[NT] Race Driver Multiple Vulnerabilities (Broadcast Format String, Buffer-Overflow)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Race Driver Multiple Vulnerabilities (Broadcast Format String, Buffer-Overflow)
------------------------------------------------------------------------

SUMMARY

<http://www.codemasters.com> Race Driver is "a racing game that allows the player to feel like a racing driver". Lack of length and content checking allows an attacker to trigger a format string vulnerability and several buffer overflows inside the program, which in turn can be used to make Race Driver execute arbitrary code.

DETAILS

Vulnerable Systems:
 * Race Driver version 1.20

Race Driver uses the sprintf() function incorrectly when building the various text strings it displays. This misuse of sprintf() can be exploited in at least two places: the public chat hosted on the encrypted IRC server peerchat.gamespy.com, and the in-game server browser.

The public chat is where Race Driver places users while they wait for a free server to join. Users join it automatically when they choose to play on the Internet from the Network menu; it is a useless but mandatory stage. Besides messages to the channel, the game also supports private messages (whispers), so an attacker can target one specific user or every user in the room.

The in-game server browser is where the on-line servers are listed and sorted using the information received in their replies.

The sprintf() call is affected by two bugs: a format string vulnerability, and a buffer overflow triggered by text strings of 264 characters.
Proof of Concept:

For testing the bugs through the chat it is enough to use the game itself or an IRC client with a Peerchat proxy. Example chat messages (or nicknames) that trigger the bugs are the following:

%n%n%n

and

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaRETA

The raw names of the channels used by Race Driver are: #GPG!511 (the main one), #GPG!510, #GPG!508, #GPG!507, #GPG!506, #GPG!509, #GPG!513, #GPG!512, #GPG!485, #GPG!486 and (for some milliseconds) #GSP!racedriver

For testing the bugs through a malicious server you only need to host a game with the name %n%n%n.

ADDITIONAL INFORMATION

The information has been provided by <mailto:aluigi@xxxxxxxxxxxxx> Luigi Auriemma.
The original article can be found at: <http://aluigi.altervista.org/adv/rdrum-adv.txt>
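As an added example (not code from the advisory, from Codemasters, or from the game itself), the C below shows the shape of the sprintf() misuse the advisory describes for both the chat text and the server-browser names, beside a hardened replacement: a bounded snprintf() with a fixed format string, plus an input check that rejects over-long text and '%' directives before they reach the renderer. CHAT_BUF_LEN, the function names and the sample inputs are assumptions made for illustration; the advisory gives the overflow length (264 characters) but not the real buffer size.

```c
#include <stdio.h>
#include <string.h>

/* Assumed display-buffer size for this example; the advisory only states that
 * 264-character strings overflow the real buffer, not its exact size. */
#define CHAT_BUF_LEN 256

/*
 * Shape of the bug the advisory describes (shown as a comment, not compiled):
 *
 *     char shown[CHAT_BUF_LEN];
 *     sprintf(shown, text);        // text is the chat message or server name
 *
 * Two defects: the untrusted text is used as the format string, so '%'
 * directives in it are interpreted; and sprintf() has no length bound, so a
 * message longer than 'shown' writes past the end of the buffer.
 */

/* Defensive input check for text received from the chat or from server
 * replies. Returns 1 if the text fits in a buffer of max_len characters
 * (excluding the NUL) and contains no '%' at all, 0 otherwise. Rejecting '%'
 * is belt-and-braces: the hardened renderer below never treats the text as a
 * format string, but dropping such input early also gives a useful log
 * signal for detection. */
int is_safe_display_text(const char *text, size_t max_len)
{
    size_t i;
    for (i = 0; text[i] != '\0'; i++) {
        if (i >= max_len)          /* longer than the buffer can hold */
            return 0;
        if (text[i] == '%')        /* printf directive in untrusted text */
            return 0;
    }
    return 1;
}

/* Hardened renderer: fixed format string, explicit bound, always NUL
 * terminated. Returns the number of characters actually stored in 'out'
 * (not counting the NUL), or -1 on error. Over-long input is truncated
 * instead of overflowing. */
int render_display_text(char *out, size_t out_len, const char *nick, const char *text)
{
    int n;
    if (out == NULL || out_len == 0)
        return -1;
    n = snprintf(out, out_len, "<%s> %s", nick, text);
    if (n < 0) {
        out[0] = '\0';
        return -1;
    }
    if ((size_t)n >= out_len)      /* snprintf reports the untruncated length */
        return (int)out_len - 1;
    return n;
}

/* Constructed input modelled on the advisory's second proof-of-concept:
 * a run of 'a' characters longer than the display buffer (299 of them). */
const char *constructed_long_text(void)
{
    static char buf[300];
    memset(buf, 'a', sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    return buf;
}

int main(void)
{
    char shown[CHAT_BUF_LEN];
    const char *inputs[3];
    size_t i;

    inputs[0] = "hello";                    /* benign message */
    inputs[1] = "%n%n%n";                   /* format-string PoC from the advisory */
    inputs[2] = constructed_long_text();    /* over-long message */

    for (i = 0; i < 3; i++) {
        int ok = is_safe_display_text(inputs[i], CHAT_BUF_LEN - 1);
        int n = render_display_text(shown, sizeof shown, "driver", inputs[i]);
        printf("input %zu: check=%s stored=%d bytes\n",
               i, ok ? "accept" : "reject", n);
    }
    return 0;
}
```

The check and the renderer are deliberately separate: the renderer alone removes both memory-safety defects, while the check turns the advisory's two proof-of-concept inputs into an explicit reject that a server or proxy operator can count and alert on.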