Multiple vulnerabilities in rFactor 1.250
From: Luigi Auriemma <aluigi(at)autistici.org>
Date: Sat Aug 18 2007 - 18:05:44 EDT

#######################################################################
Luigi Auriemma
Application: rFactor
http://www.rfactor.net
Versions: <= 1.250
Platforms: Windows
Bugs: A] buffer-overflow
B] "Connection lost" crash
C] crash/possible code execution
D] port 34397 blocked
Exploitation: remote, versus server
Date: 18 Aug 2007
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

1) Introduction

rFactor is a racing game deeply focused on simulation. It is developed by Image Space Incorporated (http://www.imagespaceinc.com) and was released in August 2005.

#######################################################################

2) Bugs

The game server listens on 3 ports:
- UDP 34247 used for queries
- UDP 34347 used for game packets
- TCP 34447 used for login, messages, race and other information
The last two ports are very similar, not only because they use the same game protocol but because they seem to be handled by the same functions too; in fact all the bugs below can be exploited against both, with the possibility of spoofing the source IP address in the case of the UDP port.

A] buffer-overflow

This bug is not only the most dangerous of those I have found but it's also the most interesting.
B] "Connection lost" crash

A packet with ID 0x30 or 0x38 causes the crash of the server (read of memory at offset 0x00000004) after the visualization of the error message "Connection lost".

C] crash/possible code execution

Unfortunately I wasn't able to retrieve more details about this bug, so for the moment I prefer to classify it only as a Denial of Service. Anyway, through packets with ID 0x60 and 0x68, which contain data about the player (like his nickname, his car and so on), it is possible to specify a 13 bit number (max 0x1ffb) which is used by the server to copy this amount of bytes from the received packet into another buffer. If this amount is too big we will crash the server due to the read access to the unallocated memory after the packet, while if we use a lower amount the server will close (crash silently) without any warning. In my opinion this second effect could be caused by the overwriting of the return address, but at the moment I don't have proof to confirm it.

D] port 34397 blocked

Packets with ID 0x20 and 0x28 instead lead to a strange and unusual effect on the server: in short, after having received this packet its UDP port 34397 seems to become blocked, and so nobody can join and play on the server.

#######################################################################

3) The Code

http://aluigi.org/poc/rfactox.zip

#######################################################################

4) Fix

The developers have said that they will fix the bugs, but there is no info about the release date of the patch.

#######################################################################
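Added example, not part of the advisory and not rFactor's or the author's code: the two bounds checks whose absence the description of bug C] implies, a packet-supplied copy length used for a memcpy without being compared to the bytes actually received or to the destination buffer. The wire layout (ID byte, then a little-endian 16-bit word whose low 13 bits are the length, then the payload), the function names and the constants HDR_LEN/LEN_MASK are assumptions made for illustration; the advisory documents neither the field offsets nor the server code.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ASSUMED layout for this example (not documented in the advisory):
 *   byte 0     packet ID; the advisory names 0x60 and 0x68 for player packets
 *   bytes 1-2  little-endian 16-bit word; low 13 bits = payload length
 *   bytes 3..  payload that the server copies into its own buffer          */
#define HDR_LEN  3
#define LEN_MASK 0x1fffu   /* 13-bit length field, as the advisory describes */

typedef enum {
    PKT_OK = 0,
    PKT_TOO_SHORT,        /* datagram shorter than the fixed header */
    PKT_LEN_EXCEEDS_PKT,  /* length claims more bytes than were received */
    PKT_LEN_EXCEEDS_DST   /* length larger than the destination buffer */
} pkt_status;

/* Copy the payload into out[] only after validating the packet-supplied
 * length against the bytes actually received AND the destination capacity.
 * The vulnerable pattern the advisory describes performs the memcpy with
 * the raw 13-bit value and skips both checks. */
pkt_status copy_player_payload(const uint8_t *pkt, size_t pkt_len,
                               uint8_t *out, size_t out_cap, size_t *copied)
{
    *copied = 0;
    if (pkt_len < HDR_LEN)
        return PKT_TOO_SHORT;

    size_t claimed = ((size_t)pkt[1] | ((size_t)pkt[2] << 8)) & LEN_MASK;

    /* Check 1: a claim larger than the data following the header would
     * read past the end of the datagram (the "too big" crash). */
    if (claimed > pkt_len - HDR_LEN)
        return PKT_LEN_EXCEEDS_PKT;

    /* Check 2: a claim larger than the destination would overflow it
     * silently even though the bytes do exist in the datagram. */
    if (claimed > out_cap)
        return PKT_LEN_EXCEEDS_DST;

    memcpy(out, pkt + HDR_LEN, claimed);
    *copied = claimed;
    return PKT_OK;
}

/* Build a constructed packet in the assumed layout so the checks can be
 * exercised offline. Returns the total length, or 0 if buf is too small. */
size_t build_packet(uint8_t *buf, size_t buf_cap, uint8_t id,
                    uint16_t claimed_len, const uint8_t *payload, size_t payload_len)
{
    if (buf_cap < HDR_LEN + payload_len)
        return 0;
    buf[0] = id;
    buf[1] = (uint8_t)(claimed_len & 0xff);
    buf[2] = (uint8_t)(claimed_len >> 8);
    memcpy(buf + HDR_LEN, payload, payload_len);
    return HDR_LEN + payload_len;
}

int main(void)
{
    static const char *names[] = { "OK", "TOO_SHORT", "LEN_EXCEEDS_PKT", "LEN_EXCEEDS_DST" };
    uint8_t payload[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };   /* constructed sample data */
    uint8_t pkt[64], out[16];
    size_t n, len;

    /* Honest packet: the length field matches the 8 payload bytes. */
    len = build_packet(pkt, sizeof pkt, 0x60, 8, payload, sizeof payload);
    printf("honest : %s (%zu bytes)\n",
           names[copy_player_payload(pkt, len, out, sizeof out, &n)], n);

    /* Hostile packet: claims the maximum the advisory cites (0x1ffb) while
     * only 8 bytes follow the header; the check rejects it before any copy. */
    len = build_packet(pkt, sizeof pkt, 0x60, 0x1ffb, payload, sizeof payload);
    printf("hostile: %s (%zu bytes)\n",
           names[copy_player_payload(pkt, len, out, sizeof out, &n)], n);
    return 0;
}
```

Both comparisons are needed: the first alone stops the out-of-bounds read the advisory attributes to a "too big" value, but a value that fits inside the datagram yet exceeds the destination would still overwrite whatever sits after that buffer, which matches the silent close the advisory reports for a "lower amount".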
---
This archive was generated by hypermail 2.1.8 : Sun Oct 28 2007 - 06:12:36 EDT