Gunz: Remote DoS vulnerability

30 Jun 2009

Product: Gunz server daemon (a.k.a. MDaemon), rev 5 (Release date 13.06.2007);
Class: Remote DoS/Buffer Overflow vulnerability
Product Details:
The released Gunz server files, originating from the Gunz subsidiary, Brazil Gunz, are considered the most commonly used server files for Gunz private servers everywhere.

Disclosure Details:
By sending a specific byte series, a remote Denial of Service (DoS) attack can be launched against an unsuspecting Gunz subsidiary running with a vulnerable version of MDaemon.

Disclosure Execution:
Sending a login packet whose string field is longer than the fixed length the server expects causes a buffer overflow, which indirectly results in a remote DoS (NOTE: the overflowed string is not executed, so RCE is not possible).

Packet Structure details: http://i40.tinypic.com/sngl1g.jpg (Credits to Gunz dev., Phail).
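The defensive side of the issue above is a parser that refuses a string field before copying it into a fixed-size buffer. The following is an added example written for this page, not code from the advisory or from the MDaemon server: it assumes a hypothetical framing (a 2-byte little-endian length prefix before each of a username and a password field, with 16-byte destination fields), since the real MAIET layout is only in the linked diagram. The names `parse_login`, `read_str`, `check_packet` and the sample packets are all constructed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed framing (not from the page): [u16 LE len][len bytes] for the
 * username, then the same for the password. Field size is also assumed. */
#define MAX_FIELD_LEN 16

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2, PARSE_TRAILING = -3 };

struct login {
    char user[MAX_FIELD_LEN];
    char pass[MAX_FIELD_LEN];
};

/* Read one length-prefixed string into a fixed buffer. Rejects a declared
 * length that would not fit the buffer (with its NUL terminator) and a
 * declared length that runs past the end of the packet. Advances *pos only
 * on success. */
static int read_str(const uint8_t *pkt, size_t len, size_t *pos,
                    char *out, size_t cap)
{
    if (len - *pos < 2)
        return PARSE_TRUNCATED;
    size_t n = (size_t)pkt[*pos] | ((size_t)pkt[*pos + 1] << 8);
    *pos += 2;
    if (n >= cap)                     /* the bound an unpadded copy lacks */
        return PARSE_TOO_LONG;
    if (len - *pos < n)               /* declared length exceeds packet */
        return PARSE_TRUNCATED;
    memcpy(out, pkt + *pos, n);
    out[n] = '\0';
    *pos += n;
    return PARSE_OK;
}

/* Parse a whole login packet; any trailing bytes are treated as malformed. */
int parse_login(const uint8_t *pkt, size_t len, struct login *out)
{
    size_t pos = 0;
    int rc = read_str(pkt, len, &pos, out->user, sizeof out->user);
    if (rc != PARSE_OK)
        return rc;
    rc = read_str(pkt, len, &pos, out->pass, sizeof out->pass);
    if (rc != PARSE_OK)
        return rc;
    return pos == len ? PARSE_OK : PARSE_TRAILING;
}

/* Convenience wrapper returning only the verdict for a packet. */
int check_packet(const uint8_t *pkt, size_t len)
{
    struct login l;
    memset(&l, 0, sizeof l);
    return parse_login(pkt, len, &l);
}

/* Constructed sample packets for demonstration. */
const uint8_t good_pkt[] = { 5, 0, 'a', 'l', 'i', 'c', 'e', 3, 0, 'p', 'w', 'd' };
/* declares a 10-byte username but only carries 3 bytes */
const uint8_t short_pkt[] = { 10, 0, 'x', 'x', 'x' };
/* declares a 20-byte username, larger than the 16-byte field */
const uint8_t long_pkt[] = { 20, 0, 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a',
                             'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a' };

int main(void)
{
    printf("good:  %d\n", check_packet(good_pkt, sizeof good_pkt));
    printf("short: %d\n", check_packet(short_pkt, sizeof short_pkt));
    printf("long:  %d\n", check_packet(long_pkt, sizeof long_pkt));
    return 0;
}
```

The point of the `n >= cap` test is that the decision is taken on the attacker-supplied length before any byte is copied; a server that pads every string to a fixed width gets the same guarantee for free, which is why the comment below notes that only the unpadded packets are affected.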

6 Responses to “Gunz: Remote DoS vulnerability”

  1. Phail

    This DoS will work for any packet not using a padding method for the strings. There are few packets inside the MAIET protocol that do this. MAIET’s official servers are still open to this DoS attack and many others. In the public MDaemon there is an SQL injection which consists of closing up an EXEC inside of a clan creation / join / delete or a stage map.

    • majii

      But, if I remember correctly, the stage map bug at the least was already patched.

      • Phail

        The buffer overflow was, but not the SQL injection.

  2. o.O cool..

  3. tagalogdude22

    I agree with mikeymike!

  4. You should post a piece of code to show us how to do it! xD
