Originally posted by theultramage
http://www.eathena.ws/board/index.php?autocom=bugtracker&showbug=588
I thought a bit about how eathena handles emblems, and I've come up with several scenarios that an attacker might use to gain advantage.
Using packet manipulation, he could potentially
- crash the mapserver by faking the 'length' of the packet, causing a read-past-rfifo segfault
- crash the mapserver/charserver by faking the length, thus making the servers manipulate a 64k large blob of data (because static buffers are used a lot and there's absolutely NO size checking done anywhere on the execution path)
- make the charserver crash at startup, if the charserver somehow survives the previous operation and manages to save the data (again, static buffers)
- crash any client on demand, by switching the guild's emblem to something that's not a valid bitmap, then switching the emblem back, erasing all evidence
(this depends on the client's emblem handling code, but I assume no checking is done in there)
None of these were actually tested, but are likely to be possible.
This post has been edited by theultramage: Dec 11 2007, 04:56 AM
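An added defensive example, not code from the post or from eAthena: a C routine that validates an incoming emblem packet before any payload byte is copied, rejecting the faked-length, oversized and non-bitmap cases the post lists. The 12-byte header layout, the 1800-byte cap, the error enum and the sample packets are constructed assumptions; eAthena's real packet format and buffer sizes are not on the page.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed limits: eAthena's real header layout and buffer sizes are not on the page. */
#define EMBLEM_HEADER_LEN 12    /* hypothetical fixed header: id(2) len(2) guild_id(4) account_id(4) */
#define EMBLEM_MAX_LEN    1800  /* hypothetical cap sized to the static receive buffer */

enum emblem_check {
    EMBLEM_OK = 0,
    EMBLEM_ERR_TRUNCATED,  /* header incomplete, or declared length exceeds bytes in the FIFO */
    EMBLEM_ERR_TOO_SMALL,  /* declared length cannot even cover the fixed header */
    EMBLEM_ERR_TOO_LARGE,  /* blob would overrun the fixed-size buffer */
    EMBLEM_ERR_NOT_BMP     /* payload is not a plausible bitmap */
};

/* Validate a variable-length emblem packet before any payload byte is copied.
 * 'avail' is the number of bytes the read FIFO really holds starting at 'pkt';
 * if 'out_len' is non-NULL, the accepted payload length is stored there. */
enum emblem_check check_emblem_packet(const uint8_t *pkt, size_t avail, size_t *out_len)
{
    uint16_t declared;
    size_t payload;
    if (avail < EMBLEM_HEADER_LEN)                 /* length field itself not readable yet */
        return EMBLEM_ERR_TRUNCATED;
    declared = (uint16_t)(pkt[2] | (pkt[3] << 8)); /* little-endian length field */
    if (declared < EMBLEM_HEADER_LEN)
        return EMBLEM_ERR_TOO_SMALL;
    if (declared > avail)                          /* would read past the FIFO */
        return EMBLEM_ERR_TRUNCATED;
    payload = declared - EMBLEM_HEADER_LEN;
    if (payload > EMBLEM_MAX_LEN)                  /* bound the blob to the receiving buffer */
        return EMBLEM_ERR_TOO_LARGE;
    /* Minimal bitmap sanity: 'BM' magic and a BITMAPFILEHEADER size field equal to the payload. */
    if (payload < 14 || pkt[EMBLEM_HEADER_LEN] != 'B' || pkt[EMBLEM_HEADER_LEN + 1] != 'M')
        return EMBLEM_ERR_NOT_BMP;
    {
        const uint8_t *s = pkt + EMBLEM_HEADER_LEN + 2;
        uint32_t bmp_size = s[0] | (s[1] << 8) | ((uint32_t)s[2] << 16) | ((uint32_t)s[3] << 24);
        if (bmp_size != payload)
            return EMBLEM_ERR_NOT_BMP;
    }
    if (out_len) *out_len = payload;
    return EMBLEM_OK;
}

/* Constructed sample packets for exercising the check (not captured traffic). */
static const uint8_t SAMPLE_GOOD[26]    = { 0, 0, 26, 0, [12] = 'B', 'M', 14, 0, 0, 0 };
static const uint8_t SAMPLE_NOT_BMP[26] = { 0, 0, 26, 0, [12] = 'X', 'M', 14, 0, 0, 0 };
static const uint8_t SAMPLE_SHORT[12]   = { 0, 0, 5, 0 };          /* declares 5 bytes */
static const uint8_t SAMPLE_HUGE[4096]  = { 0, 0, 0xA0, 0x0F };    /* declares 4000 bytes */
```

The same length-versus-available check is what each server hop (map and char) would need to repeat before writing the blob into its own buffer, since the post notes the blob is passed on and saved unchecked.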