COMMAND

    FICS

SYSTEMS AFFECTED

    FICS

PROBLEM

    'canul' found the following.  While documenting the FICS (free
    internet chess server) protocol for the purposes of an alternative
    to the xboard program, he encountered what looks to be a potential
    for attack.  This vulnerability has been verified on one of the
    largest FICS-based systems, chess.net.

    The problem involves unchecked user input being copied into a fixed
    length string.  Exploitation beyond denial of service of the
    questionable code looks possible but not trivial, as there is not
    room in the buffer for shell code, but putting it elsewhere is
    certainly a possibility.
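    The pattern described above, as an added example that is not FICS
    code or canul's patch: a fixed-size path buffer filled from a
    user-supplied category name, first in the unchecked sprintf() form
    and then in a form where the bound comes from the buffer size and
    truncation is detected.  The buffer size, directory and category
    strings are constructed values.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed size; not a constant from the FICS sources. */
#define DNAME_SIZE 32

/* The defect as the advisory describes it: user input is formatted into
 * a fixed buffer with no length check.  Kept only to show the pattern;
 * nothing below calls it. */
static void build_board_path_unchecked(char *dname, const char *board_dir,
                                       const char *category)
{
    sprintf(dname, "%s/%s", board_dir, category);
}

/* Hardened form.  The bound is the destination size, a NULL category is
 * rejected before any strlen()/formatting, and snprintf()'s return value
 * detects truncation instead of trusting a fixed category limit that may
 * not match sizeof(dname).  Returns 0 on success, -1 otherwise. */
static int build_board_path(char *dname, size_t dname_size,
                            const char *board_dir, const char *category)
{
    int n;

    if (dname == NULL || dname_size == 0 || board_dir == NULL ||
        category == NULL)
        return -1;
    /* Extra hardening: category is used as a directory name, so keep it
     * from naming a path outside board_dir. */
    if (strchr(category, '/') != NULL || strstr(category, "..") != NULL)
        return -1;
    n = snprintf(dname, dname_size, "%s/%s", board_dir, category);
    if (n < 0 || (size_t)n >= dname_size) {
        dname[0] = '\0';        /* never hand back a truncated path */
        return -1;
    }
    return 0;
}

int main(void)
{
    char dname[DNAME_SIZE];
    /* Constructed inputs: a short category fits, an over-long one is refused. */
    printf("short: %d\n", build_board_path(dname, sizeof dname, "/usr/fics/boards", "openings"));
    printf("long:  %d\n", build_board_path(dname, sizeof dname, "/usr/fics/boards",
           "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"));
    return 0;
}
```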

SOLUTION

    'canul' wrote a patch that resolves the problem, in some fashion:

    --- gameproc.c	Tue Nov 16 13:52:31 1999
    +++ gameproc.1.c	Sat Nov 20 19:45:08 1999
    @@ -24,6 +24,7 @@
 						    Second is obsproc.c.
        DAV				96/7/1		Added avail stuff
     */
    +/* canul@halflife.dyn.insomnia.org  com_boards buffer overflow fix */

     #include "stdinclude.h"

    @@ -1445,6 +1446,16 @@

       if (param[0].type == TYPE_WORD)
         category = param[0].val.word;
    +
    +#ifndef CATEGORY_LIMIT
    +#	define CATEGORY_LIMIT 100
    +#endif
    +  if (strlen(category) > CATEGORY_LIMIT)
    +  {
    +      pprintf(p, "That category exceeds the string limit\n");
    +	  return COM_OK;
    +  }
    +
       if (category) {
         pprintf(p, "Boards Available For Category %s:\n", category);
         sprintf(dname, "%s/%s", board_dir, category);
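    Review bot: the new `strlen(category)` runs before the existing `if (category)` test, and that test suggests `category` can be NULL when `param[0].type` is not `TYPE_WORD`, so the check as placed can dereference NULL; move it inside `if (category) {` or write it as `if (category && strlen(category) > CATEGORY_LIMIT)`.  Also, `CATEGORY_LIMIT 100` is not tied to the size of `dname` or the length of `board_dir`, so the overflow is prevented only if `sizeof(dname)` exceeds `strlen(board_dir) + 1 + CATEGORY_LIMIT + 1`; deriving the bound from `sizeof(dname)`, or replacing the `sprintf(dname, "%s/%s", board_dir, category)` with `snprintf` and checking its return value, would make the fix hold regardless of that assumption.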

    FICS development has been closed since 1996.  The guess is that
    1.7.something is the server version in use, since the 1.6.2 server
    did not have this problem.  However, there are many bugs in the
    released sources for the server, and talking about another bug is
    more or less beating a dead horse.  Simply put, if someone is going
    to run a server, a lot of work must be done to get it stable.