Clients buffer-overflow in Live for Speed 0.5X10

2007.10.16
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#######################################################################

                             Luigi Auriemma

Application:  Live for Speed
              http://www.lfs.net
Versions:     <= 0.5X10
Platforms:    Windows
Bug:          client buffer-overflow during skins handling
Exploitation: remote, versus clients (the attacker can be a malicious
              client or the server itself)
Date:         13 Oct 2007
Author:       Luigi Auriemma
              e-mail: aluigi (at) autistici (dot) org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Live for Speed (LFS) is one of the best-known car racing simulators and supports many kinds of events: races, autocross, drifting, drag races, demolition derby, knock-out and more.

#######################################################################

======
2) Bug
======

Live for Speed lets players use different skins for their cars: either the ones available by default or new skins in DDS format created by the users themselves.

When a player who has already joined a server decides to enter the track, a packet with all the information about his car (setup, colours, skin and so on) is sent to the server, which forwards some of that data to all the other connected clients.

The field holding the name of the skin in use is 16 bytes long. Each receiving client reads it and concatenates it with the name of the car to build the path of the DDS file to load from the local skins folders. The operation is performed without proper checks, resulting in a stack buffer-overflow.

In short, any client that can join a server and race on it (not as a spectator) can exploit this vulnerability to crash, or possibly execute malicious code on (the maximum number of allowed chars is 48), every other client connected to the server except itself.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/lfscbof.zip

#######################################################################

======
4) Fix
======

No fix. The developers have not been contacted, since other buffer-overflow vulnerabilities affecting the clients locally, found by my friend n00b and reported to them at the end of July, still exist (not patched yet).

#######################################################################

---
Luigi Auriemma
http://aluigi.org
http://forum.aluigi.org
http://mirror.aluigi.org
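The path-building step described above, as an added example that is not part of the original advisory and not LFS's own code. The packet layout (a 4-byte car code followed by the 16-byte skin field), the "skins/<car>_<skin>.dds" naming, the 32-byte destination buffer, the sample packets and all function names are assumptions made for illustration; only the 16-byte width of the skin field comes from the advisory. The vulnerable shape trusts the field to be NUL-terminated and to fit the destination; the hardened shape bounds every read to the field, allow-lists the characters so the name cannot leave the skins folder, and refuses truncated output instead of loading a guessed file.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SKIN_FIELD_LEN 16   /* skin-name field width in the car-info packet (from the advisory) */
#define CAR_FIELD_LEN   4   /* assumption: short car code such as "XRT" plus NUL */
#define PATH_BUF_LEN   32   /* assumption: "skins/" + 4 + "_" + 16 + ".dds" + NUL = 32 worst case */

/* Assumed (constructed) packet layout: car code followed by the skin name. */
struct car_info {
    char car[CAR_FIELD_LEN];
    char skin[SKIN_FIELD_LEN];
};

/* Copy a received packet into the struct, refusing short packets. */
int parse_car_info(const uint8_t *buf, size_t len, struct car_info *out)
{
    if (buf == NULL || len < sizeof *out)
        return -1;
    memcpy(out, buf, sizeof *out);
    return 0;
}

/* Vulnerable shape: strcpy/strcat trust that both fields are NUL-terminated
 * and that "out" is large enough.  A 16-byte skin name with no NUL makes
 * strcat read past the field and write past a fixed stack buffer; this is
 * the pattern the advisory describes.  Only ever called with a benign packet. */
void vulnerable_skin_path(const struct car_info *ci, char *out)
{
    strcpy(out, "skins/");
    strcat(out, ci->car);
    strcat(out, "_");
    strcat(out, ci->skin);
    strcat(out, ".dds");
}

/* Length of a fixed-width field that may lack a NUL terminator. */
static size_t field_len(const char *f, size_t max)
{
    size_t n = 0;
    while (n < max && f[n] != '\0')
        n++;
    return n;
}

/* Hardened shape: bounded reads, an allow-list for the name, and a
 * length-checked write.  Returns 0 and fills out[] on success, -1 when the
 * packet is rejected (bad characters or a path that would not fit). */
int hardened_skin_path(const struct car_info *ci, char *out, size_t out_len)
{
    size_t car_len  = field_len(ci->car, sizeof ci->car);    /* never reads past the field */
    size_t skin_len = field_len(ci->skin, sizeof ci->skin);
    if (car_len == 0 || skin_len == 0)
        return -1;
    for (size_t i = 0; i < skin_len; i++) {                  /* allow-list: letters, digits, '_', '-' */
        unsigned char c = (unsigned char)ci->skin[i];
        if (!isalnum(c) && c != '_' && c != '-')
            return -1;                                       /* rejects '/', '\\', '.', NUL-less junk */
    }
    int n = snprintf(out, out_len, "skins/%.*s_%.*s.dds",
                     (int)car_len, ci->car, (int)skin_len, ci->skin);
    if (n < 0 || (size_t)n >= out_len) {                     /* would truncate: refuse, don't guess */
        if (out_len)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed sample packets (not real LFS traffic). */
static const struct car_info PKT_NORMAL = { "XRT", "my_skin" };
static const struct car_info PKT_FULL   = { "XRT", "AAAAAAAAAAAAAAAA" };  /* 16 bytes, no NUL */
static const struct car_info PKT_EVIL   = { "XRT", "../../evil" };
static const uint8_t RAW_PKT[sizeof(struct car_info)] = "XRT\0" "AAAAAAAAAAAAAAAA";

static char g_path[PATH_BUF_LEN];
struct car_info g_parsed;

/* Build into a static buffer of the given size (capped at PATH_BUF_LEN) and
 * return it, or NULL when the hardened builder rejected the packet. */
const char *skin_path_or_null(const struct car_info *ci, size_t out_len)
{
    if (out_len > sizeof g_path)
        out_len = sizeof g_path;
    return hardened_skin_path(ci, g_path, out_len) == 0 ? g_path : NULL;
}

int main(void)
{
    char big[64];   /* generous buffer: the vulnerable builder is only safe with a benign packet */
    vulnerable_skin_path(&PKT_NORMAL, big);
    printf("vulnerable, benign input : %s\n", big);
    printf("hardened, benign input   : %s\n", skin_path_or_null(&PKT_NORMAL, PATH_BUF_LEN));
    printf("hardened, unterminated   : %s\n", skin_path_or_null(&PKT_FULL, PATH_BUF_LEN));
    printf("hardened, 24-byte buffer : %s\n", skin_path_or_null(&PKT_FULL, 24) ? "built" : "rejected");
    printf("hardened, traversal name : %s\n", skin_path_or_null(&PKT_EVIL, PATH_BUF_LEN) ? "built" : "rejected");
    printf("parse 20-byte packet     : %d\n", parse_car_info(RAW_PKT, sizeof RAW_PKT, &g_parsed));
    printf("parse 10-byte packet     : %d\n", parse_car_info(RAW_PKT, 10, &g_parsed));
    return 0;
}
```

The unterminated 16-byte skin is the interesting case: the hardened builder stops at the field boundary and produces a 30-character path, while the vulnerable builder would keep reading into whatever follows the field. Rejecting on truncation rather than silently shortening matters too, because a shortened name could resolve to a different file than the one the sender named.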
Copyright 2024, cxsecurity.com