rAthena Login Server Heap-Based Buffer Overflow Vulnerability Allowing Remote Code Execution

Vulnerability

A heap-based buffer overflow exists in the rAthena login server in builds before commit 2f5248b. When handling a CA_SSO_LOGIN_REQ (token-based login) packet, the server copies the token into a fixed-size per-session buffer using a length derived from the packet itself, so a remote attacker who declares an oversized token length overwrites the session fields that sit next to that buffer on the heap. No credentials are needed, because the malformed packet is itself the login request. The immediate effect is a crash of the login server (denial of service); because the overwritten bytes are attacker-controlled and corrupt heap-resident session state, remote code execution is a potential consequence.

Impact

Exploitation overflows a heap buffer and crashes the login server, which takes authentication down for every player until the process is restarted. Turning the corruption into remote code execution is possible in principle, since the overwritten bytes are attacker-controlled and land in adjacent session state, but the confirmed impact is the crash.

Reproduction

Send a single CA_SSO_LOGIN_REQ packet to the login server port whose length field declares a token longer than the server's token buffer. Any TCP client or script that lets you control the packet bytes, and in particular the length field, is enough, and no account is required. Once the oversized token has been copied, a vulnerable server crashes with a segmentation fault; the same corruption is what an attacker would try to shape into code execution. Because the crash takes the login service down for all players, reproduce it only against a test instance.
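The mechanism above, as an added illustration in C that is not rAthena's code: a session structure with a fixed 33-byte token buffer followed by other session fields, a parser that sizes its copy from the packet's length field (the vulnerable pattern), and the same parser with the missing bound on the token length (the kind of check the fix adds). The packet id 0x0825, the 64-byte fixed prefix before the token, the buffer size, the struct layout and the function names are assumptions for this demo, not taken from the rAthena source; the slack after each session exists only so the deliberate overflow can be inspected instead of crashing the program.

```c
/* Added example, not rAthena code: a fixed-size session buffer fed by a
 * length taken from the client's packet, shown vulnerable and then bounded.
 * Packet id, header size, buffer size and struct layout are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSO_PACKET_ID   0x0825  /* assumption: id of the token login packet */
#define SSO_HEADER_LEN  64      /* assumption: fixed fields before the token */
#define PASSWD_LENGTH   33      /* assumption: 32-character token + NUL */

struct login_session {
    uint32_t account_id;
    char     passwd[PASSWD_LENGTH];  /* the token is copied here */
    uint8_t  passwd_len;             /* adjacent fields a long token runs into */
    uint8_t  state;                  /* 0 = not authenticated */
    uint32_t client_ip;
};

/* Demo-only: slack after the session keeps the deliberate overflow inside
 * memory this program owns so it can be observed (the real server had none). */
struct session_slot {
    struct login_session sess;
    uint8_t slack[256];
};

enum { PARSE_OK = 0, PARSE_ERR_LENGTH = -1, PARSE_ERR_TOKEN = -2 };

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Vulnerable pattern: token_len is whatever the client declared minus the
 * header size, and is never compared with the size of passwd. */
int parse_sso_login_vuln(struct login_session *sess, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < SSO_HEADER_LEN || rd16le(pkt) != SSO_PACKET_ID) return PARSE_ERR_LENGTH;
    uint16_t declared = rd16le(pkt + 2);
    if (declared < SSO_HEADER_LEN || declared > pkt_len) return PARSE_ERR_LENGTH;
    uint16_t token_len = (uint16_t)(declared - SSO_HEADER_LEN);
    /* Byte pointer into the session object: once token_len exceeds 33 the
     * copy runs past passwd into passwd_len, state and client_ip. */
    unsigned char *dst = (unsigned char *)sess + offsetof(struct login_session, passwd);
    memcpy(dst, pkt + SSO_HEADER_LEN, token_len);   /* BUG: no bound on token_len */
    dst[token_len] = '\0';
    return PARSE_OK;
}

/* Bounded version: the same framing checks plus the missing length check. */
int parse_sso_login_fixed(struct login_session *sess, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < SSO_HEADER_LEN || rd16le(pkt) != SSO_PACKET_ID) return PARSE_ERR_LENGTH;
    uint16_t declared = rd16le(pkt + 2);
    if (declared < SSO_HEADER_LEN || declared > pkt_len) return PARSE_ERR_LENGTH;
    uint16_t token_len = (uint16_t)(declared - SSO_HEADER_LEN);
    if (token_len == 0 || token_len > PASSWD_LENGTH - 1) return PARSE_ERR_TOKEN;
    memcpy(sess->passwd, pkt + SSO_HEADER_LEN, token_len);
    sess->passwd[token_len] = '\0';
    sess->passwd_len = (uint8_t)token_len;
    return PARSE_OK;
}

/* Constructed packet: id, little-endian total length, zeroed fixed fields,
 * then token_len bytes of token. Returns bytes written, 0 if it does not fit. */
size_t build_sso_packet(uint8_t *out, size_t cap, const uint8_t *token, uint16_t token_len)
{
    size_t total = SSO_HEADER_LEN + token_len;
    if (total > cap || total > UINT16_MAX) return 0;
    memset(out, 0, SSO_HEADER_LEN);
    out[0] = SSO_PACKET_ID & 0xff;  out[1] = SSO_PACKET_ID >> 8;
    out[2] = total & 0xff;          out[3] = (total >> 8) & 0xff;
    memcpy(out + SSO_HEADER_LEN, token, token_len);
    return total;
}

struct demo_result { int rc_vuln, rc_fixed; uint8_t state_vuln, state_fixed; };

/* Feed a token of token_len 'A' bytes to both parsers and report the return
 * codes and the session's state byte afterwards, so the overwrite is visible. */
struct demo_result run_demo(uint16_t token_len)
{
    struct demo_result r = {0, 0, 0, 0};
    struct session_slot slot;
    uint8_t token[128];
    uint8_t pkt[SSO_HEADER_LEN + sizeof token];
    if (token_len > sizeof token) token_len = sizeof token;  /* stay inside slack */
    memset(token, 'A', sizeof token);
    size_t n = build_sso_packet(pkt, sizeof pkt, token, token_len);

    memset(&slot, 0, sizeof slot);
    r.rc_vuln = parse_sso_login_vuln(&slot.sess, pkt, n);
    r.state_vuln = slot.sess.state;

    memset(&slot, 0, sizeof slot);
    r.rc_fixed = parse_sso_login_fixed(&slot.sess, pkt, n);
    r.state_fixed = slot.sess.state;
    return r;
}

int main(void)
{
    uint16_t lens[] = { 16, 40 };
    for (size_t i = 0; i < 2; i++) {
        struct demo_result r = run_demo(lens[i]);
        printf("token_len=%u vuln rc=%d state=0x%02x | fixed rc=%d state=0x%02x\n",
               lens[i], r.rc_vuln, r.state_vuln, r.rc_fixed, r.state_fixed);
    }
    return 0;
}
```

With a 16-byte token both parsers accept the packet and the state byte stays 0; with a 40-byte token the vulnerable parser reports success while the state byte (and the fields around it) now hold 0x41 from the token, whereas the bounded parser rejects the packet before copying anything. On a real server the overrun continues past the session object into whatever the heap allocator placed next, which is where the crash, and any further exploitation, comes from.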

Remediation

Upgrade to a rAthena build that includes commit 2f5248b (rAthena is distributed as git source, so the identifier is a commit hash rather than a release number). To confirm that a deployed checkout carries the fix, run git merge-base --is-ancestor 2f5248b HEAD in the repository; an exit status of 0 means the fixing commit is an ancestor of the deployed revision.

Added: Sep 9, 2025, 11:23 PM
Updated: Sep 9, 2025, 11:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 8.4
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.