#######################################################################

Luigi Auriemma

Application:  TrackMania Nations Forever
              TrackMania United Forever
              http://www.trackmania.com
              http://www.tm-forum.com/viewtopic.php?f=28&t=14203
              (it's possible that other old games like Sunrise and
              Original are also vulnerable, but they have not been tested)
Versions:     dedicated server <= v2009-05-25
              game (which acts as both client and server) <= 2.11.11
              game (beta) <= 2.11.19
Platforms:    Windows and Linux
Bugs:         A] server freeze caused by partial content
              B] Corrupted ReadString termination
              C] ReadString heap overflow
Exploitation: remote, versus server
Date:         27 Jul 2009
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

TrackMania is a great series of racing games developed by Nadeo
(http://www.nadeo.com) with incredible tracks and a particular gameplay.
The series is very popular due to the release of the free full game
TrackMania Nations and to the completely multiplayer-oriented nature of
the games.

#######################################################################

=======
2) Bugs
=======

------------------------------------------
A] server freeze caused by partial content
------------------------------------------

The in-game packets used in TrackMania are composed of various blocks of
data compressed with LZO.
The problem is that the function which parses the data blocks consists
of a loop which terminates only when it finds the final 0xff marker at
the end of the complete block (in the exact format expected by the
server), so if an attacker doesn't send this delimiter, or sends a
partial data block, the server remains frozen with the CPU at 100%.

-----------------------------------
B] Corrupted ReadString termination
-----------------------------------

The in-game packets use various string fields composed of a 32 bit
number which specifies the size of the string which follows it.
The ReadString function used in the server reads this 32 bit number and
tries to allocate that amount of memory plus an additional 1 and 4 bytes,
and then copies the string.
If the number obtained by this sum is greater than 0xffffffec (-20), or
the requested memory can't be allocated because it's too big, the game
raises an exception and the server terminates immediately (INT3).
Although strings with this particular format are also used in other
pre-join packets, the bugged ReadString function seems to be used only
for the in-game ones.

---------------------------
C] ReadString heap overflow
---------------------------

As said before, ReadString adds 5 to the number of bytes specified in
the string field, so if the attacker uses a number between -5
(0xfffffffb) and -1 (0xffffffff) he can bypass the 0xffffffec check and
that small amount of memory (between 0 and 4 bytes) will be allocated.
When the server performs the copying of the string it will try to copy
the original huge amount of bytes into the new small buffer.
Anyway, in my tests it wasn't possible to gain control of the registers
for executing code (although I can't exclude it at all).

All the bugs are exploitable in-game but I can't exclude the possibility
of other pre-join ways, so if the server is protected by password the
attacker needs to know the keyword.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/tm4never.zip

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
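As an added illustration of bugs B and C (this is not code from the advisory or from the game), the C below puts the wrapping "+1+4" size arithmetic next to a hardened length-prefixed string read that rejects the wrapping range and any length larger than the bytes still present in the packet. The packet layout, the little-endian length prefix and the reader_t type are assumptions made for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* The flawed size computation from bugs B and C: the 32-bit declared
 * length plus 1 plus 4, evaluated in 32-bit arithmetic. For declared
 * lengths 0xfffffffb..0xffffffff the sum wraps to 0..4, which is why the
 * 0xffffffec check does not catch them and a tiny buffer gets allocated. */
uint32_t unsafe_alloc_size(uint32_t declared_len)
{
    return declared_len + 1 + 4;
}

/* Cursor over one packet buffer (hypothetical, not the game's own type). */
typedef struct {
    const uint8_t *data;
    size_t len;   /* total bytes in the packet */
    size_t pos;   /* read offset, always <= len */
} reader_t;

/* Hardened length-prefixed string read. Assumes a little-endian 32-bit
 * length prefix. Returns a freshly malloc'd NUL-terminated copy, or NULL
 * when the field is truncated, the length exceeds the bytes actually
 * present, or the original "+5" arithmetic would have wrapped. */
char *read_string_checked(reader_t *r)
{
    if (r->len - r->pos < 4)
        return NULL;                        /* no room for the length */
    const uint8_t *p = r->data + r->pos;
    uint32_t declared = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                        ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    r->pos += 4;

    /* Root-cause check: reject lengths whose +5 would wrap in 32 bits. */
    if (declared > UINT32_MAX - 5)
        return NULL;
    /* Sufficient on its own: the string cannot be longer than the payload
     * still unread, so a declared 0xffffffff can never pass here. */
    if (declared > r->len - r->pos)
        return NULL;

    char *s = malloc((size_t)declared + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, r->data + r->pos, declared);
    s[declared] = '\0';
    r->pos += declared;
    return s;
}
```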