#######################################################################

                             Luigi Auriemma

Applications: games developed by SimBin Development Team
              http://www.simbin.se
Versions:     GTR - FIA GT Racing Game <= 1.5.0.0
              http://www.gtr-game.com
              GT Legends <= 1.1.0.0
              http://www.gt-legends.com
              GTR 2 <= 1.1
              http://www.gtr-game.com
              RACE - The WTCC Game <= 1.0 (0.6.3.0?)
              http://www.race-game.org
Platforms:    Windows
Bug:          clients disconnection
Exploitation: remote, versus clients
Date:         21 Feb 2007
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

SimBin is a well known software house specialized in developing racing
games devoted to realistic simulation. All their games are very recent:
GTR was released in November 2004, while Race WTCC came exactly two
years later.

#######################################################################

======
2) Bug
======

The problem is very simple: a UDP packet of zero bytes (an empty
datagram) sent to the main port of the server (usually 48942 for Race
WTCC and 34297 for the other games) forces the disconnection of all the
clients connected to it.

The attacker needs to send only one packet (source spoofing is
possible, since the protocol is UDP) and the clients in the game are
immediately kicked with the message "Lost connection with the Host".
They can then re-join, but can be kicked again in the same way.
#######################################################################

===========
3) The Code
===========

- get udpsz from here:
  http://aluigi.org/testz/udpsz.zip

- launch it versus the server:

    udpsz SERVER 34297 0      for GTR, GTR2 and GT Legends
    udpsz SERVER 48942 0      for Race WTCC

- check what happened to the clients connected to it

#######################################################################

======
4) Fix
======

No fix.
No reply received from the developers.

#######################################################################