Remote denial of service attacks are possible against the server and connected clients of Race Driver versions 1.20 and below when a server receives a message packet with a length identifier of 0.
d6c6c91f1ccc1e4dd638f154d4b57072248074696439af33a855eaa16a306ebe
#######################################################################
Luigi Auriemma
Application: http://www.codemasters.com/tocaracedriver/
Versions: <= 1.20
Platforms: Windows
Bugs: various crashs and spoofed messages
Risk: medium
Exploitation: remote, versus server and attached clients
Date: 08 June 2004
Author: Luigi Auriemma
e-mail: aluigi@altervista.org
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Race Driver is a great and funny driving game developed by Codemasters
and released in March 2003.
Actually this game is no longer supported due to the release of Race
Driver 2 in April 2004.
#######################################################################
=======
2) Bugs
=======
Important note: the attacker MUST have access to the server (so if the
server is protected by password the attacker must know it) and the
bugs can be exploited ONLY when the server is in the lobby stage
(openplaying) that is the only moment when players can join.
--------------
A] Multi crash
--------------
If a server receives a message packet with a length identifier of 0
it will crash immediately after the access to a NULL pointer.
All the attached clients will crash too.
-----------------------
B] Server disconnection
-----------------------
A malformed packet can stop the remote match in a couple of seconds.
-------------------
C] Spoofed messages
-------------------
The communication protocol used by the game permits to send messages
to the server without to be really in the match and with the other
players in the server as their sources.
In fact each player is identified by an ID (for example the admin as
ever ID 0) and this value can be customized in the message packet.
Very boring is the messages flooding attack during the race... moreover
for the server's bandwidth.
#######################################################################
===========
3) The Code
===========
http://aluigi.altervista.org/poc/rdboom.zip
#######################################################################
======
4) Fix
======
No fix.
Unfortunately the game is no longer supported.
#######################################################################
---
Luigi Auriemma
http://aluigi.altervista.org
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed