Patch against monopd 0.9.3 DOS attack bug


Luigi Auriemma reported a security bug in monopd 0.9.3 which could result in a denial of service through excessive resource consumption:

The Monopd server performs a string replacement (escapeXML) of some characters in the input data from the client, to avoid manipulation of its XML output.

The problem is that replacing the bad characters takes a lot of CPU and memory if the string is too long (over 15000 chars), so no client on the server will be able to play or join during the attack.

I have written a proof-of-concept for testing the bug:

http://aluigi.altervista.org/poc/monopdx.zip

A fix against this DoS attack is available in the form of a patch against monopd 0.9.3, from the Atlantik and monopd download page. It limits the number of characters accepted from user input involving strings (player names and token images, game descriptions).
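As an added illustration (not monopd's own code, nor the patch itself), the following shows the shape of the mitigation the patch applies: truncate each user-supplied field to its fixed limit before it is escaped, so a 15000-character name costs no more than a 16-character one. The 16 and 32 limits are the ones quoted in the comments below; the escaping function, field names and helper names are assumptions.

```cpp
#include <cstddef>
#include <string>

// Added example, not monopd's escapeXML: a single-pass escape. The output
// grows at most 6x (for '"' -> "&quot;"), so reserving once up front avoids
// repeated reallocation and copying while the string is rebuilt.
std::string escapeXML(const std::string &in) {
    std::string out;
    out.reserve(in.size() * 6);
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&apos;"; break;
            default:   out += c;        break;
        }
    }
    return out;
}

// Limits taken from the substr() calls discussed in the comments; the
// constant names are assumptions for this example.
const std::size_t kMaxPlayerName = 16;
const std::size_t kMaxTokenImage = 32;

// Mirrors the patch's approach: cap the raw field *before* escaping it, so
// the cost of escaping is bounded by maxLen, not by what the client sent.
std::string limitedField(const std::string &raw, std::size_t maxLen) {
    return escapeXML(raw.substr(0, maxLen));
}

// True if the escaped output respects the worst-case bound for a field of
// maxLen characters, regardless of how long the raw input was.
bool withinBound(const std::string &raw, std::size_t maxLen) {
    return limitedField(raw, maxLen).size() <= maxLen * 6;
}
```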

Comments

jamie on Mar 17, 2006 14:05 CET

Hi there. The patch is slightly wrong - namely it causes icons and name changes to have the first character chopped off.

Namely:

setPlayerName(pInput, data2.substr(2, 16));

and

pInput->setProperty("image", data2.substr(3, 32), this);

should be respectively:

setPlayerName(pInput, data2.substr(1, 16));

and

pInput->setProperty("image", data2.substr(2, 32), this);

as the initial "." is already stripped off the command at these points!

cheers, Jamie

Rob (#1) on Mar 17, 2006 14:24 CET

Oops, of course. Fixed the patch.. mea culpa.

Some good news though: I might very well resume the monopd port to qt-core soon!

Jamie Jones on Mar 17, 2006 15:22 CET

That would be great! I run what seem to be the only public monopd servers at the moment (well, gtkatlantik has some, but they use their own gator... :sigh: )

I get periodic coredumps, which I'm currently looking at... I'll let you know if I find anything!

Out of interest, the backtrace says:

#0 0x280f2660 in Socket::ioWrite () from /usr/local/lib/libcapsinetwork.so.0
#1 0x80a3111 in Player::ioWrite ()
#2 0x80c623a in Trade::ioWrite ()
#3 0x80c617d in Trade::ioWrite ()
#4 0x80c6675 in Trade::writeComponentMsg ()
#5 0x80c5d29 in Trade::delComponent ()
#6 0x808155d in Game::transferEstate ()
#7 0x807db36 in Game::enforceDebt ()
#8 0x808d5f3 in Game::bankruptPlayer ()
#9 0x8083839 in Game::removePlayer ()
#10 0x80b6418 in MonopdServer::exitGame ()
#11 0x80bf19b in MonopdServer::processCommands ()
#12 0x80bdc65 in MonopdServer::processInput ()
#13 0x80a1387 in MonopdListener::socketHandler ()
#14 0x280efd67 in Listener::checkActivity () from /usr/local/lib/libcapsinetwork.so.0
#15 0x80a14e0 in main ()
#16 0x804ab0a in _start ()

cheers,
jamie

Rob (#1) on Mar 17, 2006 15:52 CET

Looks like a problem in libCapsiNetwork, not in monopd. I really should look into this.. but not on St. Patrick's Day. :D

Jamie again on Mar 23, 2006 14:44 CET

Just for info... since applying that patch I've had no core dumps, so it may have fixed things. I'll let you know if the situation changes.

Cheers! J

Jamie again on Mar 17, 2006 15:27 CET

P.S. Whilst monopd inside qt-core would be great - please don't make it exclusive - for instance, my servers don't have kde, qt, or X installed and they never will do :-)

Rob (#1) on Mar 17, 2006 15:50 CET

The whole idea of qt-core is that it offers the Qt classes and functionality without any dependencies on Xlibs. So you can install that subset of Qt4 on a server and not require KDE, X11 and so on. Think of qt-core as a very advanced STL.

I will not use qt-core for monopd if it would require a full graphical installation on servers, so don't worry. I haven't verified all this yet, but if qt-core can be installed without Xlibs, then monopd would at some point depend on it.

jamie on Mar 17, 2006 20:38 CET

Aye, I like your St. Paddys theme!!

And thanks for the clarification on qt-core - I was totally wrong on that one!

I have put some logging on the libcapsinetwork function, but it appears ok. The problem is the coredumps are not all that frequent, but it must annoy people to be dumped mid-game.

I'll let you know if I find anything, but I have zero c++ experience :blush:

Happy Paddys Day! And I'll end on a joke I just received!

Thanks,
Jamie

*AN IRISH BAR JOKE*
*At a world brewing convention in the States, the CEOs of various brewing
organizations retired to the bar at the end of each day's conference.

Bruce, CEO of Fosters, shouted to the Barman: "In 'Strylya, we make the
best bladdy beer in the world, so pour me a bladdy Fosters, mate."

Bob, CEO of Budweiser, calls out next: "In the States, we brew the finest
beers of the world, and I make the king of them all, gimme a Bud."

Hans steps up next: "In Germany ve invented das beer, ferdamt. Give me
ein Becks, ya ist der real King of beers, danke."

Paddy, CEO of Guinness, steps forward: "Barman, would ya give me a diet coke
with ice and lemon. Tanks."

The others stare at him in stunned silence, amazement written all over their
faces. Eventually Bruce asks: "Are you not going to have a
Guinness, Pat?"

Paddy replies: "Well, if you fookin' pansies aren't drinkin', then neither
am I." *
