#######################################################################

                             Luigi Auriemma

Application:  TrackMania Nations Forever
              TrackMania United Forever
              http://www.trackmania.com
              (it's possible that other old games like Sunrise and
              Original are also vulnerable, but they have not been tested)
Versions:     <= 2.11.11 (and beta 2.11.19)
Platforms:    Windows
Bug:          termination due to unallocable memory
Exploitation: remote, versus clients (in-game from another client)
Date:         04 Aug 2009
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

TrackMania is a great series of racing games developed by Nadeo
(http://www.nadeo.com) with incredible tracks and a particular gameplay.
The series is very popular due to the release of the free full game
TrackMania Nations and to the completely multiplayer-oriented nature of
the games.

#######################################################################

======
2) Bug
======

TrackMania uses the HTTP protocol for various things, like communicating
with the centralized server (ad_init.php) and letting the clients
download third-party resources (skins, tracks and so on).

If, in reply to a GET request, the HTTP server returns a Content-Length
value too big for that amount of memory to be allocated, the client
terminates immediately with a "ProgramMemoryDepletion catched:" error.

The only way I have found to exploit this vulnerability is through a
particular feature of the game called "locators", used by the clients
(I'm not aware of ways to force the server to use the HTTP protocol).
In practice a player can customize the skin of their own car and even
modify its 3D model, and all these custom skins are automatically
exchanged between all the players inside the server in which they play,
in two ways and in the following order:

- URL locators
- peer2peer protocol

The URL locators are used first and are just HTTP URLs sent by the
clients which specify a website from which the skins they use can be
downloaded, without wasting the bandwidth and the resources of the game
with the peer2peer protocol.

So if an attacker joins a server specifying a locator (a file with an
additional LOC extension in the same folder as his skin), all the other
clients will automatically connect to the provided URL to download the
new skin and will terminate immediately due to the "Content-Length" bug
explained before.

The usage of locators and the download of skins are enabled by default,
and it's also a widely used feature due to the particular nature of the
game, where the painting of the vehicles and their customization is
almost a necessary step (and the website http://www.trackmania-carpark.com
confirms this tendency).
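As an added example that is not part of this advisory or of Nadeo's code, the following C shows the check a resource downloader should perform before sizing a buffer from Content-Length: the unchecked pattern passes any value straight to the allocator, while the hardened version rejects missing, malformed or overflowing headers and refuses anything above a cap. The 16 MiB cap and the constructed HTTP responses are assumptions, not values taken from the game.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Assumed cap for a downloaded skin (16 MiB); not a value from the game. */
#define MAX_RESOURCE_BYTES (16UL * 1024 * 1024)

/* Unsafe pattern: trust Content-Length and size the buffer from it. */
long unchecked_content_length(const char *hdr)
{
    const char *p = strstr(hdr, "Content-Length:");
    return p ? atol(p + 15) : -1;
}

/* Hardened check: returns the body length, or -1 if the header is missing,
 * malformed, overflows, or exceeds MAX_RESOURCE_BYTES. Allocate only after
 * this returns a non-negative value. */
long safe_content_length(const char *hdr)
{
    const char *p = hdr;
    while ((p = strchr(p, '\n')) != NULL) {
        p++;                                    /* next header line */
        if (strncasecmp(p, "Content-Length:", 15) != 0)
            continue;
        p += 15;
        while (*p == ' ' || *p == '\t') p++;
        if (*p < '0' || *p > '9') return -1;    /* empty or signed value */
        char *end;
        errno = 0;
        unsigned long long v = strtoull(p, &end, 10);
        if (errno == ERANGE) return -1;         /* does not fit: refuse */
        if (*end != '\r' && *end != '\n' && *end != '\0') return -1;
        if (v > MAX_RESOURCE_BYTES) return -1;  /* bigger than any skin */
        return (long)v;
    }
    return -1;
}

int main(void)
{
    /* Constructed responses: a sane one and one claiming a 4 GiB body. */
    const char *ok  = "HTTP/1.1 200 OK\r\nContent-Length: 1234\r\n\r\n";
    const char *bad = "HTTP/1.1 200 OK\r\nContent-Length: 4294967295\r\n\r\n";
    printf("unchecked: %ld vs %ld\n", unchecked_content_length(ok),
           unchecked_content_length(bad));      /* bogus value passes through */
    printf("safe:      %ld vs %ld\n", safe_content_length(ok),
           safe_content_length(bad));           /* 1234 vs -1 */
    return 0;
}
```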
#######################################################################

===========
3) The Code
===========

http://aluigi.org/testz/onlywebs.zip
http://aluigi.org/poc/tmlocdos.zip

- copy tmlocdos_skin.zip and tmlocdos_skin.zip.loc in the folder
  %USERPROFILE%/My Documents/Trackmania/Skins/Vehicles/StadiumCar
- edit tmlocdos_skin.zip.loc substituting the example URL in it with a
  valid one; for example, if the test is performed in a LAN it's enough
  to substitute SERVER with 192.168.0.1 or any other IP address assigned
  to your own machine, which will be contacted by the other players
- launch the onlywebs tool with the following command:
    onlywebs.exe -x tmlocdos.dat
- launch the game, go into the Profile and select tmlocdos_skin as the
  skin of your own vehicle
- join the server; after some seconds all the clients which have tried to
  download the skin from the provided locator (where onlywebs is running
  and displaying all their connections) will start to disconnect
  automatically (terminated)

#######################################################################

======
4) Fix
======

No fix.
A work-around is disabling the "Enable locators" switch in the
"Advanced Settings->PeerToPeer" section of the launcher's configuration.

#######################################################################