lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040211220709.5fb7ef9e.aluigi@altervista.org>
Date: Wed, 11 Feb 2004 22:07:09 +0000
From: Luigi Auriemma <aluigi@...ervista.org>
To: bugtraq@...urityfocus.com
Subject: Denial of Service in Ratbag's game engine



#######################################################################

                             Luigi Auriemma

Application:  Game engine and games developed by Ratbag
              http://www.ratbaggames.com
Games/Ver:    - Dirt Track Racing             <= 1.03
              - Dirt Track Racing Australia
              - Leadfoot
              - Dirt Track Racing Sprint Cars <= 1.01
              - Dirt Track Racing 2
              - World of Outlaws Sprint Cars
Platforms:    Windows
Bug:          CPU at 100%, match freezed
Risk:         medium/high
Exploitation: remote, versus server
Date:         11 Feb 2004
Author:       Luigi Auriemma
              e-mail: aluigi@...ervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Ratbag is a software house enough famous in the gaming scene for its
racing games based on "dirty" racing sports.
Just its most famous game Dirt Track Racing in fact has winned some
awards in the past.


#######################################################################

======
2) Bug
======


The bug is a freezing of the server (CPU up to 100%) caused by the
value identifying the length of the data.
This value is the first 16 bit number that is located at the beginning
of each data block, it is read by the server to know how many bytes
must be read and to calculate the amount of remaining data to receive
from the socket to complete the data block.

The problem is located just in the management of the sockets in fact
the Ratbag engine uses TCP connections on non-blocked sockets so
everytime that there are remaining bytes to read the game will do an
infinite check on the socket to know if are arrived new data.

So for example if an attacker uses the value 3 but sends only 2 bytes,
the remaining byte will cause the infinite loop because naturally he
will stay connected and will never send this last byte.


#######################################################################

===========
3) The Code
===========


   http://aluigi.altervista.org/poc/ratbagcpu.zip


#######################################################################

======
4) Fix
======


No fix.
No reply to my signalations.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ