| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 8 Jun 2004 18:20:49 +0000
From: Luigi Auriemma <aluigi@...ervista.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com, news@...uriteam.com,
full-disclosure@...ts.netsys.com
Subject: Various crashs and fun in Race Driver 1.20
#######################################################################
Luigi Auriemma
Application: http://www.codemasters.com/tocaracedriver/
Versions: <= 1.20
Platforms: Windows
Bugs: various crashs and spoofed messages
Risk: medium
Exploitation: remote, versus server and attached clients
Date: 08 June 2004
Author: Luigi Auriemma
e-mail: aluigi@...ervista.org
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Race Driver is a great and funny driving game developed by Codemasters
and released in March 2003.
Actually this game is no longer supported due to the release of Race
Driver 2 in April 2004.
#######################################################################
=======
2) Bugs
=======
Important note: the attacker MUST have access to the server (so if the
server is protected by password the attacker must know it) and the
bugs can be exploited ONLY when the server is in the lobby stage
(openplaying) that is the only moment when players can join.
--------------
A] Multi crash
--------------
If a server receives a message packet with a length identifier of 0
it will crash immediately after the access to a NULL pointer.
All the attached clients will crash too.
-----------------------
B] Server disconnection
-----------------------
A malformed packet can stop the remote match in a couple of seconds.
-------------------
C] Spoofed messages
-------------------
The communication protocol used by the game permits to send messages
to the server without to be really in the match and with the other
players in the server as their sources.
In fact each player is identified by an ID (for example the admin as
ever ID 0) and this value can be customized in the message packet.
Very boring is the messages flooding attack during the race... moreover
for the server's bandwidth.
#######################################################################
===========
3) The Code
===========
http://aluigi.altervista.org/poc/rdboom.zip
#######################################################################
======
4) Fix
======
No fix.
Unfortunately the game is no longer supported.
#######################################################################
---
Luigi Auriemma
http://aluigi.altervista.org
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists