
Re: RFS: KildClient - Powerful MUD client with a built-in Perl interpreter

On Sat, 31 Dec 2005, Eduardo M KALINOWSKI wrote:
> Package name    : kildclient

> Kildclient supports the MCCP (Mud Client Compression Protocol) protocol,
> versions 1 and 2, to reduce the necessary bandwidth.

I hope that you're aware that MCCP is a security hole. It assumes that the server either supports MCCP itself or at least has fully featured support for the TELNET protocol.

It enables any player to knock you off the server[1], by saying/etc anything that includes the following bytes:
255 253 86 255 250 86 255 240 (for MCCP v2)
255 253 85 255 250 85 251 240 (for MCCP v1)

If the server in question has only partial support for TELNET (most LP-based servers, including the "ldmud" package in Debian), the
attacker has to double the 255 bytes.

You can't blame servers for not talking TELNET, as this is just an extra feature. Most codebases (by count, not by usage ratio) don't have it.

Partial support is a bug (protocol violation), but unfortunately it's
prevalent as most servers use a LP derivative. Thus, you need to either remove support for MCCP or make it an option that is disabled by default. MCCP is a custom extension used by few servers, so axing it won't really hurt.

[1] Kildclient will either segfault or lock up -- I'm not sure if this can be exploited to run arbitrary code.

Another issue:

There is a consistent crash every time you enter "Preferences" for the second time.

/-----------------------\ Shh, be vewy, vewy quiet,
| kilobyte@mimuw.edu.pl | I'm hunting wuntime ewwows!
Segmentation fault (core dumped)
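The scenario described in the mail, as an added example that is not part of the original message and is not KildClient's code: a minimal client-side telnet parser with MCCP v2 (COMPRESS2) support, plus a constructed model of the three kinds of server the mail distinguishes (no TELNET support, partial support, full support). Assumptions: only the v2 subnegotiation IAC SB COMPRESS2 IAC SE is handled (the v1 form with WILL before SE is left out); the injected sequence puts IAC WILL COMPRESS2 (255 251 86) ahead of the subnegotiation rather than the DO (253) quoted in the mail, because this client, like most, starts inflating only once it has agreed to the option, and on a server that relays player bytes verbatim the attacker can inject either; the "partial" server model (unescape IAC IAC on input, swallow other IAC sequences as commands, never re-escape output) is a constructed approximation, not ldmud's actual behaviour. What it shows: with MCCP enabled, the injected bytes switch the client to zlib on plain text, which a hardened client survives as a clean disconnect instead of a segfault or hang, but it is still knocked off the server; with MCCP off by default, or behind a server that re-escapes 255 on output, the same bytes arrive as harmless text; on the partial server the attacker needs the doubled 255 bytes, as the mail says.

```python
import zlib

# Telnet command bytes (RFC 854) and the MCCP v2 option number.
IAC, SE, SB, WILL, WONT, DO, DONT = 255, 240, 250, 251, 252, 253, 254
COMPRESS2 = 86

class MudClient:
    """Client-side telnet handler with optional MCCP v2; feed() never raises."""
    def __init__(self, mccp_enabled=False):   # off by default, as the mail asks
        self.mccp_enabled = mccp_enabled
        self.negotiated = False       # server sent WILL COMPRESS2 and we answered DO
        self.decomp = None            # zlib.decompressobj once compression is on
        self.disconnected = False     # set on a bad zlib stream instead of crashing
        self.text, self.sent = bytearray(), bytearray()   # screen output, replies
        self.state, self.cmd, self.sb = "data", 0, bytearray()

    def feed(self, data):
        if self.decomp is not None:
            try:
                data = self.decomp.decompress(data)
            except zlib.error:            # plain text where zlib was announced
                self.disconnected = True  # drop the link: no segfault, no hang
                return
        i = 0
        while i < len(data):
            b, i = data[i], i + 1
            if self.state == "data":
                if b == IAC:
                    self.state = "iac"
                else:
                    self.text.append(b)
            elif self.state == "iac":
                if b == IAC:                              # IAC IAC: literal 255
                    self.text.append(IAC)
                    self.state = "data"
                elif b in (WILL, WONT, DO, DONT):
                    self.cmd, self.state = b, "opt"
                elif b == SB:
                    self.sb, self.state = bytearray(), "sb"
                else:
                    self.state = "data"                   # NOP, GA, ...: ignore
            elif self.state == "opt":
                self._negotiate(self.cmd, b)
                self.state = "data"
            elif self.state == "sb":
                if b == IAC:
                    self.state = "sb_iac"
                else:
                    self.sb.append(b)
            elif b == IAC:                    # state sb_iac: escaped 255 in the SB
                self.sb.append(IAC)
                self.state = "sb"
            else:                             # state sb_iac: SE closes the SB
                self.state = "data"
                if self._start_compression(bytes(self.sb)):
                    # The rest of this buffer is already zlib: re-enter to inflate it.
                    self.decomp = zlib.decompressobj()
                    self.feed(data[i:])
                    return

    def _negotiate(self, cmd, opt):
        if cmd == WILL and opt == COMPRESS2 and self.mccp_enabled:
            self.negotiated = True
            self.sent += bytes([IAC, DO, COMPRESS2])
        else:                                 # refuse every other option
            self.sent += bytes([IAC, DONT if cmd in (WILL, WONT) else WONT, opt])

    def _start_compression(self, sb):
        # No defence on its own: a server relaying player bytes verbatim lets the
        # attacker inject the WILL just as easily as the SB.
        return sb == bytes([COMPRESS2]) and self.mccp_enabled and self.negotiated

def relay(player_bytes, telnet):
    """Constructed server model. 'partial': input unescapes IAC IAC and swallows
    other IAC sequences as commands, output is never re-escaped (the LP case).
    'full': the same, but every literal 255 is re-escaped on the way out."""
    out, i, n = bytearray(), 0, len(player_bytes)
    while i < n:
        if player_bytes[i] != IAC or i + 1 == n:
            out.append(player_bytes[i])
            i += 1
        elif player_bytes[i + 1] == IAC:
            out.append(IAC)
            i += 2
        else:
            i += 3 if player_bytes[i + 1] in (WILL, WONT, DO, DONT) else 2
    if telnet == "full":
        return bytes(out).replace(bytes([IAC]), bytes([IAC, IAC]))
    return bytes(out)

# Constructed attack: a chat line carrying WILL COMPRESS2 and the SB that starts zlib.
INJECT = bytes([IAC, WILL, COMPRESS2, IAC, SB, COMPRESS2, IAC, SE])
SAY = b"Mallory says: hello" + INJECT + b" and the rest of the line\r\n"
SAY_DOUBLED = SAY.replace(bytes([IAC]), bytes([IAC, IAC]))   # "double the 255 bytes"

def deliver(stream, mccp_enabled):
    # Returns (text the client shows, whether it had to drop the connection).
    c = MudClient(mccp_enabled)
    c.feed(stream)
    return bytes(c.text), c.disconnected
```

`deliver(SAY, True)` stands for the server with no TELNET support: the text up to the injection is shown, then the client has to disconnect. `deliver(SAY, False)` shows the whole line with the telnet bytes silently dropped. `relay(SAY_DOUBLED, "partial")` reproduces the mail's LP case (the doubled 255s collapse to single ones and reach the client as commands), while `relay(SAY_DOUBLED, "full")` re-escapes them so the client displays the raw bytes as text. A genuine MCCP2 session still works: after feeding IAC WILL COMPRESS2 the client answers IAC DO COMPRESS2, and zlib data following the subnegotiation inflates into `text`.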
