SECURITYVULNS:DOC:6321
Jun 09, 2004 - 12:00 a.m.

Various crashes and fun in Race Driver 1.20

2004-06-09 00:00:00
vulners.com

#######################################################################

                         Luigi Auriemma

Application: http://www.codemasters.com/tocaracedriver/
Versions: <= 1.20
Platforms: Windows
Bugs: various crashes and spoofed messages
Risk: medium
Exploitation: remote, versus server and attached clients
Date: 08 June 2004
Author: Luigi Auriemma
e-mail: [email protected]
web: http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction

Race Driver is a great and fun driving game developed by Codemasters
and released in March 2003.
The game is currently no longer supported, due to the release of Race
Driver 2 in April 2004.

#######################################################################

=======
2) Bugs

Important note: the attacker MUST have access to the server (so if the
server is protected by a password the attacker must know it), and the
bugs can be exploited ONLY while the server is in the lobby stage
(openplaying), which is the only moment when players can join.


A] Multi crash

If a server receives a message packet with a length identifier of 0,
it crashes immediately after dereferencing a NULL pointer.
All the attached clients crash too.


B] Server disconnection

A malformed packet can stop the remote match in a couple of seconds.


C] Spoofed messages

The communication protocol used by the game allows sending messages
to the server without actually being in the match, and with the other
players in the server appearing as their sources.
Each player is identified by an ID (for example, the admin always has
ID 0), and this value can be freely set in the message packet.

A message-flooding attack during the race is very annoying, and it
also consumes the server's bandwidth.
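The two server-side checks that would close bugs A and C, written as an added C example that is not part of the original advisory or of the game's code. The packet layout (1-byte type, 2-byte little-endian length, 1-byte sender ID, then payload) is assumed for illustration only, since the advisory does not document the real protocol; the point is to reject a zero length before any pointer is derived from it, and to take the sender ID from the session the server assigned rather than from the packet.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed illustrative layout; the real Race Driver packet format is not
 * documented in the advisory. */
#define HDR_LEN 4

enum verdict { MSG_OK = 0, MSG_TOO_SHORT, MSG_ZERO_LEN, MSG_BAD_LEN, MSG_SPOOFED_ID };

/* One connected player: the ID the server assigned when the client joined. */
struct session {
    uint8_t player_id;
};

/* Parsed message; text stays NULL unless the verdict is MSG_OK. */
struct message {
    uint8_t sender_id;
    const char *text;
    size_t text_len;
};

/* Validate a message packet received on a given session.
 * Bug A: a length identifier of 0 is rejected before any payload pointer
 *        is derived from it (the unpatched server ended up dereferencing NULL).
 * Bug C: the sender ID carried in the packet is client-controlled, so the
 *        server uses the ID bound to the session and refuses a mismatch. */
enum verdict handle_message(const struct session *s, const uint8_t *buf,
                            size_t buflen, struct message *out)
{
    out->text = NULL;
    out->text_len = 0;
    if (buflen < HDR_LEN) return MSG_TOO_SHORT;
    uint16_t len = (uint16_t)(buf[1] | (buf[2] << 8));
    if (len == 0) return MSG_ZERO_LEN;                      /* bug A */
    if ((size_t)len > buflen - HDR_LEN) return MSG_BAD_LEN; /* no over-read */
    uint8_t claimed = buf[3];
    if (claimed != s->player_id) return MSG_SPOOFED_ID;     /* bug C */
    out->sender_id = s->player_id;   /* trust the session, not the packet */
    out->text = (const char *)buf + HDR_LEN;
    out->text_len = len;
    return MSG_OK;
}
```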

#######################################################################

===========
3) The Code

http://aluigi.altervista.org/poc/rdboom.zip

#######################################################################

======
4) Fix

No fix.
Unfortunately the game is no longer supported.

#######################################################################


Luigi Auriemma
http://aluigi.altervista.org