SecurityTracker.com
Category:   Application (Game)  >   Race Driver
Vendors:   Codemasters Software Company Limited
Race Driver Game Can Be Crashed By Remote Users
SecurityTracker Alert ID:  1010432
SecurityTracker URL:  http://securitytracker.com/id/1010432
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 8 2004
Impact:   Denial of service via network, Modification of user information
Exploit Included:  Yes  
Version(s): 1.20 and prior versions
Description:   Luigi Auriemma reported a vulnerability in the Race Driver game software. A remote authenticated user can spoof messages from the application and cause the application to crash.

It is reported that a remote authenticated user can send a message packet with a length identifier of 0 to cause the game service and all attached clients to crash.

It is also reported that a remote authenticated user can send a malformed packet to cause the game to stop.

It is also reported that a remote authenticated user can spoof messages that will appear to come from an arbitrary game user.

Some demonstration exploit code is available at:

http://aluigi.altervista.org/poc/rdboom.zip

Impact:   A remote authenticated user can cause the game service and all connected clients to crash.

A remote authenticated user can spoof messages.

Solution:   No solution was available at the time of this entry.

The report indicates that the application is no longer supported.

Vendor URL:  www.codemasters.com/tocaracedriver/
Cause:   Boundary error, Exception handling error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Various crashes and fun in Race Driver 1.20



#######################################################################

                             Luigi Auriemma

Application:  http://www.codemasters.com/tocaracedriver/
Versions:     <= 1.20
Platforms:    Windows
Bugs:         various crashes and spoofed messages
Risk:         medium
Exploitation: remote, versus server and attached clients
Date:         08 June 2004
Author:       Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Race Driver is a great and funny driving game developed by Codemasters
and released in March 2003.
Actually this game is no longer supported due to the release of Race
Driver 2 in April 2004.


#######################################################################

=======
2) Bugs
=======


Important note: the attacker MUST have access to the server (so if the
  server is protected by a password the attacker must know it) and the
  bugs can be exploited ONLY when the server is in the lobby stage
  (openplaying), which is the only moment when players can join.

--------------
A] Multi crash
--------------

If a server receives a message packet with a length identifier of 0
it will crash immediately after the access to a NULL pointer.
All the attached clients will crash too.


-----------------------
B] Server disconnection
-----------------------

A malformed packet can stop the remote match in a couple of seconds.


-------------------
C] Spoofed messages
-------------------

The communication protocol used by the game permits sending messages
to the server without really being in the match and with the other
players in the server as their sources.
In fact each player is identified by an ID (for example the admin always
has ID 0) and this value can be customized in the message packet.

Very boring is the message flooding attack during the race... moreover
for the server's bandwidth.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/rdboom.zip


#######################################################################

======
4) Fix
======


No fix.
Unfortunately the game is no longer supported.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org
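
The two protocol weaknesses reported above (a length identifier of 0, and a sender ID taken from the packet itself) are conditions a server-side parser can reject before any game logic runs. The C code below is an added example, not code from the advisory, its author or Codemasters; the packet layout, `parse_chat`, the status codes and the sample packets are hypothetical, because the advisory does not document the real wire format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical layout, NOT Race Driver's real protocol:
 * [0..1] payload length (little-endian), [2] claimed sender ID, [3..] text */
#define HDR_LEN     3
#define MAX_PAYLOAD 256
enum msg_status { MSG_OK, MSG_TRUNCATED, MSG_BAD_LENGTH, MSG_SPOOFED_ID };
struct chat_msg {
    uint8_t sender_id;          /* taken from the session, never the packet */
    size_t  len;
    char    text[MAX_PAYLOAD + 1];
};

/* session_id: the ID the server assigned to this connection when it joined. */
enum msg_status parse_chat(const uint8_t *pkt, size_t pkt_len,
                           uint8_t session_id, struct chat_msg *out)
{
    if (pkt == NULL || out == NULL || pkt_len < HDR_LEN)
        return MSG_TRUNCATED;
    size_t len = (size_t)pkt[0] | ((size_t)pkt[1] << 8);
    /* Zero-length case from the report: reject it up front instead of
     * handing it to later code. An upper bound is enforced as well. */
    if (len == 0 || len > MAX_PAYLOAD)
        return MSG_BAD_LENGTH;
    if (len > pkt_len - HDR_LEN)    /* declared length exceeds received bytes */
        return MSG_TRUNCATED;
    /* Spoofing case: the ID in the packet is only a claim by the peer. */
    if (pkt[2] != session_id)
        return MSG_SPOOFED_ID;
    out->sender_id = session_id;
    out->len = len;
    memcpy(out->text, pkt + HDR_LEN, len);
    out->text[len] = '\0';
    return MSG_OK;
}

/* Constructed sample packets, all received on the connection with ID 1. */
static const uint8_t PKT_OK[]    = {2, 0, 1, 'h', 'i'};
static const uint8_t PKT_ZERO[]  = {0, 0, 1};
static const uint8_t PKT_SPOOF[] = {2, 0, 0, 'h', 'i'};   /* claims ID 0 */

int main(void)
{
    struct chat_msg m;
    printf("ok=%d zero=%d spoof=%d\n", parse_chat(PKT_OK, sizeof PKT_OK, 1, &m),
           parse_chat(PKT_ZERO, sizeof PKT_ZERO, 1, &m),
           parse_chat(PKT_SPOOF, sizeof PKT_SPOOF, 1, &m));
    return 0;
}
```

A server that drops the connection on any status other than `MSG_OK` also limits how fast a single peer can flood the lobby with rejected packets.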

 
 



Copyright 2019, SecurityGlobal.net LLC