####################################################################### Luigi Auriemma Application: rFactor http://www.rfactor.net Versions: <= 1.250 Platforms: Windows Bugs: A] buffer-overflow B] "Connection lost" crash C] crash/possible code execution D] port 34397 blocked Exploitation: remote, versus server Date: 18 Aug 2007 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== rFactor is a racing game deeply focused on simulation. It's developed by Image Space Incorporated (http://www.imagespaceinc.com) and has been released in August 2005. ####################################################################### ======= 2) Bugs ======= The game server listens on 3 ports: - UDP 34247 used for queries - UDP 34347 used for game packets - TCP 34447 used for login, messages, race and other informations Anyway the last two ports are very similar not only because they use the same game protocol but just because they seem to work with the same functions too, in fact all the bugs below can be exploited versus both with the possibility of spoofing the source IP address in case of the UDP port. Another important thing is that the vulnerabilities can be exploited without joining the server, so no password or banning limitations. ------------------ A] buffer-overflow ------------------ This bug is not only the most dangerous of those I have found but it's also the most interesting. A buffer-overflow vulnerability is located in the function which handles the packets with ID 0x80 or 0x88 but no return address is overwritten, in fact the bug allows the modification of some buffers in the server included the one containing its version. For exploting the bug we need to query the server (UDP port 34297) where will happen a second buffer-overflow caused by the creation of a reply using the too long server's version set by the attacker. This is the moment in which the return address will be overwritten. -------------------------- B] "Connection lost" crash -------------------------- A packet with ID 0x30 or 0x38 causes the crash of the server (read of memory at offset 0x00000004) after the visualization of the error message "Connection lost". -------------------------------- C] crash/possible code execution -------------------------------- Unfortunately I wasn't able to retrieve more details about this bug so for the moment I prefer to classify it only as a Denial of Service. Anyway through packets with ID 0x60 and 0x68 which contain data about the player (like his nickname, his car and so on) is possible to specify a 13 bit number (max 0x1ffb) which is used by the server to copy this amount of bytes from the received packet into another buffer. If this amount is too big we will crash the server due to the read access to the unallocated memory after the packet, while if we use a lower amount the server will close (crash silenty) without no warnings. In my opinion this second effect could be caused by the overwriting of the return address but in this moment I don't have proofs for confirming it. --------------------- D] port 34397 blocked --------------------- Packets with ID 0x20 and 0x28 instead leads to a strange and unusual effect on the server, in short after having received this packet its UDP port 34397 seems to become blocked and so nobody can join and play on the server. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/rfactorx.zip ####################################################################### ====== 4) Fix ====== The developers have said that will fix the bugs but there are no info about the release date of the patch. UPDATE 25 Sep 2007 patch 1.255 available (anyway seems to be classified as not official) #######################################################################