Vulnerabilities > CVE-2007-3917 - USE of Externally-Controlled Format String vulnerability in Wesnoth
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
COMPLETE Summary
The multiplayer engine in Wesnoth 1.2.x before 1.2.7 and 1.3.x before 1.3.9 allows remote servers to cause a denial of service (crash) via a long message with multibyte characters that can produce an invalid UTF-8 string after it is truncated, which triggers an uncaught exception, involving the truncate_message function in server/server.cpp. NOTE: this issue affects both clients and servers.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Format String Injection An attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting character. For example, in certain functions of the C programming languages such as printf, the formatting character %s will print the contents of a memory location expecting this location to identify a string and the formatting character %n prints the number of DWORD written in the memory. An attacker can use this to read or write to memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes and writing memory could result in the execution of arbitrary code if the attacker can write to the program stack.
- String Format Overflow in syslog() This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-1386.NASL description A problem has been discovered in the processing of chat messages. Overly long messages are truncated by the server to a fixed length, without paying attention to the multibyte characters. This leads to invalid UTF-8 on clients and causes an uncaught exception. Note that both wesnoth and the wesnoth server are affected. last seen 2020-06-01 modified 2020-06-02 plugin id 27043 published 2007-10-15 reporter This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/27043 title Debian DSA-1386-1 : wesnoth - programming error code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-1386. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(27043); script_version("1.15"); script_cvs_date("Date: 2019/08/02 13:32:20"); script_cve_id("CVE-2007-3917"); script_xref(name:"DSA", value:"1386"); script_name(english:"Debian DSA-1386-1 : wesnoth - programming error"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "A problem has been discovered in the processing of chat messages. Overly long messages are truncated by the server to a fixed length, without paying attention to the multibyte characters. This leads to invalid UTF-8 on clients and causes an uncaught exception. Note that both wesnoth and the wesnoth server are affected." ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2007/dsa-1386" ); script_set_attribute( attribute:"solution", value: "Upgrade the wesnoth packages. For the old stable distribution (sarge) this problem has been fixed in version 0.9.0-6 and in version 1.2.7-1~bpo31+1 of sarge-backports. For the stable distribution (etch) this problem has been fixed in version 1.2-2 and in version 1.2.7-1~bpo40+1 of etch-backports. Packages for the oldstable mips architecture will be added to the archive later." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_cwe_id(134); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:wesnoth"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0"); script_set_attribute(attribute:"patch_publication_date", value:"2007/10/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/10/15"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.1", prefix:"wesnoth", reference:"0.9.0-6")) flag++; if (deb_check(release:"3.1", prefix:"wesnoth-data", reference:"0.9.0-6")) flag++; if (deb_check(release:"3.1", prefix:"wesnoth-editor", reference:"0.9.0-6")) flag++; if (deb_check(release:"3.1", prefix:"wesnoth-ei", reference:"0.9.0-6")) flag++; if (deb_check(release:"3.1", prefix:"wesnoth-httt", reference:"0.9.0-6")) flag++; if (deb_check(release:"3.1", prefix:"wesnoth-music", reference:"0.9.0-6")) flag++; if (deb_check(release:"3.1", prefix:"wesnoth-server", reference:"0.9.0-6")) flag++; if (deb_check(release:"3.1", prefix:"wesnoth-sotbe", reference:"0.9.0-6")) flag++; if (deb_check(release:"3.1", prefix:"wesnoth-tdh", reference:"0.9.0-6")) flag++; if (deb_check(release:"3.1", prefix:"wesnoth-trow", reference:"0.9.0-6")) flag++; if (deb_check(release:"4.0", prefix:"wesnoth", reference:"1.2-2")) flag++; if (deb_check(release:"4.0", prefix:"wesnoth-data", reference:"1.2-2")) flag++; if (deb_check(release:"4.0", prefix:"wesnoth-editor", reference:"1.2-2")) flag++; if (deb_check(release:"4.0", prefix:"wesnoth-ei", reference:"1.2-2")) flag++; if (deb_check(release:"4.0", prefix:"wesnoth-httt", reference:"1.2-2")) flag++; if (deb_check(release:"4.0", prefix:"wesnoth-music", reference:"1.2-2")) flag++; if (deb_check(release:"4.0", prefix:"wesnoth-server", reference:"1.2-2")) flag++; if (deb_check(release:"4.0", prefix:"wesnoth-trow", reference:"1.2-2")) flag++; if (deb_check(release:"4.0", prefix:"wesnoth-tsg", reference:"1.2-2")) flag++; if (deb_check(release:"4.0", prefix:"wesnoth-ttb", reference:"1.2-2")) flag++; if (deb_check(release:"4.0", prefix:"wesnoth-utbs", reference:"1.2-2")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Fedora Local Security Checks NASL id FEDORA_2007-2496.NASL description Security fix release: A malicious user could send a long chat message with multibyte characters, the server would truncate the message on a fixed length, without paying attention to the multibyte characters. This led to invalid utf-8 on the client and an uncaught exception was thrown. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 27774 published 2007-11-06 reporter This script is Copyright (C) 2007-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/27774 title Fedora 7 : wesnoth-1.2.7-1.fc7 (2007-2496) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2007-2496. # include("compat.inc"); if (description) { script_id(27774); script_version ("1.13"); script_cvs_date("Date: 2019/08/02 13:32:25"); script_cve_id("CVE-2007-3917"); script_xref(name:"FEDORA", value:"2007-2496"); script_name(english:"Fedora 7 : wesnoth-1.2.7-1.fc7 (2007-2496)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "Security fix release: A malicious user could send a long chat message with multibyte characters, the server would truncate the message on a fixed length, without paying attention to the multibyte characters. This led to invalid utf-8 on the client and an uncaught exception was thrown. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=324841" ); # https://lists.fedoraproject.org/pipermail/package-announce/2007-October/004164.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?84f738b5" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_cwe_id(134); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:wesnoth"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:wesnoth-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:wesnoth-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:wesnoth-tools"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:7"); script_set_attribute(attribute:"patch_publication_date", value:"2007/10/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/06"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 7.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC7", reference:"wesnoth-1.2.7-1.fc7")) flag++; if (rpm_check(release:"FC7", reference:"wesnoth-debuginfo-1.2.7-1.fc7")) flag++; if (rpm_check(release:"FC7", reference:"wesnoth-server-1.2.7-1.fc7")) flag++; if (rpm_check(release:"FC7", reference:"wesnoth-tools-1.2.7-1.fc7")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "wesnoth / wesnoth-debuginfo / wesnoth-server / wesnoth-tools"); }
References
- http://osvdb.org/41711
- http://secunia.com/advisories/27137
- http://secunia.com/advisories/27218
- http://secunia.com/advisories/27241
- http://svn.gna.org/viewcvs/wesnoth/tags/1.2.7/changelog?rev=20982&view=download
- http://www.debian.org/security/2007/dsa-1386
- http://www.securityfocus.com/bid/25995
- http://www.vupen.com/english/advisories/2007/3449
- http://www.wesnoth.org/forum/viewtopic.php?p=256618
- http://www.wesnoth.org/forum/viewtopic.php?t=18188
- https://bugzilla.redhat.com/show_bug.cgi?id=324841
- https://exchange.xforce.ibmcloud.com/vulnerabilities/37047
- https://www.redhat.com/archives/fedora-package-announce/2007-October/msg00194.html