blockda / BlowTorch

A tool for playing text based adventure games that communicate over Telnet. Features include simple alias replacement, triggers, timers, custom speedwalks, xterm256 color support, lua scripting, plugins and miniwindows.
http://bt.offsetnull.com
MIT License

Exploitable Blowtorch telnet protocol crash #12

Open blockda opened 5 years ago

blockda commented 5 years ago

Reported via email.

blockda commented 5 years ago

We found a critical bug when sending text to one of our users previewing the GMCP support the mud MUME. The user's Blowtorch app crashed, and she had to reboot her phone. Obviously, this can be exploited by a malicious user in player killing MUDs so it's somewhat critical that it is fixed and an update be pushed to the app store ASAP.

https://github.com/blockda/BlowTorch/blob/22ad3cac456d3fc80a117cc7df1af59e0661111a/BTLib/src/com/offsetnull/bt/service/Processor.java#L193-L196

does do "i++", and it doesn't fall through to

https://github.com/blockda/BlowTorch/blob/22ad3cac456d3fc80a117cc7df1af59e0661111a/BTLib/src/com/offsetnull/bt/service/Processor.java#L210

result:

"IAC IAC SB GMCP ... IAC IAC" displays byte 255, and then it processes "IAC SB GMCP ... IAC IAC".

https://github.com/blockda/BlowTorch/blob/22ad3cac456d3fc80a117cc7df1af59e0661111a/BTLib/src/com/offsetnull/bt/service/Processor.java#L128-L137

runs out of bounds trying to find "IAC SE", so it throws an exception and crashes.

So we found at least two bugs:

  1. IAC IAC doesn't eat the character.
  2. IAC SB XXX doesn't bounds check when searching for IAC SE.

There's no telling what would have happened if I had included the SE, because it would have processed [IAC] "IAC SB GMCP ... IAC IAC SE". I didn't look to see what happens if it can't "unescape" the payload data.
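For reference, an added example (not BlowTorch's code) of how a Telnet stream splitter avoids both defects described in this report: an escaped 0xFF ("IAC IAC") yields one literal byte and consumes both, and an "IAC SB ... IAC SE" scan that hits the end of the buffer returns the unfinished tail as leftover to prepend to the next socket read instead of indexing out of bounds. The option value `GMCP = 201` and the handling of negotiation commands are assumptions for the example, not taken from Processor.java.

```python
# Added example, not BlowTorch's code: bounds-checked Telnet stream splitting.
IAC, SB, SE = 255, 250, 240
WILL, WONT, DO, DONT = 251, 252, 253, 254   # IAC <cmd> <option>: three bytes
GMCP = 201                                  # Telnet option number used by GMCP

def split_telnet(buf):
    """Return (text, subnegs, leftover) for one chunk read from the socket.
    text     -- display bytes, with IAC IAC unescaped to a single 0xFF
    subnegs  -- [(option, payload), ...] for each complete IAC SB ... IAC SE
    leftover -- tail of an unfinished sequence, to be prepended to the next
                chunk instead of indexing past the end of this one
    """
    text, subnegs, i, n = bytearray(), [], 0, len(buf)
    while i < n:
        if buf[i] != IAC:
            text.append(buf[i])
            i += 1
            continue
        if i + 1 >= n:                       # lone IAC at the end: need more data
            break
        cmd = buf[i + 1]
        if cmd == IAC:                       # escaped 0xFF: consume BOTH bytes
            text.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):  # option negotiation, ignored here
            if i + 2 >= n:
                break
            i += 3
        elif cmd == SB:
            j, payload = i + 2, bytearray()
            while j < n:                     # scan for IAC SE, unescaping IAC IAC
                if buf[j] != IAC:
                    payload.append(buf[j]); j += 1
                elif j + 1 >= n:             # IAC is the last byte: truncated
                    break
                elif buf[j + 1] == IAC:
                    payload.append(IAC); j += 2
                elif buf[j + 1] == SE:
                    break
                else:                        # stray IAC inside SB: keep as data
                    payload.append(buf[j]); j += 1
            if j + 1 >= n:                   # no IAC SE yet: keep buf[i:] for later
                break
            if payload:                      # first byte is the option, e.g. GMCP
                subnegs.append((payload[0], bytes(payload[1:])))
            i = j + 2                        # step past IAC SE
        else:                                # other two-byte command (NOP, GA, ...)
            i += 2
    return bytes(text), subnegs, buf[i:]
```

Fed the sequence from this report, "IAC IAC SB GMCP ... IAC IAC", the splitter emits 0xFF, the literal SB and GMCP bytes, and a trailing 0xFF as text, with no subnegotiation and nothing left over.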