Multiple vulnerabilities in rFactor 1.250
#######################################################################
Luigi Auriemma
Application: rFactor
http://www.rfactor.net
Versions: <= 1.250
Platforms: Windows
Bugs: A] buffer-overflow
B] "Connection lost" crash
C] crash/possible code execution
D] port 34397 blocked
Exploitation: remote, versus server
Date: 18 Aug 2007
Author: Luigi Auriemma
e-mail: aluigi@xxxxxxxxxxxxx
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
rFactor is a racing game deeply focused on simulation.
It's developed by Image Space Incorporated
(http://www.imagespaceinc.com) and has been released in August 2005.
#######################################################################
=======
2) Bugs
=======
The game server listens on 3 ports:
- UDP 34247 used for queries
- UDP 34347 used for game packets
- TCP 34447 used for login, messages, race and other informations
Anyway the last two ports are very similar not only because they use
the same game protocol but just because they seem to work with the same
functions too, in fact all the bugs below can be exploited versus both
with the possibility of spoofing the source IP address in case of the
UDP port.
Another important thing is that the vulnerabilities can be exploited
without joining the server, so no password or banning limitations.
------------------
A] buffer-overflow
------------------
This bug is not only the most dangerous of those I have found but it's
also the most interesting.
A buffer-overflow vulnerability is located in the function which
handles the packets with ID 0x80 or 0x88 but no return address is
overwritten, in fact the bug allows the modification of some buffers in
the server included the one containing its version.
For exploting the bug we need to query the server (UDP port 34297)
where will happen a second buffer-overflow caused by the creation of a
reply using the too long server's version set by the attacker.
This is the moment in which the return address will be overwritten.
--------------------------
B] "Connection lost" crash
--------------------------
A packet with ID 0x30 or 0x38 causes the crash of the server (read of
memory at offset 0x00000004) after the visualization of the error
message "Connection lost".
--------------------------------
C] crash/possible code execution
--------------------------------
Unfortunately I wasn't able to retrieve more details about this bug so
for the moment I prefer to classify it only as a Denial of Service.
Anyway through packets with ID 0x60 and 0x68 which contain data about
the player (like his nickname, his car and so on) is possible to
specify a 13 bit number (max 0x1ffb) which is used by the server to
copy this amount of bytes from the received packet into another buffer.
If this amount is too big we will crash the server due to the read
access to the unallocated memory after the packet, while if we use a
lower amount the server will close (crash silenty) without no warnings.
In my opinion this second effect could be caused by the overwriting of
the return address but in this moment I don't have proofs for
confirming it.
---------------------
D] port 34397 blocked
---------------------
Packets with ID 0x20 and 0x28 instead leads to a strange and unusual
effect on the server, in short after having received this packet its
UDP port 34397 seems to become blocked and so nobody can join and play
on the server.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/rfactox.zip
#######################################################################
======
4) Fix
======
The developers have said that will fix the bugs but there are no info
about the release date of the patch.
#######################################################################
---
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org