Re: RFS: KildClient - Powerful MUD client with a built-in Perl interpreter
On Sat, 31 Dec 2005, Eduardo M KALINOWSKI wrote:
Package name : kildclient
Kildclient supports the MCCP (Mud Client Compression Protocol) protocol,
versions 1 and 2, to reduce the necessary bandwidth.
I hope that you're aware that MCCP is a security hole. It assumes that
the server either supports MCCP itself or at least has fully featured
support for the TELNET protocol.
It enables any player to knock you off the server, by saying/etc
anything that includes the following bytes:
255 253 86 255 250 86 255 240 (for MCCP v2)
255 253 85 255 250 85 251 240 (for MCCP v1)
If the server in question has only partial support for TELNET
(most LP-based servers, including the "ldmud" package in Debian), the
attacker has to double the 255 bytes.
You can't blame servers for not talking TELNET, as this is just an extra
feature. Most codebases (by count, not by usage ratio) don't have it.
Partial support is a bug (protocol violation), but unfortunately it's
prevalent as most servers use a LP derivative. Thus, you need to
either remove support for MCCP or make it an option that is disabled by
default. MCCP is a custom extension used by few servers, so axing it
won't really hurt.
Kildclient will either segfault or lock up -- I'm not sure if this can
be exploited to run arbitrary code.
There is a consistent crash every time you enter "Preferences" for the
Segmentation fault (core dumped)
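Added example, not KildClient's code and not part of the message above: a toy TELNET receiver that reproduces the problem described in the mail and the fix it asks for. The three server models in relay() (no TELNET, partial TELNET that only decodes IAC IAC on input, full TELNET that also escapes output), the Client class and its require_negotiation switch are constructed for illustration; the byte sequences are the ones quoted in the mail. A client that starts zlib-inflating on a bare IAC SB COMPRESS IAC SE (or the MCCP v1 form ending in WILL SE) feeds plain text to zlib and fails as soon as the next bytes arrive; the hardened policy only inflates after the client itself answered DO to a WILL, and with MCCP off by default it never does.

```python
"""Added example, not KildClient's code: a toy TELNET/MCCP receiver showing why a
bare "IAC SB COMPRESS IAC SE" must not switch on decompression. The server models
in relay() and the Client policy switches are constructed for illustration."""
import zlib

IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254
COMPRESS1, COMPRESS2 = 85, 86          # MCCP v1 and v2 option numbers

# The two byte strings quoted in the mail, as a hostile player would 'say' them
ATTACK_V2 = bytes([IAC, DO, COMPRESS2, IAC, SB, COMPRESS2, IAC, SE])
ATTACK_V1 = bytes([IAC, DO, COMPRESS1, IAC, SB, COMPRESS1, WILL, SE])


def relay(line: bytes, telnet: str) -> bytes:
    """Constructed model of a server echoing one player's line to another.
    'none'   : no TELNET layer at all, bytes pass straight through
    'partial': IAC IAC on input becomes one 255 byte, output is never escaped
    'full'   : input decoded as above, and every 255 re-escaped on output
    """
    data = line if telnet == "none" else line.replace(bytes([IAC, IAC]), bytes([IAC]))
    if telnet == "full":
        data = data.replace(bytes([IAC]), bytes([IAC, IAC]))
    return data


class Client:
    """Minimal TELNET receiver. require_negotiation=False reproduces the unsafe
    behaviour; the default only inflates after we answered DO to a WILL."""

    def __init__(self, mccp_enabled: bool, require_negotiation: bool = True):
        self.mccp_enabled = mccp_enabled
        self.require_negotiation = require_negotiation
        self.agreed = False          # we replied DO to the server's WILL COMPRESS
        self.inflater = None         # zlib stream once compression is active
        self.text = bytearray()      # what reaches the screen
        self.sent = bytearray()      # replies we sent back to the server
        self.alive = True

    def _negotiate(self, cmd: int, opt: int) -> None:
        if cmd == WILL and opt in (COMPRESS1, COMPRESS2) and self.mccp_enabled:
            self.sent += bytes([IAC, DO, opt]); self.agreed = True
        elif cmd == WILL:
            self.sent += bytes([IAC, DONT, opt])
        elif cmd == DO:
            self.sent += bytes([IAC, WONT, opt])   # we offer no options ourselves

    def feed(self, data: bytes) -> None:
        if not self.alive:
            return
        if self.inflater is not None:
            try:
                data = self.inflater.decompress(data)
            except zlib.error:
                self.alive = False   # plain text is not a zlib stream: the real client dies here
                return
        i = 0
        while i < len(data):
            b = data[i]
            if b != IAC:
                self.text.append(b); i += 1; continue
            if i + 1 >= len(data):
                break                # truncated command; a real client would buffer it
            cmd = data[i + 1]
            if cmd == IAC:
                self.text.append(IAC); i += 2            # escaped literal 255
            elif cmd in (WILL, WONT, DO, DONT):
                self._negotiate(cmd, data[i + 2]); i += 3
            elif cmd == SB:
                opt = data[i + 2]
                # MCCP v1 ends its subnegotiation with the odd "WILL SE", v2 with IAC SE
                term = bytes([WILL, SE]) if opt == COMPRESS1 else bytes([IAC, SE])
                i = data.index(term, i + 3) + 2
                if opt in (COMPRESS1, COMPRESS2) and (self.agreed or not self.require_negotiation):
                    self.inflater = zlib.decompressobj()
                    self.feed(data[i:])                  # everything after SE is compressed
                    return
            else:
                i += 2                                   # NOP, GA, AYT, ...


def attack(telnet: str, client: Client, seq: bytes = ATTACK_V2) -> bool:
    """A hostile player says the sequence; True if the victim's client survives.
    Against a partial or full TELNET server the attacker doubles each 255 byte."""
    if telnet != "none":
        seq = seq.replace(bytes([IAC]), bytes([IAC, IAC]))
    client.feed(relay(b"Mallory says 'hi " + seq + b"'\r\n", telnet))
    return client.alive


def legit_session(client: Client) -> bytes:
    """A server that really implements MCCP v2: offer, wait for DO, then
    announce compression and send zlib data from that point on."""
    client.feed(bytes([IAC, WILL, COMPRESS2]))
    if client.sent.endswith(bytes([IAC, DO, COMPRESS2])):
        client.feed(bytes([IAC, SB, COMPRESS2, IAC, SE]) + zlib.compress(b"Welcome!\r\n"))
    else:
        client.feed(b"Welcome!\r\n")
    return bytes(client.text)


if __name__ == "__main__":
    for telnet in ("none", "partial", "full"):
        print(telnet, "naive survives:", attack(telnet, Client(True, require_negotiation=False)),
              "hardened survives:", attack(telnet, Client(False)))
```

Only the full-TELNET server neutralises the injected bytes, because it re-escapes every 255 on output and the client then reads them as literal characters; against a server with no or partial TELNET support the naive client dies on the first text byte after SE, while the hardened client ignores the bare subnegotiation and still works with a server that negotiates MCCP properly.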