service and potential arbitrary code execution)
    
        Luigi Auriemma discovered a vulnerability in the Crossfire game
        server, in the handling of the 'oldsocketmode' option when processing
        overly large requests.
      
    Impact :
    
        An attacker can set up a malicious Crossfire client that would
        send a large request in 'oldsocketmode', resulting in a Denial of
        Service on the Crossfire server and potentially in the execution of
        arbitrary code on the server with the rights of the game server.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200604-11"
      );
      # Remediation: the fixed version named here (>= 1.9.0) is the same
      # boundary the qpkg_check() call in the check section tests against.
      script_set_attribute(
        attribute:"solution", 
        value:
    "All Crossfire server users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=games-server/crossfire-server-1.9.0'"
      );
      # NOTE(review): the base vector rates confidentiality impact as None and
      # integrity/availability as Partial, although the description above
      # mentions possible arbitrary code execution. The score may understate
      # the worst case -- confirm before using it alone for prioritisation.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P");
    
      # plugin_type "local" plus the ssh_get_info.nasl dependency below suggest
      # the finding is derived from package data collected on the host rather
      # than from a network probe of the game server -- confirm.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:crossfire-server");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      # Timeline attributes: patch, plugin and vulnerability publication dates.
      script_set_attribute(attribute:"patch_publication_date", value:"2006/04/22");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/04/26");
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/02/27");
      script_end_attributes();
    
      # ACT_GATHER_INFO: registered in the information-gathering category.
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      # KB keys the plugin requires; the check section re-tests the same three
      # keys before doing any work.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    # Check pass. The three KB keys named in script_require_keys() are
    # re-tested here; when one is absent the matching reason is handed to
    # audit() (from audit.inc, not shown on this page).
    if (!get_kb_item("Host/local_checks_enabled"))
    {
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    }
    if (!get_kb_item("Host/Gentoo/release"))
    {
      audit(AUDIT_OS_NOT, "Gentoo");
    }
    if (!get_kb_item("Host/Gentoo/qpkg-list"))
    {
      audit(AUDIT_PACKAGE_LIST_MISSING);
    }

    # Version-only test against the "lt 1.9.0" / "ge 1.9.0" ranges. Nothing
    # here looks at whether 'oldsocketmode' is enabled, so a finding means
    # "package below the fixed version is installed", not "the vulnerable
    # option is in use".
    flag = 0;
    if (qpkg_check(
          package:"games-server/crossfire-server",
          unaffected:make_list("ge 1.9.0"),
          vulnerable:make_list("lt 1.9.0")))
    {
      flag++;
    }

    if (!flag)
    {
      # Nothing flagged: separate "tested and not affected" from "package not
      # installed" using whatever qpkg_tests_get() returns.
      tested = qpkg_tests_get();
      if (tested)
      {
        audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      }
      else
      {
        audit(AUDIT_PACKAGE_NOT_INSTALLED, "Crossfire server");
      }
    }
    else
    {
      # Report on port 0; the package detail from qpkg_report_get() is
      # attached only when report_verbosity is above zero.
      if (report_verbosity > 0)
      {
        security_warning(port:0, extra:qpkg_report_get());
      }
      else
      {
        security_warning(0);
      }
      exit(0);
    }
    
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_86CC5C6FD2B411DAA672000E0C2E438A.NASL
    description: FRSIRT reports: A vulnerability has been identified in CrossFire, which could be exploited by remote attackers to execute arbitrary commands or cause a denial of service. This flaw is due to a buffer overflow error in the 'oldsocketmode' module that fails to properly handle overly large requests, which could be exploited by a malicious client to crash or compromise a vulnerable system.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 21465
    published: 2006-05-13
    reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/21465
    title: FreeBSD : crossfire-server -- denial of service and remote code execution vulnerability (86cc5c6f-d2b4-11da-a672-000e0c2e438a)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    # Registration pass: when the script is run with 'description' set, only
    # the metadata below is recorded and exit(0) returns before the package
    # test further down is reached.
    if (description)
    {
      script_id(21465);
      script_version("1.15");
      script_cvs_date("Date: 2019/08/02 13:32:38");
    
      # References: the CVE and the Bugtraq ID for the same issue.
      script_cve_id("CVE-2006-1010");
      script_bugtraq_id(16883);
    
      script_name(english:"FreeBSD : crossfire-server -- denial of service and remote code execution vulnerability (86cc5c6f-d2b4-11da-a672-000e0c2e438a)");
      script_summary(english:"Checks for updated package in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote FreeBSD host is missing a security-related update."
      );
      # Advisory text shown in the report; the literal is multi-line, so its
      # line breaks are part of the reported string.
      script_set_attribute(
        attribute:"description", 
        value:
    "FRSIRT reports :
    
    A vulnerability has been identified in CrossFire, which could be
    exploited by remote attackers to execute arbitrary commands or cause a
    denial of service. This flaw is due to a buffer overflow error in the
    'oldsocketmode' module that fails to properly handle overly large
    requests, which could be exploited by a malicious client to crash or
    compromise a vulnerable system."
      );
      # NOTE(review): the value registered below is only the site root; the
      # advisory path is kept in the comment that follows.
      # http://www.frsirt.com/english/advisories/2006/0760
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.frsirt.com"
      );
      # The registered value is a nessus.org short link; the comment below
      # records the VuXML entry it presumably resolves to -- confirm.
      # https://vuxml.freebsd.org/freebsd/86cc5c6f-d2b4-11da-a672-000e0c2e438a.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?e67c9511"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected package.");
      # NOTE(review): the base vector rates confidentiality impact as None and
      # integrity/availability as Partial, although the description above
      # speaks of executing arbitrary commands. The score may understate the
      # worst case -- confirm before using it alone for prioritisation.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P");
      # Temporal vector: E:F (functional exploit), RL:OF (official fix),
      # RC:C (confirmed), consistent with the two exploit attributes below.
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      # plugin_type "local" plus the ssh_get_info.nasl dependency below suggest
      # the finding is derived from package data collected on the host rather
      # than from a network probe of the game server -- confirm.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:crossfire-server");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      # Timeline attributes: vulnerability, patch and plugin publication dates.
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/02/28");
      script_set_attribute(attribute:"patch_publication_date", value:"2006/04/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/05/13");
      script_end_attributes();
    
      # ACT_GATHER_INFO: registered in the information-gathering category.
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      # KB keys the plugin requires; the check section re-tests the same three
      # keys before doing any work.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    # Check pass. The three KB keys named in script_require_keys() are
    # re-tested here; when one is absent the matching reason is handed to
    # audit() (from audit.inc, not shown on this page).
    if (!get_kb_item("Host/local_checks_enabled"))
    {
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    }
    if (!get_kb_item("Host/FreeBSD/release"))
    {
      audit(AUDIT_OS_NOT, "FreeBSD");
    }
    if (!get_kb_item("Host/FreeBSD/pkg_info"))
    {
      audit(AUDIT_PACKAGE_LIST_MISSING);
    }

    # Version-only test: the single pattern "crossfire-server<1.9.0" is passed
    # to pkg_test(). Nothing here looks at whether 'oldsocketmode' is enabled,
    # so a finding means "package below the fixed version is installed", not
    # "the vulnerable option is in use".
    flag = 0;
    if (pkg_test(save_report:TRUE, pkg:"crossfire-server<1.9.0"))
    {
      flag++;
    }

    if (!flag)
    {
      audit(AUDIT_HOST_NOT, "affected");
    }
    else
    {
      # Report on port 0; the package detail from pkg_report_get() is attached
      # only when report_verbosity is above zero.
      if (report_verbosity > 0)
      {
        security_warning(port:0, extra:pkg_report_get());
      }
      else
      {
        security_warning(0);
      }
      exit(0);
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1001.NASL
    description: It was discovered that Crossfire, a multiplayer adventure game, performs insufficient bounds checking on network packets when run in 'oldsocketmode', which may possibly lead to the execution of arbitrary code.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 22543
    published: 2006-10-14
    reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/22543
    title: Debian DSA-1001-1 : crossfire - buffer overflow
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1001. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    # Registration pass: when the script is run with 'description' set, only
    # the metadata below is recorded and exit(0) returns before the dpkg
    # comparisons further down are reached.
    if (description)
    {
      script_id(22543);
      script_version("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:19");
    
      # References tying this plugin to the CVE and to Debian advisory DSA-1001.
      script_cve_id("CVE-2006-1010");
      script_xref(name:"DSA", value:"1001");
    
      script_name(english:"Debian DSA-1001-1 : crossfire - buffer overflow");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      # Advisory text shown in the report; the literal is multi-line, so its
      # line breaks are part of the reported string.
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that Crossfire, a multiplayer adventure game,
    performs insufficient bounds checking on network packets when run in
    'oldsocketmode', which may possibly lead to the execution of arbitrary
    code."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2006/dsa-1001"
      );
      # Remediation: the two fixed versions named here (woody and sarge) are
      # the 'reference' values the deb_check() calls in the check section use.
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the crossfire packages.
    
    For the old stable distribution (woody) this problem has been fixed in
    version 1.1.0-1woody1.
    
    For the stable distribution (sarge) this problem has been fixed in
    version 1.6.0.dfsg.1-4sarge1."
      );
      # NOTE(review): the base vector rates confidentiality impact as None and
      # integrity/availability as Partial, although the description above
      # mentions possible arbitrary code execution. The score may understate
      # the worst case -- confirm before using it alone for prioritisation.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P");
    
      # plugin_type "local" plus the ssh_get_info.nasl dependency below suggest
      # the finding is derived from package data collected on the host rather
      # than from a network probe of the game server -- confirm.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:crossfire");
      # OS CPEs for 3.0 and 3.1, the two releases the check section tests.
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
    
      # Timeline attributes: patch, plugin and vulnerability publication dates.
      script_set_attribute(attribute:"patch_publication_date", value:"2006/03/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14");
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/02/27");
      script_end_attributes();
    
      # ACT_GATHER_INFO: registered in the information-gathering category.
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      # KB keys the plugin requires; the check section re-tests the same three
      # keys before doing any work.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Check pass. The three KB keys named in script_require_keys() are
    # re-tested here; when one is absent the matching reason is handed to
    # audit() (from audit.inc, not shown on this page).
    if (!get_kb_item("Host/local_checks_enabled"))
    {
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    }
    if (!get_kb_item("Host/Debian/release"))
    {
      audit(AUDIT_OS_NOT, "Debian");
    }
    if (!get_kb_item("Host/Debian/dpkg-l"))
    {
      audit(AUDIT_PACKAGE_LIST_MISSING);
    }

    # Version-only comparison per release: 3.0 against 1.1.0-1woody1 and 3.1
    # against 1.6.0.dfsg.1-4sarge1, the fixed versions given in the solution
    # text. Nothing here looks at whether 'oldsocketmode' is enabled.
    # NOTE(review): crossfire-doc and crossfire-edit are compared against the
    # same reference as crossfire-server, so a host carrying only one of those
    # packages below the reference also counts towards 'flag'; whether they
    # contain the affected socket code is not visible on this page.
    flag = 0;

    # Debian 3.0
    if (deb_check(release:"3.0", prefix:"crossfire-doc", reference:"1.1.0-1woody1"))
      flag++;
    if (deb_check(release:"3.0", prefix:"crossfire-edit", reference:"1.1.0-1woody1"))
      flag++;
    if (deb_check(release:"3.0", prefix:"crossfire-server", reference:"1.1.0-1woody1"))
      flag++;

    # Debian 3.1
    if (deb_check(release:"3.1", prefix:"crossfire-doc", reference:"1.6.0.dfsg.1-4sarge1"))
      flag++;
    if (deb_check(release:"3.1", prefix:"crossfire-edit", reference:"1.6.0.dfsg.1-4sarge1"))
      flag++;
    if (deb_check(release:"3.1", prefix:"crossfire-server", reference:"1.6.0.dfsg.1-4sarge1"))
      flag++;

    if (!flag)
    {
      audit(AUDIT_HOST_NOT, "affected");
    }
    else
    {
      # Report on port 0; the package detail from deb_report_get() is attached
      # only when report_verbosity is above zero.
      if (report_verbosity > 0)
      {
        security_warning(port:0, extra:deb_report_get());
      }
      else
      {
        security_warning(0);
      }
      exit(0);
    }