#######################################################################
Luigi Auriemma
Application: Live for Speed
http://www.lfs.net
Versions: <= 0.5X10
Platforms: Windows
Bugs:         A] nickname buffer-overflow
              B] partial track buffer-overflow
              C] NULL pointer access in internet/hidden S1/S2 servers
              D] memcpy() NULL pointer in internet/hidden S1/S2 servers
Exploitation: remote, versus server
              A] demo/S1/S2 in-game
              B] demo/S1/S2 in-game
              C] S1/S2 (internet/hidden)
              D] S1/S2 (internet/hidden)
Date: 14 Aug 2007
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
1) Introduction

Live for Speed (LFS) is one of the best known and most enjoyable car
racing simulators around, since it lets you do a lot of things: races,
autocross, drifting, drag races and even parking.
#######################################################################
2) Bugs

A] nickname buffer-overflow

A buffer-overflow vulnerability is located in the portion of code which
handles the client's nickname from the packets with ID 3.
This packet must contain the following NULL-terminated strings:

  24 bytes for the nickname
  8 bytes for the car's plate
  16 bytes for other data
  16 bytes for the helmet

Exploiting the bug only requires a nickname longer than its allotted
size, so that it overwrites the fields which follow it in the packet.
B] partial track buffer-overflow

Another buffer-overflow is exploitable through the packets with ID 10,
but this time it doesn't seem possible to use it for executing remote
code, because the return address gets overwritten by a fixed string of
the server.
In short, when the user requests a track which is not available on the
host, the server calls:

  sprintf(buff, "%s is not enabled on this host", client_track);

using a destination buffer big enough to avoid control of the return
address but not big enough to avoid a crash.
C] NULL pointer access in internet/hidden S1/S2 servers

The S1 and S2 servers which run in internet mode (so visible on the
master server) or hidden mode are vulnerable to a crash caused by the
access to a NULL pointer.
The problem is exploitable through a packet containing a byte 0x00 at
data offset 23 of the pre-login packet with ID 3.
Demo and LAN servers are not vulnerable.
D] memcpy() NULL pointer in internet/hidden S1/S2 servers

The S1 and S2 servers which run in internet mode (so visible on the
master server) or hidden mode are vulnerable to a crash caused by a
call to memcpy() with a NULL source (in reality it's NULL + 12).
The problem seems to be caused by the absence of one or more required
strings in the pre-login packet with ID 5.
Demo and LAN servers are not vulnerable.
In summary:
Bugs A and B are in-game, so the attacker must have access to the
server, i.e. know its password if it's protected and not be banned.
Bugs C and D instead work against any server except demo and LAN
servers and are not in-game, so any attacker can crash any server,
password-protected ones too.
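The following C program is an added example and is not the LFS server's code (the server is closed source and none of its internals are on this page). It shows the defensive handling a server would apply to the four fixed-width strings of the ID 3 packet described under bug A, and a bounded replacement for the sprintf() call behind bug B. Rejecting an absent string at parse time also removes the NULL pointer that bug D describes from later memcpy() callers; the exact root cause of bug C is not explained in the advisory, so the example makes no claim about it beyond refusing malformed input. The struct, function names and sample payloads are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Field widths of the ID 3 login packet as the advisory lists them. The
 * struct, function and sample names are hypothetical: the real server's
 * internals are closed source and not described on this page. */
#define NICK_LEN   24
#define PLATE_LEN   8
#define OTHER_LEN  16
#define HELMET_LEN 16
#define LOGIN_PAYLOAD_LEN (NICK_LEN + PLATE_LEN + OTHER_LEN + HELMET_LEN)

struct login_fields { char nick[NICK_LEN], plate[PLATE_LEN], other[OTHER_LEN], helmet[HELMET_LEN]; };

/* Copy one fixed-width string out of the payload. The NUL is searched for
 * only inside the field's own slot, so an over-long nickname can never spill
 * into the fields behind it (bug A), and an empty field is refused so later
 * code never holds a pointer for a string that was never sent (bug D).
 * Returns 0 on success, -1 if the field is truncated, unterminated or empty. */
static int take_field(char *dst, size_t width, const uint8_t *src, size_t avail)
{
    if (avail < width) return -1;                 /* packet too short */
    const uint8_t *nul = memchr(src, 0, width);
    if (nul == NULL || nul == src) return -1;     /* unterminated or empty */
    memcpy(dst, src, (size_t)(nul - src) + 1);    /* <= width, includes NUL */
    return 0;
}

/* Parse the four strings of an ID 3 payload into fixed buffers.
 * Returns 0 on success, -1 if any field fails validation. */
int parse_login_fields(struct login_fields *out, const uint8_t *payload, size_t len)
{
    char *dst[4] = { out->nick, out->plate, out->other, out->helmet };
    const size_t width[4] = { NICK_LEN, PLATE_LEN, OTHER_LEN, HELMET_LEN };
    size_t off = 0;
    memset(out, 0, sizeof *out);
    /* off never exceeds len: each step only advances after avail >= width. */
    for (int i = 0; i < 4; i++) {
        if (take_field(dst[i], width[i], payload + off, len - off) != 0) return -1;
        off += width[i];
    }
    return 0;
}

/* Bounded replacement for the sprintf() behind bug B: the message is refused
 * instead of being written past the end of 'out'. Returns the message length,
 * or -1 if it would not fit. */
int format_track_missing(char *out, size_t outsz, const char *track)
{
    int n = snprintf(out, outsz, "%s is not enabled on this host", track);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz) out[0] = '\0';
        return -1;
    }
    return n;
}

/* Constructed sample payload (not captured traffic). The nickname is written
 * raw, without forcing a terminator, so a 24+ byte name models bug A. */
static void build_sample(uint8_t *p, const char *nick)
{
    size_t n = strlen(nick) > NICK_LEN ? NICK_LEN : strlen(nick);
    memset(p, 0, LOGIN_PAYLOAD_LEN);
    memcpy(p, nick, n);
    memcpy(p + NICK_LEN, "PLATE1", 7);
    memcpy(p + NICK_LEN + PLATE_LEN, "misc", 5);
    memcpy(p + NICK_LEN + PLATE_LEN + OTHER_LEN, "helmet1", 8);
}

/* Each check returns 1 when the hardened code behaves as intended. */
int check_normal_packet_accepted(void)
{
    uint8_t p[LOGIN_PAYLOAD_LEN]; struct login_fields f;
    build_sample(p, "racer");
    return parse_login_fields(&f, p, sizeof p) == 0 && strcmp(f.nick, "racer") == 0
        && strcmp(f.plate, "PLATE1") == 0 && strcmp(f.helmet, "helmet1") == 0;
}
int check_long_nick_rejected(void)
{
    uint8_t p[LOGIN_PAYLOAD_LEN]; struct login_fields f;
    build_sample(p, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");  /* 32 bytes: slot has no NUL */
    return parse_login_fields(&f, p, sizeof p) == -1;
}
int check_missing_field_rejected(void)
{
    uint8_t p[LOGIN_PAYLOAD_LEN]; struct login_fields f;
    build_sample(p, "racer");
    p[NICK_LEN + PLATE_LEN + OTHER_LEN] = '\0';             /* helmet string absent */
    return parse_login_fields(&f, p, sizeof p) == -1 && parse_login_fields(&f, p, 30) == -1;
}
int check_track_message_bounded(void)
{
    char buf[48], long_track[200];
    memset(long_track, 'X', sizeof long_track - 1);
    long_track[sizeof long_track - 1] = '\0';
    return format_track_missing(buf, sizeof buf, "TRACK_A") == 35
        && format_track_missing(buf, sizeof buf, long_track) == -1 && buf[0] == '\0';
}

int main(void)
{
    printf("%d %d %d %d\n", check_normal_packet_accepted(), check_long_nick_rejected(),
           check_missing_field_rejected(), check_track_message_bounded());
    return 0;
}
```

The design point is that every string is read through its own fixed slot rather than by walking for a terminator: a client that omits the terminator cannot push the copy into the next field, a client that omits the string is rejected before any pointer to it is dereferenced, and the error message is formatted with an explicit size so the "big enough to avoid RCE, not big enough to avoid a crash" situation of bug B does not arise.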
#######################################################################
3) The Code

With the following tool, bugs A and B can be tested (only against the
demo server):

  http://aluigi.org/fakep/lfsfp.zip
#######################################################################
4) Fix

The only thing that the developers have been able to tell me is that
the bugs will be fixed in Patch Y (yes, I have asked for a release date
but they don't know it)… that's really stupid since a quick fix was
the best choice, moreover considering the auto-patching system of the
game.
#######################################################################
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/