Register | Forget Password | Login
Search :
SecurityReason

News

Search

SecurityAlert

About SecurityAlert

ExploitAlert

SecurityReason Research
WLB

WLB Database

Send to WLB

About WLB
RSS

News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP
Corporate

Contact

About us
Services

SecurePHP
Note

If you have found a vulnerability, please send to our SecurityAlert Database :
secalert()securityreason()com

Also if you have new ( 0-day ) exploit, please send to our ExploitAlert Archive :
exploit()securityreason()com
Details : SecurityAlert

  Topic : Multiple vulnerabilities in rFactor 1.250
  SecurityAlert : 3037
  CVE : CVE-2007-4445
  CVE : CVE-2007-4444
  SecurityRisk : High  alert  (About)
  Remote Exploit : Yes
  Local Exploit : Yes
  Exploit Given : No
  Credit : Luigi Auriemma
  Published : 22.08.2007

  Affected Software : rFactor <= 1.250



  Advisory Text :  

#######################################################################

Luigi Auriemma

Application: rFactor
http://www.rfactor.net
Versions: <= 1.250
Platforms: Windows
Bugs: A] buffer-overflow
B] "Connection lost" crash
C] crash/possible code execution
D] port 34397 blocked
Exploitation: remote, versus server
Date: 18 Aug 2007
Author: Luigi Auriemma
e-mail: aluigi (at) autistici (dot) org [email concealed]
web: aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

rFactor is a racing game deeply focused on simulation.
It's developed by Image Space Incorporated
(http://www.imagespaceinc.com) and has been released in August 2005.

#######################################################################

=======
2) Bugs
=======

The game server listens on 3 ports:
- UDP 34247 used for queries
- UDP 34347 used for game packets
- TCP 34447 used for login, messages, race and other informations

Anyway the last two ports are very similar not only because they use
the same game protocol but just because they seem to work with the same
functions too, in fact all the bugs below can be exploited versus both
with the possibility of spoofing the source IP address in case of the
UDP port.
Another important thing is that the vulnerabilities can be exploited
without joining the server, so no password or banning limitations.

------------------
A] buffer-overflow
------------------

This bug is not only the most dangerous of those I have found but it's
also the most interesting.
A buffer-overflow vulnerability is located in the function which
handles the packets with ID 0x80 or 0x88 but no return address is
overwritten, in fact the bug allows the modification of some buffers in
the server included the one containing its version.
For exploting the bug we need to query the server (UDP port 34297)
where will happen a second buffer-overflow caused by the creation of a
reply using the too long server's version set by the attacker.
This is the moment in which the return address will be overwritten.

--------------------------
B] "Connection lost" crash
--------------------------

A packet with ID 0x30 or 0x38 causes the crash of the server (read of
memory at offset 0x00000004) after the visualization of the error
message "Connection lost".

--------------------------------
C] crash/possible code execution
--------------------------------

Unfortunately I wasn't able to retrieve more details about this bug so
for the moment I prefer to classify it only as a Denial of Service.
Anyway through packets with ID 0x60 and 0x68 which contain data about
the player (like his nickname, his car and so on) is possible to
specify a 13 bit number (max 0x1ffb) which is used by the server to
copy this amount of bytes from the received packet into another buffer.
If this amount is too big we will crash the server due to the read
access to the unallocated memory after the packet, while if we use a
lower amount the server will close (crash silenty) without no warnings.
In my opinion this second effect could be caused by the overwriting of
the return address but in this moment I don't have proofs for
confirming it.

---------------------
D] port 34397 blocked
---------------------

Packets with ID 0x20 and 0x28 instead leads to a strange and unusual
effect on the server, in short after having received this packet its
UDP port 34397 seems to become blocked and so nobody can join and play
on the server.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/rfactox.zip

#######################################################################

======
4) Fix
======

The developers have said that will fix the bugs but there are no info
about the release date of the patch.

#######################################################################

---
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org



  Feedback :

If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com.
Alert

*BSD libc (strfmon) Multiple vulnerabilities

high- 2008-03-25

Maksymilian Arciemowicz discovered a Integer Overflow vulnerability in the libc library "strfmon()" function.A vulnerability could allow an attacker who successfully exploits this vulnerability to take control of the affected *BSD systems.
Apache rss

» Apache Tomcat information
   disclosure

» Apache Tomcat <=
   6.0.18 UTF8 Directory
   Traversal Vulnerability

» Apache Tomcat information
   disclosure vulnerability

» Apache Tomcat XSS
   vulnerability
PHP rss

» PHP 5.2.6 (error_log)
   safe_mode bypass

» PHP 5.2.6 chdir(),ftok()
   (standard ext) safe_mode
   bypass

» PHP 5.2.6 posix_access()
   (posix ext) safe_mode
   bypass

» PHP 5.2.5 and prior :
   *printf() functions
   Integer Overflow
Copyright © SecurityReason. All Rights Reserved.