Tuesday, 20 February 2018

InfoSect's Month of Pointless Bugs (#23)

InfoSect, Canberra's hackerspace, regularly runs public group sessions to perform code review and vulnerability discovery. Over the next 30 days, I'll highlight the source code of 30 unknown vulnerabilities.

Bug #23

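This is another small bug in the lbreakout2 network game server. strncpy writes no terminating NUL when the source string is 16 bytes or longer, so the name string may not be NUL terminated after the strncpy, and the strchr that follows then reads past the end of the buffer.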

static void parse_packet_channel( ServerUser *user, ServerChannel *channel )
{
    int id;
    unsigned char type;
    char name[16];
    ServerUser *recv;
    ServerGameCtx ctx;
    ServerChannel *newchannel;

...

            case MSG_ENTER_CHANNEL:
                strncpy(name,msg_read_string(),16);
                if ( strchr( name, ' ' ) ) {
                    sprintf( errbuf, _("Channel name must not contain blanks!") );
                    send_info( user, MSG_ERROR, errbuf );
                    break;
                }
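The following is an added example, not code from lbreakout2 or from the original post. It reproduces the `strncpy(name, ..., 16)` pattern on constructed channel names, checks termination with a bounded `memchr` rather than `strchr`, and shows a length-checked copy; the function names and sample strings are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16  /* size of name[] in parse_packet_channel */

/* Same call pattern as the excerpt: copies at most NAME_LEN bytes and
 * writes no terminator when src has NAME_LEN or more characters. */
static void copy_name_as_in_excerpt(char name[NAME_LEN], const char *src)
{
    strncpy(name, src, NAME_LEN);
}

/* Bounded check that never reads past the buffer, unlike strchr/strlen. */
static int is_terminated(const char name[NAME_LEN])
{
    return memchr(name, '\0', NAME_LEN) != NULL;
}

/* Hypothetical hardened copy: rejects a name that does not fit instead of
 * leaving the buffer unterminated. Returns 0 on success, -1 if too long. */
static int copy_name_checked(char name[NAME_LEN], const char *src)
{
    size_t len = 0;
    while (len < NAME_LEN && src[len] != '\0')
        len++;
    if (len == NAME_LEN) {      /* no room left for the terminator */
        name[0] = '\0';
        return -1;
    }
    memcpy(name, src, len);
    name[len] = '\0';
    return 0;
}

int main(void)
{
    char name[NAME_LEN];
    /* Constructed sample names: 5, 15, 16 and 20 characters. */
    const char *samples[] = { "lobby", "123456789012345",
                              "1234567890123456", "AAAAAAAAAAAAAAAAAAAA" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        copy_name_as_in_excerpt(name, samples[i]);
        int terminated = is_terminated(name);
        int rc = copy_name_checked(name, samples[i]);
        printf("len=%zu strncpy-terminated=%d checked-copy=%d\n",
               strlen(samples[i]), terminated, rc);
    }
    return 0;
}
```
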
