Panda3D Uncontrolled Format String Vulnerability in egg-mkfont Utility Allows Stack Memory Disclosure

Vulnerability

A format string vulnerability has been identified in the Panda3D game engine, specifically in versions up to and including 1.10.16. The issue arises in the egg-mkfont utility, where the -gp (glyph pattern) command-line option is used as a format string for the sprintf() function without proper validation. This flaw allows attackers to inject additional format specifiers, leading to the unintentional disclosure of stack memory and pointer values. The leaked information is written into .egg and .png files, which are accessible to the attacker.

Impact

Exploitation of this vulnerability allows for the unauthorized reading of stack memory, leakage of pointer-sized values including addresses, reduction of Address Space Layout Randomization (ASLR) effectiveness, and extraction of sensitive process memory through the generated output files.

Reproduction

To reproduce this vulnerability, use the egg-mkfont utility with the -gp option. Include additional format specifiers in the glyph pattern argument. The injected format specifiers will cause sprintf() to read unintended values from the stack, which can then be accessed through the output files.
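One way to close this class of bug is to validate the pattern before it ever reaches a printf-family call. The following is an added example, not Panda3D's code or its actual fix; the function names and sample patterns are hypothetical, and it assumes the glyph pattern is meant to consume exactly one integer glyph code.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical validator: returns 1 only if pat contains exactly one
 * integer conversion of the form %d, %Nd or %0Nd (at most 3 digits
 * between '%' and 'd'). "%%" is allowed as a literal percent sign.
 * Everything else (%s, %p, %n, %x, '*', '$', length modifiers, a second
 * conversion, a trailing '%') is rejected. */
int glyph_pattern_is_safe(const char *pat)
{
    int conversions = 0;
    for (const char *p = pat; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                 /* literal percent sign */
            continue;
        int digits = 0;
        while (isdigit((unsigned char)*p) && digits < 3) {
            p++;
            digits++;
        }
        if (*p != 'd')                 /* also catches end of string */
            return 0;
        if (++conversions > 1)         /* would read a second, absent argument */
            return 0;
    }
    return conversions == 1;
}

/* Formats one glyph name; returns 0 on success, -1 if the pattern is
 * rejected or the result does not fit in out. */
int format_glyph_name(char *out, size_t outsz, const char *pat, int glyph)
{
    if (!glyph_pattern_is_safe(pat))
        return -1;
    int n = snprintf(out, outsz, pat, glyph);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample patterns, not taken from the advisory. */
    const char *samples[] = { "g%03d", "100%%_%d", "%d_%p", "%d%d", "plain", "%" };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s -> %s\n", samples[i],
               format_glyph_name(buf, sizeof buf, samples[i], 65) == 0 ? buf : "rejected");
    return 0;
}
```

Rejecting the pattern up front, rather than trying to sanitize it, keeps the argument list and the format string in agreement, which is the property the unvalidated sprintf() call lacks.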

Added: Jan 7, 2026, 9:17 PM
Updated: Jan 7, 2026, 9:17 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.0
remediation: 0.0
relevance: 1.8
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.