Date: Tue, 8 Jun 2004 18:20:49 +0000
From: Luigi Auriemma <aluigi@...ervista.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com, news@...uriteam.com, full-disclosure@...ts.netsys.com
Subject: Various crashes and fun in Race Driver 1.20

#######################################################################

                             Luigi Auriemma

Application:  http://www.codemasters.com/tocaracedriver/
Versions:     <= 1.20
Platforms:    Windows
Bugs:         various crashes and spoofed messages
Risk:         medium
Exploitation: remote, versus server and attached clients
Date:         08 June 2004
Author:       Luigi Auriemma
              e-mail: aluigi@...ervista.org
              web:    http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Race Driver is a great and fun driving game developed by Codemasters and released in March 2003. The game is currently no longer supported, since Race Driver 2 was released in April 2004.

#######################################################################

=======
2) Bugs
=======

Important note: the attacker MUST have access to the server (if the server is password-protected, the attacker must know the password), and the bugs can be exploited ONLY while the server is in the lobby stage ("openplaying"), which is the only moment when players can join.

--------------
A] Multi crash
--------------

If the server receives a message packet with a length identifier of 0, it crashes immediately on a NULL pointer access. All the attached clients crash too.

-----------------------
B] Server disconnection
-----------------------

A malformed packet can stop the remote match within a couple of seconds.
-------------------
C] Spoofed messages
-------------------

The communication protocol used by the game allows messages to be sent to the server without actually being in the match, and with any of the other players in the server as their apparent source. Each player is identified by an ID (for example, the admin always has ID 0), and this value can be set freely in the message packet. A message-flooding attack during the race is very annoying, and it also costs the server bandwidth.

#######################################################################

===========
3) The Code
===========

http://aluigi.altervista.org/poc/rdboom.zip

#######################################################################

======
4) Fix
======

No fix. Unfortunately the game is no longer supported.

#######################################################################

---
Luigi Auriemma
http://aluigi.altervista.org
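Added illustration (not part of the advisory, and not Codemasters' or the proof-of-concept's code): a hypothetical C model of the two trust failures described in sections 2A and 2C. The packet layout [sender_id:1][text_len:1][text:text_len], the player slot numbers and the sample packets are all constructed assumptions for this example; the real Race Driver protocol is not documented on this page. The trusting parser leaves the body pointer NULL for text_len == 0 (the shape of the crash in 2A) and copies the sender slot straight from the packet (the spoofing in 2C). The hardened parser rejects an empty or oversized length, checks that the packet really carries as many bytes as it claims, and attributes the message to the slot bound to the connection it arrived on, never to the slot the packet names.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed, hypothetical lobby chat packet for this example; it is NOT the
 * real Race Driver wire format:   [sender_id:1][text_len:1][text:text_len]   */
#define HDR_LEN     2
#define MAX_PLAYERS 8
#define MAX_TEXT    200

/* Sample packets, constructed for the example (the sending client sits in slot 3). */
static const unsigned char CRASH_PKT[] = { 0x03, 0x00 };                        /* text_len 0           */
static const unsigned char SPOOF_PKT[] = { 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' }; /* claims admin slot 0  */
static const unsigned char GOOD_PKT[]  = { 0x03, 0x05, 'h', 'e', 'l', 'l', 'o' }; /* honest slot 3        */

/* --- vulnerable shape: every header field is trusted ----------------------- */

struct raw_msg { unsigned sender; const char *body; size_t body_len; };

/* Models the failure the advisory describes (this is not the game's code): a
 * text_len of 0 leaves body NULL, and the broadcast path that follows would
 * dereference it and crash the server; the sender slot is copied from the
 * packet, so any client can speak as any slot, including the admin's slot 0. */
static struct raw_msg parse_chat_trusting(const unsigned char *pkt, size_t len)
{
    struct raw_msg m = { 0, NULL, 0 };
    if (len < HDR_LEN)
        return m;
    m.sender   = pkt[0];
    m.body_len = pkt[1];
    m.body     = m.body_len ? (const char *)pkt + HDR_LEN : NULL;
    return m;
}

/* --- hardened shape ------------------------------------------------------- */

enum parse_result { MSG_OK, MSG_TRUNCATED, MSG_BAD_LEN, MSG_BAD_SENDER, MSG_SPOOFED };

/* A connected client as the server knows it: the slot assigned at join time. */
struct conn { unsigned slot; int joined; };

struct chat_msg {
    unsigned sender;             /* slot the message is attributed to */
    size_t   text_len;
    char     text[MAX_TEXT + 1]; /* always NUL-terminated on MSG_OK */
};

/* Scratch output for callers that only care about the result code. */
static struct chat_msg scratch;

static enum parse_result parse_chat(const struct conn *from,
                                    const unsigned char *pkt, size_t len,
                                    struct chat_msg *out)
{
    if (!from->joined)                          /* only joined players may talk */
        return MSG_BAD_SENDER;
    if (len < HDR_LEN)
        return MSG_TRUNCATED;

    unsigned claimed  = pkt[0];
    size_t   text_len = pkt[1];

    if (text_len == 0 || text_len > MAX_TEXT)   /* 2A: empty body is a protocol error */
        return MSG_BAD_LEN;
    if (len < HDR_LEN + text_len)               /* body must really be present */
        return MSG_TRUNCATED;
    if (claimed >= MAX_PLAYERS)
        return MSG_BAD_SENDER;
    if (claimed != from->slot)                  /* 2C: identity comes from the connection */
        return MSG_SPOOFED;

    out->sender   = from->slot;                 /* never the packet's own claim */
    out->text_len = text_len;
    memcpy(out->text, pkt + HDR_LEN, text_len);
    out->text[text_len] = '\0';
    return MSG_OK;
}

/* Convenience wrapper: parse a packet as if it arrived on the given slot's connection. */
static enum parse_result parse_chat_from(unsigned slot, int joined,
                                         const unsigned char *pkt, size_t len,
                                         struct chat_msg *out)
{
    struct conn c = { slot, joined };
    return parse_chat(&c, pkt, len, out);
}

int main(void)
{
    struct raw_msg r = parse_chat_trusting(CRASH_PKT, sizeof CRASH_PKT);
    printf("trusting parser, len 0 packet: body=%p (would be dereferenced)\n", (const void *)r.body);
    r = parse_chat_trusting(SPOOF_PKT, sizeof SPOOF_PKT);
    printf("trusting parser, spoofed packet from slot 3: attributed to slot %u\n", r.sender);

    printf("hardened, len 0 packet:   result=%d\n", parse_chat_from(3, 1, CRASH_PKT, sizeof CRASH_PKT, &scratch));
    printf("hardened, spoofed packet: result=%d\n", parse_chat_from(3, 1, SPOOF_PKT, sizeof SPOOF_PKT, &scratch));
    if (parse_chat_from(3, 1, GOOD_PKT, sizeof GOOD_PKT, &scratch) == MSG_OK)
        printf("hardened, honest packet:  slot %u says \"%s\"\n", scratch.sender, scratch.text);
    return 0;
}
```

The point of the hardened version is not the specific bounds but where identity and length come from: the length is validated against the bytes actually received before any pointer is formed from it, and the sender is taken from server-side state (the slot bound to the connection at join time), so a packet that names another player's ID is dropped as spoofed rather than relayed under that player's name.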