Xpand Rally Memory Allocation Error Lets Remote Users Deny Service
SecurityTracker Alert ID: 1013043 |
SecurityTracker URL: http://securitytracker.com/id/1013043
CVE Reference:
GENERIC-MAP-NOMATCH
Date: Jan 31 2005
Impact:
Denial of service via network
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): 1.0.0.0
Description:
Luigi Auriemma reported a vulnerability in Xpand Rally. A remote user can cause the game server or client to crash.
A remote user can send a specially crafted packet to cause an excessive amount of memory to be allocated, triggering a malloc() failure and causing the target application to crash. A remote user can cause a target game server to crash. A remote game server that is visible in the master server list can also cause a target client to crash.
A demonstration exploit is available at:
http://aluigi.altervista.org/poc/xprallyboom.zip
Impact:
A remote user can cause the target game server to crash.
A malicious game server can cause the target game client to crash.
Solution:
The vendor has released a fixed version (1.1.0.0), available at:
http://www.xpandrally.com/en/show.php?006
Vendor URL: www.xpandrally.com/
Cause:
Exception handling error, Input validation error
Underlying OS:
Windows (Any)
Message History:
None.
Source Message Contents
Date: Sun, 30 Jan 2005 20:26:11 +0000
Subject: Broadcast crash in Xpand Rally 1.0.0.0
#######################################################################
Luigi Auriemma
Application: Xpand Rally
http://www.xpandrally.com
Versions: 1.0.0.0
Platforms: Windows
Bug: reading and writing on unallocated memory (crash)
Exploitation: remote, versus server and clients (broadcast)
Date: 30 Jan 2005
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Xpand Rally is a recent rally game developed by Techland
(http://www.techland.pl) and released in September 2004.
#######################################################################
======
2) Bug
======
The problem is caused by an unchecked memory allocation controlled by
the attacker, who can decide the exact amount of data to allocate
through a 32-bit number in his packets.
If the memory to allocate is too big, the malloc() function will fail
and no instructions check it, so the game will try to write into a
bad memory zone (0x00000000).
Instead, if the number is big enough but can still be allocated, memcpy()
will fail because it will try to read the unallocated memory after the
packet's data.
Naturally clients are also affected, and a malicious server visible in
the master server list is able to passively crash any vulnerable client
in the world.
#######################################################################
===========
3) The Code
===========
http://aluigi.altervista.org/poc/xprallyboom.zip
#######################################################################
======
4) Fix
======
Version 1.1.0.0.
#######################################################################
---
Luigi Auriemma
http://aluigi.altervista.org
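As an added illustration (not part of the advisory and not the game's code), the unchecked length handling described in section 2 is shown beside a bounds-checked version. The packet layout is assumed for illustration only: a 32-bit little-endian length field followed by that many payload bytes; MAX_PAYLOAD is an assumed protocol limit.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed packet layout, assumed for illustration only (not Xpand Rally's
 * real wire format): a 32-bit little-endian length, then that many payload bytes. */
#define HDR_LEN      4u
#define MAX_PAYLOAD  65536u   /* assumed protocol limit; pick what the protocol needs */

static uint32_t read_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The pattern the advisory describes: the attacker's length goes straight to
 * malloc() and memcpy(). A huge value makes malloc() return NULL and memcpy()
 * writes to address 0; a large-but-allocatable value makes memcpy() read past
 * the end of the received datagram. Kept here for contrast, never called. */
uint8_t *parse_payload_unsafe(const uint8_t *pkt) {
    uint32_t len = read_u32le(pkt);
    uint8_t *buf = malloc(len);
    memcpy(buf, pkt + HDR_LEN, len);
    return buf;
}

/* Hardened version: returns a heap copy of the payload, or NULL (leaving
 * *out_len untouched) on any malformed input. */
uint8_t *parse_payload_safe(const uint8_t *pkt, size_t pkt_len, size_t *out_len) {
    if (pkt_len < HDR_LEN) return NULL;            /* not even a complete length field */
    uint32_t len = read_u32le(pkt);
    if (len > pkt_len - HDR_LEN) return NULL;      /* claimed length exceeds bytes received */
    if (len > MAX_PAYLOAD) return NULL;            /* protocol sanity limit */
    uint8_t *buf = malloc(len ? len : 1);          /* avoid malloc(0) ambiguity */
    if (buf == NULL) return NULL;                  /* allocation failure is an error path, not a crash */
    memcpy(buf, pkt + HDR_LEN, len);
    *out_len = len;
    return buf;
}

int main(void) {
    const uint8_t ok[]   = { 3, 0, 0, 0, 'a', 'b', 'c' };       /* constructed: honest length */
    const uint8_t huge[] = { 0xff, 0xff, 0xff, 0xff, 'a' };     /* constructed: 4 GiB claim */
    size_t n = 0;
    uint8_t *p = parse_payload_safe(ok, sizeof ok, &n);
    printf("ok packet: %s, %zu bytes\n", p ? "accepted" : "rejected", n);
    free(p);
    printf("huge packet: %s\n", parse_payload_safe(huge, sizeof huge, &n) ? "accepted" : "rejected");
    return 0;
}
```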