rfactox.txt

Posted Aug 20, 2007
Authored by Luigi Auriemma | Site aluigi.org

rFactor versions 1.250 and below suffer from buffer overflow and code execution vulnerabilities.

tags | advisory, overflow, vulnerability, code execution
SHA-256 | a9a01d0ca9d025f9d3c5e130dfa1d4697908ec4e38d14ea3a2b0bc476fe97278

#######################################################################

Luigi Auriemma

Application: rFactor
http://www.rfactor.net
Versions: <= 1.250
Platforms: Windows
Bugs: A] buffer-overflow
B] "Connection lost" crash
C] crash/possible code execution
D] port 34397 blocked
Exploitation: remote, versus server
Date: 18 Aug 2007
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


rFactor is a racing game deeply focused on simulation.
It is developed by Image Space Incorporated
(http://www.imagespaceinc.com) and was released in August 2005.


#######################################################################

=======
2) Bugs
=======


The game server listens on 3 ports:
- UDP 34247 used for queries
- UDP 34347 used for game packets
- TCP 34447 used for login, messages, race and other information

The last two ports are very similar, not only because they use the
same game protocol but because they seem to be served by the same
functions too: all the bugs below can be exploited against both, with
the possibility of spoofing the source IP address in the case of the
UDP port.
Another important point is that the vulnerabilities can be exploited
without joining the server, so neither passwords nor bans limit them.


------------------
A] buffer-overflow
------------------

This bug is not only the most dangerous of those I have found but
also the most interesting.
A buffer-overflow vulnerability is located in the function which
handles the packets with ID 0x80 or 0x88. No return address is
overwritten here; instead the bug allows the modification of some
buffers in the server, including the one containing its version.
To exploit the bug we then need to query the server (UDP port 34297):
a second buffer-overflow happens there when the reply is built using
the too-long server version set by the attacker.
This is the moment in which the return address is overwritten.
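
A defensive illustration of the two-stage overflow described above, added here as an example and not taken from the advisory or from the game's code: the version string is bounded when it is stored, and the query reply is built with snprintf() plus a truncation check, so neither stage can write past its buffer. The buffer sizes, the reply format and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Sizes are constructed for this example; they are not rFactor's real layout. */
#define VERSION_MAX 16   /* stored server version string, including the NUL */
#define REPLY_MAX   64   /* fixed-size query reply buffer */

static char g_server_version[VERSION_MAX] = "1.250";
static char g_reply[REPLY_MAX];

/* Stage 1 of the advisory's bug A: a packet handler stores an
 * attacker-supplied string as the server version. Bounding the copy here
 * is the first fix. Returns 0 on success, -1 if the value does not fit. */
int set_server_version(const char *src, size_t src_len)
{
    if (src_len >= VERSION_MAX)          /* keep room for the terminator */
        return -1;
    memcpy(g_server_version, src, src_len);
    g_server_version[src_len] = '\0';
    return 0;
}

/* Stage 2: the query reply that embeds the stored version. A sprintf()
 * into a fixed buffer overflows as soon as the version is longer than the
 * reply layout expects, which is where the advisory's second overflow
 * overwrites the return address. snprintf() plus a truncation check keeps
 * the reply inside reply_cap even if stage 1 were bypassed. Returns the
 * reply length, or -1 if the reply would not fit. */
int build_query_reply(char *reply, size_t reply_cap, const char *name)
{
    int n = snprintf(reply, reply_cap, "rFactor server '%s' version %s",
                     name, g_server_version);
    if (n < 0 || (size_t)n >= reply_cap)
        return -1;                        /* refuse instead of truncating */
    return n;
}

int main(void)
{
    char huge[200];
    memset(huge, 'A', sizeof huge);       /* constructed over-long version */
    printf("over-long version accepted? %d\n",
           set_server_version(huge, sizeof huge));
    printf("reply length: %d\n",
           build_query_reply(g_reply, sizeof g_reply, "test"));
    return 0;
}
```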


--------------------------
B] "Connection lost" crash
--------------------------

A packet with ID 0x30 or 0x38 crashes the server (read of memory at
offset 0x00000004) after it displays the error message "Connection
lost".


--------------------------------
C] crash/possible code execution
--------------------------------

Unfortunately I wasn't able to retrieve more details about this bug,
so for the moment I prefer to classify it only as a Denial of Service.
Anyway, through packets with ID 0x60 and 0x68, which contain data about
the player (like his nickname, his car and so on), it is possible to
specify a 13 bit number (max 0x1ffb) which the server uses as the
amount of bytes to copy from the received packet into another buffer.
If this amount is too big the server crashes due to the read access to
the unallocated memory after the packet, while if we use a lower amount
the server closes (crashes silently) without any warning.
In my opinion this second effect could be caused by the overwriting of
the return address, but at the moment I don't have proof to confirm it.
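
As an added example (not from the advisory or from the game), the length validation that would prevent bug C: the 13-bit length taken from a 0x60/0x68 packet is checked against both the bytes actually received and the destination buffer before anything is copied, which covers both effects the text describes (the read past the datagram and the overwrite of memory after the buffer). The byte layout, the buffer size and the sample packets are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed packet layout for this example (the advisory only says the
 * length field is 13 bits wide, max 0x1ffb): 1-byte packet ID, a 16-bit
 * little-endian word whose low 13 bits are the length, then the payload. */
#define LEN_MASK   0x1fff
#define PLAYER_BUF 256            /* hypothetical destination buffer size */

static uint8_t g_player_data[PLAYER_BUF];

/* Copies the player field out of a 0x60/0x68 packet. Returns the number of
 * bytes copied, or -1 if the packet is rejected. The two length checks are
 * what the advisory describes as missing: a length larger than what was
 * received makes the copy read past the datagram (the crash in the text),
 * and a length larger than the destination overwrites adjacent memory. */
int copy_player_field(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 3)                           /* header not even complete */
        return -1;
    if (pkt[0] != 0x60 && pkt[0] != 0x68)
        return -1;
    size_t len = ((size_t)pkt[1] | ((size_t)pkt[2] << 8)) & LEN_MASK;
    if (len > pkt_len - 3)                     /* claims more than received */
        return -1;
    if (len > sizeof g_player_data)            /* does not fit destination */
        return -1;
    memcpy(g_player_data, pkt + 3, len);
    return (int)len;
}

/* Constructed sample packets: a 5-byte nickname, and one whose length word
 * claims 0x1ffb bytes while only 5 follow. */
static const uint8_t SAMPLE_OK[]       = { 0x60, 0x05, 0x00, 'L', 'u', 'i', 'g', 'i' };
static const uint8_t SAMPLE_OVERLONG[] = { 0x68, 0xfb, 0x1f, 'L', 'u', 'i', 'g', 'i' };

int main(void)
{
    printf("ok packet:       %d\n",
           copy_player_field(SAMPLE_OK, sizeof SAMPLE_OK));
    printf("overlong packet: %d\n",
           copy_player_field(SAMPLE_OVERLONG, sizeof SAMPLE_OVERLONG));
    return 0;
}
```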


---------------------
D] port 34397 blocked
---------------------

Packets with ID 0x20 and 0x28 instead lead to a strange and unusual
effect on the server: in short, after having received this packet its
UDP port 34397 seems to become blocked, so nobody can join and play on
the server.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/rfactox.zip


#######################################################################

======
4) Fix
======


The developers have said that they will fix the bugs but there is no
information about the release date of the patch.


#######################################################################


---
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org