lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20070815000239.0d21ba0a.aluigi@autistici.org>
Date: Wed, 15 Aug 2007 00:02:39 +0200
From: Luigi Auriemma <aluigi@...istici.org>
To: bugtraq@...urityfocus.com, bugs@...uritytracker.com,
	news@...uriteam.com, full-disclosure@...ts.grok.org.uk,
	vuln@...unia.com, packet@...ketstormsecurity.org
Subject: Multiple vulnerabilities in Live for Speed 0.5X10


#######################################################################

                             Luigi Auriemma

Application:  Live for Speed
              http://www.lfs.net
Versions:     <= 0.5X10
Platforms:    Windows
Bugs:         A] nickname buffer-overflow
              B] partial track buffer-overflow
              C] NULL pointer access in internet/hidden S1/S2 servers
              D] memcpy() NULL pointer in internet/hidden S1/S2 servers
Exploitation: remote, versus server
              A] demo/S1/S2 in-game
              B] demo/S1/S2 in-game
              C] S1/S2 (internet/hidden)
              D] S1/S2 (internet/hidden)
Date:         14 Aug 2007
Author:       Luigi Auriemma
              e-mail: aluigi@...istici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Live for Speed (LFS) is one of the most known and cool car racing
simulators available since you can do a lot of things: races,
autocross, drifting, drag races and a parking too.


#######################################################################

=======
2) Bugs
=======

---------------------------
A] nickname buffer-overflow
---------------------------

A buffer-overflow vulnerability is located in the portion of code which
handles the client's nickname from packets with ID 3.
This packet must contain the following NULL terminated strings:

  24 bytes for the nickname
   8 bytes for the car's plate
  16 bytes for other data
  16 bytes for the helmet

For exploiting the bug it's enough to set a nickname longer than its
needed size overwriting the other fields after it in the packet.


--------------------------------
B] partial track buffer-overflow
--------------------------------

Another buffer-overflow is exploitable through the packets with ID 10
but this time doesn't seem possible to use it for executing remote
code because the return address is overwritten by a fixed string of the
server.

In short when the user requests a track which is not available on the
host, the server calls:

  sprintf(buff, "%s is not enabled on this host", client_track);

using a destination buffer enough big to avoid the controlling of the
return address but not enough for avoiding a crash.


-------------------------------------------------------
C] NULL pointer access in internet/hidden S1/S2 servers
-------------------------------------------------------

The S1 and S2 servers which run in internet (so visible on the master
server) or hidden mode are vulnerable to a crash attack caused by the
access to a NULL pointer.
The problem is exploitable through a packet containing a byte 0x00 at
the data offset 23 of the pre-login packet with ID 3.
demo and LAN servers are not vulnerable.


---------------------------------------------------------
D] memcpy() NULL pointer in internet/hidden S1/S2 servers
---------------------------------------------------------

The S1 and S2 servers which run in internet (so visible on the master
server) or hidden mode are vulnerable to a crash attack caused by the
calling of memcpy() with a NULL source (in reality it's NULL + 12).
The problem seems caused by the absence of one or more needed strings
in the pre-login packet with ID 5.
demo and LAN servers are not vulnerable.


Resuming:
Both the bugs A and B are in-game so the attacker must have access to
the server like knowing its password if it's protected or being not
banned.
Bugs C and D instead work versus any server except demo and LAN servers
and are not in-game so any attacker can crash any server, password
protected too.


#######################################################################

===========
3) The Code
===========


with the following tool the bugs A and B can be tested only versus the
demo server:

http://aluigi.org/fakep/lfsfp.zip


#######################################################################

======
4) Fix
======


The only thing that the developers have been able to tell me is that
the bugs will be fixed in Patch Y (yes I have asked for a release date
but they don't know it)... that's really stupid since a quick fix was
the best choice moreover considering the auto-patching system of the
game.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ