#######################################################################

Luigi Auriemma

Application:  netKar
              http://www.netkar-pro.com
Versions:     <= 1.1 (server 1.0.3)
              update: also version 1.2.0 is vulnerable
Platforms:    Windows
Bugs:         A] buffer-overflow
              B] NULL pointer
Exploitation: remote, versus server
Date:         13 Apr 2010
Author:       Luigi Auriemma
e-mail:       aluigi@autistici.org
web:          aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

netKar is an extreme driving simulation that also acts as the engine
for some promotional games like Marangoni Driving Simulator, Singtel
Race Simulator and Abarth 500.
It is also very popular online, where sponsored challenges are even
organized, like http://abarth.mtv.it

#######################################################################

=======
2) Bugs
=======

------------------
A] buffer-overflow
------------------

The server is affected by a stack-based buffer overflow that happens
while building the following string when a player joins: the
client-supplied fields are written into a fixed-size stack buffer with
no length check:

  sprintf(stack_buffer, "JOIN,%s,%d,%s,%s,%s,%s", username, racenumber, team, model, account, country);

---------------
B] NULL pointer
---------------

The server creates a new nkuser file in the "server/users/" folder when
a new player joins. The filename is composed of the account name sent
by the client plus the "nkuser" extension, and the file is created
automatically if it doesn't exist, as in the following code:

  fd = fopen(account_nkuser, "rt");
  if(!fd) {
      fd = fopen(account_nkuser, "wt");   /* return value never checked */
      fprintf(fd, "%s\n", account_name);
  }
  fclose(fd);

The problem is that the file descriptor returned by the creation of the
file is not checked, so the subsequent fprintf operation crashes the
server by dereferencing the NULL pointer.
Note that it is not possible to remove or bypass the appending of the
"nkuser" extension, so the directory traversal vulnerability cannot be
exploited.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/netkarbof.zip

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
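Since the advisory reports no vendor fix, the following is an added example (not netKar's code) of how the two patterns from section 2 look once hardened: the JOIN line is built with a bounded snprintf() that rejects oversize input, account names are restricted before they become filenames, and every fopen() result is checked before fprintf(). Function names and the 64-character limit are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Bounded replacement for the sprintf() in bug A. Returns 0 on success and
 * -1 when the fields would not fit in out_size bytes; the caller's buffer
 * is never written past its end. */
int build_join_line(char *out, size_t out_size, const char *username,
                    int racenumber, const char *team, const char *model,
                    const char *account, const char *country)
{
    int n = snprintf(out, out_size, "JOIN,%s,%d,%s,%s,%s,%s",
                     username, racenumber, team, model, account, country);
    if (n < 0 || (size_t)n >= out_size) {
        if (out_size) out[0] = '\0';      /* oversize join request: reject it */
        return -1;
    }
    return 0;
}

/* Account names become filenames under server/users/, so only allow a
 * conservative character set (the limit of 64 is an assumed policy value). */
int account_name_is_safe(const char *name)
{
    if (!name || !*name || strlen(name) > 64) return 0;
    for (const char *p = name; *p; p++)
        if (!isalnum((unsigned char)*p) && *p != '_' && *p != '-') return 0;
    return 1;
}

/* Hardened version of the nkuser creation in bug B: every fopen() result is
 * checked before use. Returns 0 if the file exists or was created, -1 on
 * failure (for example, a path whose directory does not exist). */
int ensure_user_file(const char *path, const char *account_name)
{
    FILE *fd = fopen(path, "rt");
    if (fd) {
        fclose(fd);                       /* already present, nothing to do */
        return 0;
    }
    fd = fopen(path, "wt");
    if (!fd)                              /* the check the original code lacks */
        return -1;
    int rc = (fprintf(fd, "%s\n", account_name) < 0) ? -1 : 0;
    if (fclose(fd) != 0)
        rc = -1;
    return rc;
}
```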