| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 11 Feb 2004 22:07:09 +0000
From: Luigi Auriemma <aluigi@...ervista.org>
To: bugtraq@...urityfocus.com
Subject: Denial of Service in Ratbag's game engine
#######################################################################
Luigi Auriemma
Application: Game engine and games developed by Ratbag
http://www.ratbaggames.com
Games/Ver: - Dirt Track Racing <= 1.03
- Dirt Track Racing Australia
- Leadfoot
- Dirt Track Racing Sprint Cars <= 1.01
- Dirt Track Racing 2
- World of Outlaws Sprint Cars
Platforms: Windows
Bug: CPU at 100%, match freezed
Risk: medium/high
Exploitation: remote, versus server
Date: 11 Feb 2004
Author: Luigi Auriemma
e-mail: aluigi@...ervista.org
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Ratbag is a software house enough famous in the gaming scene for its
racing games based on "dirty" racing sports.
Just its most famous game Dirt Track Racing in fact has winned some
awards in the past.
#######################################################################
======
2) Bug
======
The bug is a freezing of the server (CPU up to 100%) caused by the
value identifying the length of the data.
This value is the first 16 bit number that is located at the beginning
of each data block, it is read by the server to know how many bytes
must be read and to calculate the amount of remaining data to receive
from the socket to complete the data block.
The problem is located just in the management of the sockets in fact
the Ratbag engine uses TCP connections on non-blocked sockets so
everytime that there are remaining bytes to read the game will do an
infinite check on the socket to know if are arrived new data.
So for example if an attacker uses the value 3 but sends only 2 bytes,
the remaining byte will cause the infinite loop because naturally he
will stay connected and will never send this last byte.
#######################################################################
===========
3) The Code
===========
http://aluigi.altervista.org/poc/ratbagcpu.zip
#######################################################################
======
4) Fix
======
No fix.
No reply to my signalations.
#######################################################################
---
Luigi Auriemma
http://aluigi.altervista.org
Powered by blists - more mailing lists