SecurityTracker.com
Category:   Application (Game)  >   Xpand Rally
Vendors:   Techland
Xpand Rally Memory Allocation Error Lets Remote Users Deny Service
SecurityTracker Alert ID:  1013043
SecurityTracker URL:  http://securitytracker.com/id/1013043
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 31 2005
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 1.0.0.0
Description:   Luigi Auriemma reported a vulnerability in Xpand Rally. A remote user can cause the game server or client to crash.

A remote user can send a specially crafted packet to cause an excessive amount of memory to be allocated, triggering a malloc() failure and causing the target application to crash. A remote user can cause a target game server to crash. A remote game server that is visible in the master server list can also cause a target client to crash.

A demonstration exploit is available at:

http://aluigi.altervista.org/poc/xprallyboom.zip

Impact:   A remote user can cause the target game server to crash.

A malicious game server can cause the target game client to crash.

Solution:   The vendor has released a fixed version (1.1.0.0), available at:

http://www.xpandrally.com/en/show.php?006

Vendor URL:  www.xpandrally.com/
Cause:   Exception handling error, Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Broadcast crash in Xpand Rally 1.0.0.0



#######################################################################

                             Luigi Auriemma

Application:  Xpand Rally
              http://www.xpandrally.com
Versions:     1.0.0.0
Platforms:    Windows
Bug:          reading and writing on unallocated memory (crash)
Exploitation: remote, versus server and clients (broadcast)
Date:         30 Jan 2005
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Xpand Rally is the recent rally game developed by Techland
(http://www.techland.pl) and released in September 2004.


#######################################################################

======
2) Bug
======


The problem is caused by an unchecked memory allocation controlled by
the attacker, who can decide the exact amount of data to allocate
through a 32-bit number in his packets.

If the memory to allocate is too big, the malloc() function will fail
and no instructions will check it, so the game will try to write into a
bad memory zone (0x00000000).

Instead, if the number is big enough but can be allocated, memcpy() will
fail because it will try to read the unallocated memory after the packet's
data.

Naturally, clients are also affected, and a malicious server visible in
the master server list is able to passively crash any vulnerable client
in the world.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/xprallyboom.zip


#######################################################################

======
4) Fix
======


Version 1.1.0.0.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org
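
The length handling described in section 2 of the message above, shown as an added example that is not part of the original advisory or the game's code: a defensive parser for a length-prefixed field that rejects an oversized declared length and checks the malloc() result. The wire layout (4-byte little-endian length followed by payload), the MAX_FIELD cap and all names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed wire layout (not from the advisory): 4-byte little-endian
 * length, followed by that many payload bytes. */
#define HDR_LEN   4u
#define MAX_FIELD 1024u          /* hypothetical protocol-level cap */

enum { F_OK = 0, F_SHORT = -1, F_OVERRUN = -2, F_TOOBIG = -3, F_NOMEM = -4 };

/* Copy the length-prefixed field out of pkt. On F_OK the caller owns *out. */
int parse_field(const uint8_t *pkt, size_t pkt_len, uint8_t **out, uint32_t *out_len)
{
    *out = NULL; *out_len = 0;
    if (pkt_len < HDR_LEN)
        return F_SHORT;
    uint32_t n = (uint32_t)pkt[0] | (uint32_t)pkt[1] << 8 |
                 (uint32_t)pkt[2] << 16 | (uint32_t)pkt[3] << 24;

    /* Declared length must fit in the bytes actually received,
     * otherwise memcpy() would read past the end of the packet. */
    if (n > pkt_len - HDR_LEN)
        return F_OVERRUN;
    /* Bound the allocation independently of the datagram size. */
    if (n > MAX_FIELD)
        return F_TOOBIG;

    uint8_t *buf = malloc(n ? n : 1);
    if (buf == NULL)             /* never write through a failed malloc() */
        return F_NOMEM;
    memcpy(buf, pkt + HDR_LEN, n);
    *out = buf;
    *out_len = n;
    return F_OK;
}

int main(void)
{
    /* Constructed sample packets. */
    const uint8_t good[] = { 3, 0, 0, 0, 'a', 'b', 'c' };
    const uint8_t huge[] = { 0xff, 0xff, 0xff, 0xff, 'a' };  /* claims ~4 GiB */
    uint8_t *f; uint32_t n;
    printf("good: %d\n", parse_field(good, sizeof good, &f, &n));
    free(f);
    printf("huge: %d\n", parse_field(huge, sizeof huge, &f, &n));
    return 0;
}
```

Checking the declared length against the received size first means a hostile length is rejected before any allocation is attempted, for packets from a server as well as from a client.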
 
 

