Subject: [NT] Race Driver Multiple Vulnerabilities (Broadcast Format String, Buffer-Overflow)
Date: 20 Jul 2005 16:49:20 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



Race Driver Multiple Vulnerabilities (Broadcast Format String, Buffer-Overflow)
------------------------------------------------------------------------


SUMMARY

Race Driver (http://www.codemasters.com) is "a racing game that allows the 
player to feel like a racing driver".

Missing length and content checks on attacker-supplied text (chat messages, 
nicknames and server names) let a remote attacker trigger a format string 
vulnerability and several buffer overflows inside the game, which in turn 
can be used to make Race Driver execute arbitrary code.

DETAILS

Vulnerable Systems:
 * Race Driver version 1.20

Race Driver misuses the sprintf() function when building several kinds of 
text strings, mostly the ones it displays on screen. There are at least two 
places where this misuse can be reached by an attacker: the public chat 
hosted on the encrypted IRC server peerchat.gamespy.com, and the in-game 
server browser.

The public chat is where Race Driver parks players while they wait for a 
free server to join. Users are joined to it automatically when they choose 
to play on the Internet from the Network menu; it is a useless but mandatory 
stage. Besides the messages in the channel, the game also supports private 
messages (whispers), so an attacker can target a single user or everyone in 
the room.

The in-game server browser, in turn, is where the online servers are listed 
and sorted using the information carried in their replies, so a malicious 
server controls the strings the browser formats.

Two bugs affect these sprintf() calls: a format string vulnerability 
(attacker-controlled text is passed as the format argument) and a buffer 
overflow triggered by text strings of 264 characters.

Proof of Concept:
To test the bugs through the chat it is enough to use the game itself or an 
IRC client connected through a Peerchat proxy. Example chat messages 
(nicknames work as well) that trigger the bugs:

%n%n%n

and

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaRETA

The raw names of the channels used by Race Driver are: #GPG!511 (the 
main), #GPG!510, #GPG!508, #GPG!507, #GPG!506, #GPG!509, #GPG!513, 
#GPG!512, #GPG!485, #GPG!486 and (for some milliseconds) #GSP!racedriver

To test the bugs through a malicious server, it is enough to host a game 
whose name is %n%n%n.
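The sprintf() misuse described above and the two PoC strings, restated as an added example; this is not code from the advisory, from Luigi Auriemma or from Codemasters. The game's code is not public, so the buffer size (256 bytes, chosen so that the 264-byte string overruns it), the function names, the proxy-side filter and the reading of "RETA" as the bytes that reach the saved return address are all assumptions. The block shows the unsafe call pattern (in a comment, since most toolchains refuse to build it), the hardened snprintf() form, and a pre-filter that a Peerchat proxy or a server-browser front end could apply on both attack paths.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the game's display buffer. The advisory reports overflows
 * with 264-character strings; 256 is a guess chosen so that such a string
 * overruns it. The real value is not published. */
#define DISPLAY_BUF 256

/* The pattern the advisory describes (not compiled here: toolchains built
 * with -Werror=format-security refuse it):
 *
 *     sprintf(out, nick);   // network text is the format, no bound on out
 *
 * "%n%n%n" then makes sprintf() write through pointers it takes from the
 * stack, and any 264-byte string runs past the end of out. */

/* Hardened form: a constant format, untrusted text consumed only by %s, and
 * an explicit bound. Returns the length the full text would have had, so a
 * caller can detect truncation (return value >= cap). */
static int build_line_safe(char *out, size_t cap, const char *nick) {
    return snprintf(out, cap, "%s", nick);
}

/* Length actually stored by build_line_safe() for text s. "%n%n%n" comes
 * back as six literal characters instead of being interpreted. */
static size_t stored_len(const char *s) {
    char out[DISPLAY_BUF];
    build_line_safe(out, sizeof out, s);
    return strlen(out);
}

/* Pre-filter usable in a Peerchat proxy or a server-browser front end, i.e.
 * on both attack paths: refuse text that carries any format directive or
 * that does not fit the display buffer. Defence in depth only; the real fix
 * is the constant format above. */
static bool untrusted_text_ok(const char *s) {
    size_t n = strlen(s);
    if (n >= DISPLAY_BUF)                /* would overflow or be truncated */
        return false;
    return strchr(s, '%') == NULL;       /* %n, %s, %x ... all refused */
}

/* Reconstructs the advisory's second PoC string: 260 'a' followed by "RETA",
 * 264 bytes in total. We take "RETA" to mark the bytes that land on the
 * saved return address (an assumption; the advisory itself does not say). */
static const char *poc_overflow_string(void) {
    static char buf[265];
    memset(buf, 'a', 260);
    memcpy(buf + 260, "RETA", 5);        /* copies the terminating NUL too */
    return buf;
}

int main(void) {
    /* Constructed inputs: the two PoC strings from the advisory and a benign one. */
    const char *inputs[] = { "%n%n%n", poc_overflow_string(), "hello" };
    for (size_t i = 0; i < 3; i++)
        printf("in=%3zu stored=%3zu filter=%s\n", strlen(inputs[i]),
               stored_len(inputs[i]),
               untrusted_text_ok(inputs[i]) ? "accept" : "reject");
    return 0;
}
```

The filter is deliberately blunt: it also rejects harmless text such as "100% done", which is why it belongs in front of the game (a proxy) and not in place of the constant-format fix. With the constant format, the 264-byte string is merely truncated to 255 characters and the %n directives are printed as text; nothing is written through the stack.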


ADDITIONAL INFORMATION

The information has been provided by Luigi Auriemma (aluigi@autistici.org).
The original article can be found at:
http://aluigi.altervista.org/adv/rdrum-adv.txt


