#######################################################################

                             Luigi Auriemma

Application:  TrackMania Nations Forever
              TrackMania United Forever
              http://www.trackmania.com
              http://www.tm-forum.com/viewtopic.php?f=28&t=14203
              (it's possible that other old games like Sunrise and
              Original are also vulnerable, but they have not been tested)
Versions:     dedicated server <= v2009-08-01
              game (which acts as client and server) <= 2.11.11
              game (beta) <= 2.11.19
Platforms:    Windows and Linux
Bugs:         A] unbannable clients
              B] bell bug (unfiltered chars)
Exploitation: remote, versus server (in-game)
Date:         07 Aug 2009
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


TrackMania is a great series of racing games developed by Nadeo
(http://www.nadeo.com) with incredible tracks and a particular gameplay.
The series is very popular thanks to the release of the free full game
TrackMania Nations and to the completely multiplayer-oriented nature of
the games.


#######################################################################

=======
2) Bugs
=======


---------------------
A] unbannable clients
---------------------

If a client uses an empty nickname (0 bytes long), the server
automatically bans him with the reason "internal checks failed for ''";
this is probably a security measure to avoid some problems caused by
such null names.

The check is performed simply on the length of the string specified by
the client, which is composed of a 32-bit number containing the size of
the string followed by the sequence of chars. It's enough to specify a
"string size" greater than zero with a string containing zeroes (or at
least a NUL as its first byte) to bypass the check used on the server:
the declared size is not zero, so the check passes, even though the
name itself carries no usable characters.
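The following is an added example and is not the advisory's own PoC (that is the tmbellban.zip linked in section 3) nor Nadeo's server code: it models the nickname field exactly as described above, a 32-bit size followed by the chars, and contrasts the size-only check with one that validates the bytes inside the declared size. The little-endian byte order, the C-string style handling of the name after the check, the error strings and the 255-byte cap are all assumptions made for the demonstration.

```python
from __future__ import annotations

import struct

MAX_NICK_LEN = 255  # assumption: reuses the 255-byte console limit mentioned for bug B


def encode_nick(payload: bytes, declared_len: int | None = None) -> bytes:
    """Build the wire field: u32 string size followed by the chars.

    declared_len lets a malicious client claim a size that differs from the
    real payload. Little-endian is an assumption; the advisory only says
    "a 32 bit number".
    """
    if declared_len is None:
        declared_len = len(payload)
    return struct.pack("<I", declared_len) + payload


def decode_nick(field: bytes) -> bytes:
    """Return the declared-size slice, refusing fields shorter than they claim."""
    if len(field) < 4:
        raise ValueError("field too short for the 32-bit size")
    (size,) = struct.unpack_from("<I", field, 0)
    if len(field) < 4 + size:
        raise ValueError("declared size exceeds the data actually sent")
    return field[4:4 + size]


def vulnerable_check(field: bytes) -> tuple[bool, bytes]:
    """Emulate the check described in the advisory: only the size is tested.

    Returns (accepted, name_as_seen_by_later_code). Later code is modelled
    as C-string handling (stop at the first NUL); that is an assumption which
    explains why a name made of NULs passes the check yet ends up empty.
    """
    raw = decode_nick(field)
    if len(raw) == 0:
        return False, b"internal checks failed for ''"
    return True, raw.split(b"\x00", 1)[0]


def hardened_check(field: bytes) -> tuple[bool, bytes]:
    """Validate the bytes, not just the size.

    Empty, NUL-containing and oversized names are refused before any
    later code can see a name that differs from what was checked.
    """
    raw = decode_nick(field)
    if not raw:
        return False, b"empty nickname"
    if len(raw) > MAX_NICK_LEN:
        return False, b"nickname too long"
    if b"\x00" in raw:
        return False, b"NUL byte inside nickname"
    return True, raw


if __name__ == "__main__":
    # Constructed sample fields: an honest name, the banned empty name,
    # and the bypass (size 4, payload of NULs).
    samples = {
        "honest": encode_nick(b"Player"),
        "empty": encode_nick(b""),
        "bypass": encode_nick(b"\x00\x00\x00\x00"),
    }
    for label, field in samples.items():
        print(f"{label:7s} vulnerable={vulnerable_check(field)} "
              f"hardened={hardened_check(field)}")
```

Run it and the "bypass" line shows the vulnerable check accepting the field while the name it hands on is `b''`, the same empty name the ban was meant to keep out; the hardened check rejects it at the NUL byte.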
The effects for the client are very interesting:

- anonymous, the IP is not visible and not logged
- unkickable, cannot be kicked
- unbannable, cannot be banned
- unvotable, cannot be voted by other players for any of the above
  operations

So a user with such a malformed nickname has all the advantages listed
above (for example being anonymous during an attack against a vulnerable
server, or avoiding being tracked by the ban of a non-vulnerable one),
but it's not possible to use this bug to bypass a pre-existing ban.


------------------------------
B] bell bug (unfiltered chars)
------------------------------

The output displayed on the console of the dedicated server is not
filtered, so the nickname supplied by the client is shown as is, the
only limitation being its maximum size of 255 bytes.

Although not very effective, this allows some harmless or annoying
effects like:

- bell bug: a nickname composed of bell chars (byte 0x07) can
  temporarily freeze the system; anyway it seems that only the system
  is slowed down while the server continues to work almost normally
  (the test was made quickly with a short malformed nickname). Only the
  Windows server has this problem
- possible corruption of the output in the console, where a user could
  add fake parts to the logs... something completely harmless and
  useless

Note that the XML-RPC protocol used by the server filters the < and >
chars (showing their encoded versions &lt; and &gt;), so it's not
possible to corrupt the XML syntax seen by the remote administrators,
but in my tests a problem has been verified with Servermania (0.98),
the most used XML-RPC client for controlling TrackMania servers
remotely: it's not able to handle the invalid chars inside the XML
stream (like 0x01 or 0x07 and so on), causing its immediate
disconnection from the server.
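As an added example (not code from the advisory, from Nadeo or from Servermania), the following shows the two output paths bug B touches and a filter for each: control bytes such as 0x07 are escaped before a nickname reaches a console line, and characters that XML 1.0 does not allow in content (0x01, 0x07 and the rest of the C0 range except tab, LF and CR) are replaced before the name is embedded in an XML stream. A strict XML parser stands in for an XML-RPC client that drops the connection on a malformed stream; the sample nickname, the log-line format and the use of U+FFFD as the replacement are constructed for the demonstration.

```python
import html
import re
import unicodedata
import xml.etree.ElementTree as ET

# Everything outside the XML 1.0 Char production. A stream containing such a
# character is not well-formed, which is what a strict client chokes on.
_XML10_INVALID = re.compile(
    r"[^\x09\x0A\x0D\x20-\uD7FF\uE000-\uFFFD\U00010000-\U0010FFFF]"
)


def console_safe(nick: bytes) -> str:
    """Render a nickname for a terminal or log file.

    Every Unicode control character (category Cc, which covers the 0x07
    bell and the other C0/C1 bytes) is shown as \\xNN so the terminal
    never interprets it.
    """
    text = nick.decode("utf-8", errors="replace")
    return "".join(
        f"\\x{ord(c):02x}" if unicodedata.category(c) == "Cc" else c
        for c in text
    )


def xml_safe(nick: bytes) -> str:
    """Make a nickname safe to embed as XML text.

    Characters XML 1.0 forbids are replaced with U+FFFD (an assumption;
    dropping them would also do), then &, < and > are entity-encoded.
    """
    text = nick.decode("utf-8", errors="replace")
    text = _XML10_INVALID.sub("\ufffd", text)
    return html.escape(text, quote=False)


def xml_client_accepts(fragment: str) -> bool:
    """Stand-in for a strict XML-RPC client: True only if the fragment parses."""
    try:
        ET.fromstring(fragment)
        return True
    except ET.ParseError:
        return False


def log_line(nick: bytes) -> str:
    """Constructed console line for a joining player, with the name escaped."""
    return f"player joined: {console_safe(nick)}"


if __name__ == "__main__":
    bell_nick = b"\x07" * 8 + b"Bob"  # constructed sample, 8 bell bytes then a name
    print(log_line(bell_nick))
    raw_fragment = "<nick>" + bell_nick.decode("utf-8") + "</nick>"
    print("raw fragment accepted by a strict parser:", xml_client_accepts(raw_fragment))
    safe_fragment = "<nick>" + xml_safe(bell_nick) + "</nick>"
    print("sanitized fragment accepted:", xml_client_accepts(safe_fragment))
```

Escaping only `<` and `>`, as the page reports the server does, is not enough for the XML path: the raw fragment built from the bell nickname is rejected by the parser, while the sanitized one is accepted, which is the difference between a client that stays connected and one that disconnects.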
#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/tmbellban.zip


#######################################################################

======
4) Fix
======


No fix.


#######################################################################