Topic: Multiple vulnerabilities in Live for Speed 0.5X10

SecurityAlert: 3030
CVE: CVE-2007-4426
CVE: CVE-2007-4425
SecurityRisk: Medium
Remote Exploit: Yes
Local Exploit: No
Exploit Available: Yes
Credit: Luigi Auriemma
Published: 21.08.2007
Affected Software: Live for Speed 0.5X10

Advisory Content:

#######################################################################

Luigi Auriemma

Application: Live for Speed
http://www.lfs.net
Versions: <= 0.5X10
Platforms: Windows
Bugs: A] nickname buffer-overflow
B] partial track buffer-overflow
C] NULL pointer access in internet/hidden S1/S2 servers
D] memcpy() NULL pointer in internet/hidden S1/S2 servers
Exploitation: remote, versus server
A] demo/S1/S2 in-game
B] demo/S1/S2 in-game
C] S1/S2 (internet/hidden)
D] S1/S2 (internet/hidden)
Date: 14 Aug 2007
Author: Luigi Auriemma
e-mail: aluigi (at) autistici (dot) org
web: aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Live for Speed (LFS) is one of the best-known car racing simulators,
since it lets you do a lot of things: races, autocross, drifting, drag
races and even parking.

#######################################################################

=======
2) Bugs
=======

---------------------------
A] nickname buffer-overflow
---------------------------

A buffer-overflow vulnerability is located in the portion of code which
handles the client's nickname from packets with ID 3.
This packet must contain the following NULL-terminated strings:

24 bytes for the nickname
8 bytes for the car's plate
16 bytes for other data
16 bytes for the helmet

The bug is triggered by a nickname longer than its allotted size, which
overwrites the fields that follow it in the packet.

--------------------------------
B] partial track buffer-overflow
--------------------------------

Another buffer-overflow is exploitable through the packets with ID 10,
but this time it does not seem possible to use it for executing remote
code because the return address is overwritten by a fixed string of the
server.

In short, when the user requests a track which is not available on the
host, the server calls:

sprintf(buff, "%s is not enabled on this host", client_track);

using a destination buffer big enough to keep the return address out of
the attacker's control, but not big enough to avoid a crash.

-------------------------------------------------------
C] NULL pointer access in internet/hidden S1/S2 servers
-------------------------------------------------------

The S1 and S2 servers which run in internet mode (so visible on the
master server) or hidden mode are vulnerable to a crash caused by the
dereference of a NULL pointer.
The problem is triggered by a packet containing a byte 0x00 at data
offset 23 of the pre-login packet with ID 3.
Demo and LAN servers are not vulnerable.

---------------------------------------------------------
D] memcpy() NULL pointer in internet/hidden S1/S2 servers
---------------------------------------------------------

The S1 and S2 servers which run in internet mode (so visible on the
master server) or hidden mode are vulnerable to a crash caused by a
call to memcpy() with a NULL source (in reality NULL + 12).
The problem seems to be caused by the absence of one or more required
strings in the pre-login packet with ID 5.
Demo and LAN servers are not vulnerable.

In summary:
Bugs A and B are in-game, so the attacker must have access to the
server, i.e. know its password if it is protected and not be banned.
Bugs C and D instead work against any server except demo and LAN
servers and are not in-game, so any attacker can crash any server,
password-protected ones included.
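As an added defensive illustration (this is not the advisory's code nor Live for Speed's, and the struct and function names are assumed), the following C parser handles the four fixed-width strings the advisory lists for packet ID 3 the way a hardened server would: each field must carry a NUL terminator inside its own width (rejecting the overlong nickname of bug A), a packet too short to hold all strings is rejected before anything is copied (the missing-string condition behind bug D), and the track reply of bug B is built with a bounded write instead of sprintf().

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Field widths as listed in the advisory for packet ID 3. */
#define NICK_LEN   24
#define PLATE_LEN   8
#define OTHER_LEN  16
#define HELMET_LEN 16

struct lfs_login {              /* assumed name; not an LFS structure */
    char nick[NICK_LEN];
    char plate[PLATE_LEN];
    char other[OTHER_LEN];
    char helmet[HELMET_LEN];
};

/* Copy one fixed-width field only if a NUL terminator lies inside it.
 * Returns 0 on success, -1 if the packet is short or the field is unterminated. */
static int copy_field(char *dst, size_t width, const unsigned char *src, size_t avail)
{
    if (avail < width)                      /* string absent: bug D condition */
        return -1;
    if (memchr(src, '\0', width) == NULL)   /* no NUL in field: overlong, bug A */
        return -1;
    memcpy(dst, src, width);
    return 0;
}

/* Parse the four strings of packet ID 3. Returns 0, or -1 on a malformed packet,
 * so an overlong nickname is rejected instead of being copied past its buffer. */
int parse_login_fields(const unsigned char *data, size_t len, struct lfs_login *out)
{
    size_t off = 0;
    if (copy_field(out->nick, NICK_LEN, data + off, len - off)) return -1;
    off += NICK_LEN;
    if (copy_field(out->plate, PLATE_LEN, data + off, len - off)) return -1;
    off += PLATE_LEN;
    if (copy_field(out->other, OTHER_LEN, data + off, len - off)) return -1;
    off += OTHER_LEN;
    return copy_field(out->helmet, HELMET_LEN, data + off, len - off);
}

/* Bug B counterpart: build the "not enabled" reply with a bounded write.
 * Returns -1 if the message would not fit in buf, instead of overflowing it. */
int format_track_reply(char *buf, size_t buflen, const char *track)
{
    int n = snprintf(buf, buflen, "%s is not enabled on this host", track);
    return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}
```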

#######################################################################

===========
3) The Code
===========

With the following tool, bugs A and B can be tested, but only against
the demo server:

http://aluigi.org/fakep/lfsfp.zip

#######################################################################

======
4) Fix
======

The only thing that the developers have been able to tell me is that
the bugs will be fixed in Patch Y (yes, I have asked for a release date
but they don't know it)... that's really stupid, since a quick fix was
the best choice, moreover considering the auto-patching system of the
game.

#######################################################################

---
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org
