The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Race Driver Multiple Vulnerabilities (Broadcast Format String, Buffer-Overflow)
------------------------------------------------------------------------
SUMMARY
<http://www.codemasters.com> Race Driver is "a racing game that allows the
player to feel like a racing driver".
Lack of length and content checking allows attackers to trigger a format
string vulnerability and various buffer overflows inside the program, which
in turn can be used to make Race Driver execute arbitrary code.
DETAILS
Vulnerable Systems:
* Race Driver version 1.20
Race Driver uses the sprintf() function incorrectly when building various
text strings, usually the ones used to display data. There are at least two
places where this misuse of sprintf() can be exploited: the public chat
hosted on the encrypted IRC server peerchat.gamespy.com and the in-game
server browser.
The public chat is where Race Driver users wait for a free server to join.
Users join it automatically when they choose to play on the Internet from
the Network menu; it is a useless but mandatory stage. Besides messages to
the channel, the game also supports private messages (whispers), so an
attacker can target a specific user or everyone in the room.
The in-game server browser is where the online servers are displayed and
sorted using the information received in their replies.
The sprintf() usage is affected by two bugs: a format string vulnerability
and a buffer overflow triggered by text strings of 264 chars.
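The following C program is an added illustration, not code from the advisory or from the game: it shows the defective sprintf() pattern the advisory describes (kept as a comment so the file compiles cleanly) next to a bounded replacement that passes untrusted text through a fixed format, plus an input-side check a server or proxy could use to flag messages carrying conversion directives. The 256-byte buffer size, the "<nick> message" line layout and all function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed display buffer size (constructed for the example). The advisory
   reports that 264-char strings overflow the game's own buffer. */
#define LINE_BUF 256

/* Defective pattern described in the advisory (comment only, never compiled):
 *
 *     char line[LINE_BUF];
 *     sprintf(line, msg);            // msg is attacker text used AS the format
 *
 * Two defects: the untrusted text is interpreted as a format string (so "%n"
 * writes to memory), and sprintf() never bounds the write, so a long message
 * runs past the end of `line`. */

/* Hardened replacement: fixed format, untrusted text passed only as a %s
   argument, and the write bounded by snprintf(). Returns the number of bytes
   actually stored (excluding the terminating NUL). */
size_t format_chat_line(char *out, size_t out_len, const char *nick, const char *msg)
{
    if (out_len == 0)
        return 0;
    int wanted = snprintf(out, out_len, "<%s> %s", nick, msg);
    if (wanted < 0) {
        out[0] = '\0';
        return 0;
    }
    /* snprintf() reports how many bytes it wanted to write; clamp to what fit. */
    return (size_t)wanted < out_len ? (size_t)wanted : out_len - 1;
}

/* True when the line would not fit and format_chat_line() would truncate it.
   The 3 fixed bytes are '<', '>' and the space of the layout above. */
bool chat_line_truncated(const char *nick, const char *msg, size_t out_len)
{
    return 3 + strlen(nick) + strlen(msg) >= out_len;
}

/* Input-side check for a server or proxy: does the text contain a '%'
   followed by a printf conversion? "%%" is treated as a literal percent. */
bool contains_format_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {       /* escaped percent sign, skip both */
            p++;
            continue;
        }
        const char *q = p + 1;
        /* skip flags, width, precision and length modifiers */
        while (*q && strchr("-+ #0123456789.*hlLqjzt", *q))
            q++;
        if (*q && strchr("diouxXeEfFgGaAcspn", *q))
            return true;
    }
    return false;
}

/* Runs the two inputs named in the advisory through the hardened formatter.
   Returns 0 when both are handled safely, a nonzero step number otherwise. */
int run_demo(void)
{
    char line[LINE_BUF];

    /* Constructed input 1: the format-string probe from the advisory. With a
       fixed format it is stored as literal text and never interpreted. */
    format_chat_line(line, sizeof line, "alice", "%n%n%n");
    if (strcmp(line, "<alice> %n%n%n") != 0)
        return 1;

    /* Constructed input 2: a 264-char message, the overflow length reported
       by the advisory. It is truncated to the buffer instead of overflowing. */
    char longmsg[265];
    memset(longmsg, 'a', 264);
    longmsg[264] = '\0';
    size_t n = format_chat_line(line, sizeof line, "bob", longmsg);
    if (n != LINE_BUF - 1 || strlen(line) != LINE_BUF - 1)
        return 2;
    if (!chat_line_truncated("bob", longmsg, sizeof line))
        return 3;

    return 0;
}

int main(void)
{
    printf("demo result: %d (0 = both advisory inputs handled safely)\n", run_demo());
    printf("'%%n%%n%%n' flagged by input check: %s\n",
           contains_format_directive("%n%n%n") ? "yes" : "no");
    return 0;
}
```

The truncation reported by chat_line_truncated() is the defensive trade-off: a display routine should drop or cut an over-long line and log it rather than trust the sender, and the directive check is a cheap extra layer for the chat or server path, not a substitute for the fixed format.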
Proof of Concept:
To test the bugs through the chat, it is enough to use the game itself or an
IRC client with a Peerchat proxy. Example chat messages (or nicknames) that
trigger the bugs are the following:
%n%n%n
and
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaRETA
The raw names of the channels used by Race Driver are: #GPG!511 (the
main), #GPG!510, #GPG!508, #GPG!507, #GPG!506, #GPG!509, #GPG!513,
#GPG!512, #GPG!485, #GPG!486 and (for some milliseconds) #GSP!racedriver
To test the bugs through a malicious server, you only need to host a game
with the name %n%n%n.
ADDITIONAL INFORMATION
The information has been provided by <mailto:aluigi@autistici.org> Luigi Auriemma.
The original article can be found at:
<http://aluigi.altervista.org/adv/rdrum-adv.txt>
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.