Denial of Service in Ratbag's game engine

• Previous message: Eric McCarty: "RE: Another Low Blow From Microsoft: MBSA Failure!"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Wed, 11 Feb 2004 22:07:09 +0000
To: bugtraq@securityfocus.com

#######################################################################

                             Luigi Auriemma

Application: Game engine and games developed by Ratbag
              http://www.ratbaggames.com
Games/Ver: - Dirt Track Racing <= 1.03
              - Dirt Track Racing Australia
              - Leadfoot
              - Dirt Track Racing Sprint Cars <= 1.01
              - Dirt Track Racing 2
              - World of Outlaws Sprint Cars
Platforms: Windows
Bug: CPU at 100%, match freezed
Risk: medium/high
Exploitation: remote, versus server
Date: 11 Feb 2004
Author: Luigi Auriemma
              e-mail: aluigi@altervista.org
              web: http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Ratbag is a software house enough famous in the gaming scene for its
racing games based on "dirty" racing sports.
Just its most famous game Dirt Track Racing in fact has winned some
awards in the past.

#######################################################################

======
2) Bug
======

The bug is a freezing of the server (CPU up to 100%) caused by the
value identifying the length of the data.
This value is the first 16 bit number that is located at the beginning
of each data block, it is read by the server to know how many bytes
must be read and to calculate the amount of remaining data to receive
from the socket to complete the data block.

The problem is located just in the management of the sockets in fact
the Ratbag engine uses TCP connections on non-blocked sockets so
everytime that there are remaining bytes to read the game will do an
infinite check on the socket to know if are arrived new data.

So for example if an attacker uses the value 3 but sends only 2 bytes,
the remaining byte will cause the infinite loop because naturally he
will stay connected and will never send this last byte.

#######################################################################

===========
3) The Code
===========

   http://aluigi.altervista.org/poc/ratbagcpu.zip

#######################################################################

======
4) Fix
======

No fix.
No reply to my signalations.

#######################################################################

---
Luigi Auriemma
http://aluigi.altervista.org

• Previous message: Eric McCarty: "RE: Another Low Blow From Microsoft: MBSA Failure!"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]