Various game engines and games developed by Ratbag is vulnerable to a denial of service attack. Full analysis given.
0b1089fe129f3c8ed14504b82bf9fa212d6479c35297ebd93aed59986e66802d
#######################################################################
Luigi Auriemma
Application: Game engine and games developed by Ratbag
http://www.ratbaggames.com
Games/Ver: - Dirt Track Racing <= 1.03
- Dirt Track Racing Australia
- Leadfoot
- Dirt Track Racing Sprint Cars <= 1.01
- Dirt Track Racing 2
- World of Outlaws Sprint Cars
Platforms: Windows
Bug: CPU at 100%, match freezed
Risk: medium/high
Exploitation: remote, versus server
Date: 11 Feb 2004
Author: Luigi Auriemma
e-mail: aluigi@altervista.org
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Ratbag is a software house enough famous in the gaming scene for its
racing games based on "dirty" racing sports.
Just its most famous game Dirt Track Racing in fact has winned some
awards in the past.
#######################################################################
======
2) Bug
======
The bug is a freezing of the server (CPU up to 100%) caused by the
value identifying the length of the data.
This value is the first 16 bit number that is located at the beginning
of each data block, it is read by the server to know how many bytes
must be read and to calculate the amount of remaining data to receive
from the socket to complete the data block.
The problem is located just in the management of the sockets in fact
the Ratbag engine uses TCP connections on non-blocked sockets so
everytime that there are remaining bytes to read the game will do an
infinite check on the socket to know if are arrived new data.
So for example if an attacker uses the value 3 but sends only 2 bytes,
the remaining byte will cause the infinite loop because naturally he
will stay connected and will never send this last byte.
#######################################################################
===========
3) The Code
===========
http://aluigi.altervista.org/poc/ratbagcpu.zip
#######################################################################
======
4) Fix
======
No fix.
No reply to my signalations.
#######################################################################
---
Luigi Auriemma
http://aluigi.altervista.org
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed