Monday, October 22, 2007

[NT] Live for Speed Clients Buffer Overflow

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

Live for Speed Clients Buffer Overflow
------------------------------------------------------------------------


SUMMARY

Live for Speed (LFS) <http://www.lfs.net> is "one of the most known and
cool car racing simulators available and allows to do a lot of things:
races, autocross, drifting, drag races, demolition derby, knock out and
more".

A client-side buffer overflow in skin handling allows a remote attacker
(another client or the server) to execute malicious code on the vulnerable
system.

DETAILS

Vulnerable Systems:
* Live for Speed version 0.5X10

Live for Speed allows players to use different skins for their cars, either
the ones available by default or new skins in DDS format created by the
users themselves.

When a player, after having joined a server, decides to enter the track, a
packet with all the information about their car (setup, colours and skin)
is sent to the server, which forwards some of this data to all the other
connected clients.

The field that carries the name of the skin in use by the player is 16
bytes long. Each client reads it and concatenates it to the name of the car
in order to load the needed DDS file from the local skins folders. This
operation is performed without proper length checks, and the result is a
stack buffer overflow.

In short, any client that can join a server and race on it (not as a
spectator) is able to exploit this vulnerability to crash, or possibly to
execute malicious code on (the maximum number of allowed chars is 48), all
the other clients connected to the server, except itself.

Proof of Concept:
http://aluigi.org/poc/lfscbof.zip

Patch Availability:
No fix. The developers have not been contacted, since other buffer overflow
vulnerabilities that affect the clients locally still exist and have not
been patched yet.


ADDITIONAL INFORMATION

The information has been provided by Luigi Auriemma <aluigi@autistici.org>.
The original article can be found at:
http://aluigi.altervista.org/adv/lfscbof-adv.txt
