Posts

DoSing a Public NetHack Server

What AFL found

During fuzzing (as described here), AFL reported a hang on this .nethackrc line:

MENUCOLOR=0+++++++++++++++++++++++++++++++++++++++++=blue

This line says that if a menu item matches the regular expression (here, one or more ‘0’ characters), that line should be colored blue in the UI. Only one ‘+’ character is needed to express this, but if you string many ‘+’ characters together, NetHack hangs. I was also able to reproduce the hang with MSGTYPE and AUTOPICKUP_EXCEPTION lines.

So why does it hang? NetHack 3.6/3.7 has a pluggable API for regular expression engines in sys/share. Three implementations of this API are included in the source:

posixregex.c – Uses the POSIX API from /usr/include/regex.h, implemented by the platform’s libc. This is the default on Unix.

cppregex.cpp – Uses <regex> from the C++ standard library, implemented by the platform’s C++ runtime library. This is the default on Windows.

Obviously,
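The shape behind that hang, a quantifier stacked on a quantifier, is easy to screen for before the pattern ever reaches regcomp(). The following Python is an added example, not code from the post or from NetHack: a small lint that pulls the regex out of MENUCOLOR, MSGTYPE and AUTOPICKUP_EXCEPTION lines (using a simplified reading of the rc syntax, which is an assumption, not NetHack's real option parser) and reports any quantifier applied to another quantifier or to a group that already contains one. The sample rc file at the bottom is constructed for the example.

```python
"""Lint the regexes a .nethackrc hands to regcomp(): added example, not NetHack's own code."""
from typing import Dict, List, Optional

QUANTIFIER_START = "*+?{"


def extract_pattern(line: str) -> Optional[str]:
    """Return the regex of a MENUCOLOR, MSGTYPE or AUTOPICKUP_EXCEPTION line, else None."""
    # Simplified rc syntax (assumption, not NetHack's real parser): the pattern is what
    # follows the first '=', up to the last '=' for MENUCOLOR, minus surrounding quotes.
    key, sep, rest = line.strip().partition("=")
    if not sep:
        return None
    key = key.strip().upper()
    if key == "MENUCOLOR":                  # MENUCOLOR=<pattern>=<color>[&<attr>]
        pattern, sep, _color = rest.rpartition("=")   # the pattern itself may contain '='
        if not sep:
            return None
    elif key == "MSGTYPE":                  # MSGTYPE=<type> <pattern>
        parts = rest.strip().split(None, 1)
        if len(parts) != 2:
            return None
        pattern = parts[1]
    elif key == "AUTOPICKUP_EXCEPTION":
        pattern = rest
    else:
        return None                         # comment line or an option without a regex
    pattern = pattern.strip()
    if len(pattern) >= 2 and pattern[0] == pattern[-1] == '"':
        pattern = pattern[1:-1]
    if key == "AUTOPICKUP_EXCEPTION" and pattern[:1] in ("<", ">"):
        pattern = pattern[1:]               # '<' always pick up, '>' never pick up
    return pattern


def stacked_or_nested_quantifiers(pattern: str) -> List[str]:
    """Report ERE quantifiers applied to another quantifier (0+++) or to a group that
    already holds one ((a+)+): either gives a backtracking matcher exponential work."""
    findings: List[str] = []
    open_groups: List[bool] = []            # per open '(': does it hold a quantifier yet?
    after_quant = after_group = closed_group_quantified = False
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        was_quant, was_group = after_quant, after_group
        after_quant = after_group = False   # most atoms reset the "previous atom" state
        if c == "\\":                       # escaped character: a plain atom
            i += 2
        elif c == "[":                      # bracket expression: skip to its closing ']'
            j = i + 1 + (pattern[i + 1:i + 2] == "^")
            j += pattern[j:j + 1] == "]"    # a leading ']' is literal
            while j < n and pattern[j] != "]":
                if pattern[j] == "[" and pattern[j + 1:j + 2] in (":", ".", "="):
                    end = pattern.find(pattern[j + 1] + "]", j + 2)   # [:class:] etc.
                    j = n if end == -1 else end + 2
                else:
                    j += 1
            i = j + 1
        elif c == "(":
            open_groups.append(False)
            i += 1
        elif c == ")":
            closed_group_quantified = open_groups.pop() if open_groups else False
            after_group = True
            i += 1
        elif c in QUANTIFIER_START:
            start = i
            if c == "{":                    # interval bound {m,n}; an unterminated one runs to the end
                end = pattern.find("}", i)
                i = n if end == -1 else end + 1
            else:
                i += 1
            quant = pattern[start:i]
            if was_quant:
                findings.append(f"offset {start}: {quant!r} applied to a quantifier")
            elif was_group and closed_group_quantified:
                findings.append(f"offset {start}: {quant!r} applied to a quantified group")
            open_groups[:] = [True] * len(open_groups)   # every enclosing group holds one now
            after_quant = True
        else:                               # ordinary literal, '.', '^', '$' or '|'
            i += 1
    return findings


def lint_rc(text: str) -> Dict[int, List[str]]:
    """Map 1-based line numbers to findings for every option line carrying a risky pattern."""
    report: Dict[int, List[str]] = {}
    for no, line in enumerate(text.splitlines(), 1):
        findings = stacked_or_nested_quantifiers(extract_pattern(line) or "")
        if findings:
            report[no] = findings
    return report


SAMPLE_RC = """\
# constructed sample rc for this example, not a real player's file
OPTIONS=color,autopickup
MENUCOLOR=" blessed "=green
MENUCOLOR=0+++++=blue
AUTOPICKUP_EXCEPTION="<([a-z]+)*arrow"
"""
```

Run `lint_rc(SAMPLE_RC)` and lines 4 and 5 are reported; the harmless MENUCOLOR on line 3 is not. Treat this as a first filter, not a guarantee: other shapes also blow up a backtracking engine (overlapping alternation such as `(a|a)*`, for one), so a public server that accepts player rc files should still bound the time or CPU the match is allowed to consume, or use an engine that does not backtrack.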

Dungeon Crawl Stone Soup

Dungeon Crawl Stone Soup, aka DCSS, aka “crawl”, is an open source roguelike game, available at https://github.com/crawl/crawl . Public DCSS servers (crawl.kelbi.org, crawl.develz.org, crawl.akrasiac.org, underhound.eu, crawl.beRotato.org, lazy-life.ddo.jp, webzook.net, crawl.xtahua.com, crawl.project357.org) allow users to play DCSS without compiling or installing it on their own system. On these servers, before starting a game, players can upload their own .crawlrc configuration file. These files can include Lua 5.1 scripts, and the global environment for those scripts includes the load and loadstring functions. load and loadstring can load not just other Lua scripts but also Lua bytecode, valid or invalid. Although Lua 5.1 includes a perfunctory bytecode verifier, that verifier has known weaknesses which are well documented in the security community.

NetHack 3.6.6, or, How to Glitch NetHack

The NetHack DevTeam released NetHack 3.6.6 on March 8, 2020, primarily to address CVE-2020-5254, which I reported to them on March 3. Although most of my report focused on security, and indeed I was able to get full remote code execution (RCE) on pre-release NetHack 3.7 (but not on 3.6.5), I actually thought the more interesting finding was how to exploit the bug as a glitch.

NetHack 3.6.5

The NetHack DevTeam released NetHack 3.6.5 on January 27, 2020, primarily to address six buffer overflows I reported to them on January 12 and January 15. All of these bugs were found with AFL, as I described in Fuzzing NetHack.

Fuzzing NetHack

After NetHack 3.6.4, I looked at other games, including Freeciv and Dungeon Crawl Stone Soup. Freeciv uses a client/server model, and I really wanted to find a vulnerability in the server protocol. I discovered AFL and set the fuzzer up to run against the Freeciv server. Days later, AFL had found nothing and I was bored, so I decided to run AFL against NetHack. That ended up being a very good idea.

NetHack 3.6.4

The NetHack DevTeam released NetHack 3.6.4 on December 18, 2019, primarily to address CVE-2019-19905, which I reported to them on December 13. I was impressed with the five-day turnaround.

Why NetHack?

There's a lot of software out there to explore, so a good first question is why would I pick NetHack as a place to focus my security research? A few reasons: