#######################################################################

                             Luigi Auriemma

Application:  Sparklet
http://sparklet.sourceforge.net 
Versions:     <= 0.9.4try3
Platforms:    Windows, *nix, *BSD and more
Bug:          format string in client's display
Exploitation: remote, versus clients
Date:         06 Jul 2006
Author:       Luigi Auriemma
e-mail: aluigi@autistici.org 
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

==============1) Introduction
==============

Sparklet is a nice multiplayer 2d shooting game released under the GPL
license.


#######################################################################

=====2) Bug
=====

The game is affected by a format string vulnerability located in the
function which visualizes the text strings on the client screen during
the match.
The problem is located in agl_text.cpp where is missed the "%s" format
argument:

void WriteText(const Point &DstLoc, const std::string &Text, const int &Font, const ULONG &Color) {
    ...
    allegro_gl_printf_ex(fnt, x, y, 0, Text.c_str());
    ...

Through this bug an attacker on a server or a client (the server is not
vulnerable since it simply forwards all the received data to all the
clients connected to it) can crash or execute malicious code versus any
client which is playing on the server.


#######################################################################

==========3) The Code
==========

Use the nickname %n%n%n%n%n


#######################################################################

=====4) Fix
=====

A new version will be released soon


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org 
http://mirror.aluigi.org