Live for Speed patch x s1/s2/demo local exploit's

n00b · **Joined:** 14 Aug 2007 13:32 **Posts:** 71

Well i best start to post these in the right section sorry guy's.This is a touchy subject for me as i actually brought the game.I know luigi had looking into this game a while ago,And decided i would take a little look.I tried reveres engineering the software and came up with nothing,So i turned my attention's to taking a look at the replay file's and uncovered a few exploit's with in lfs2.Ill post them here incase any one want's to take a look.I will just post the link to milw0rm it save's zipping them up.

mpr buffer over flow.
=============
http://www.milw0rm.com/exploits/4252

spr buffer over flow.
=============
http://www.milw0rm.com/exploits/4263

ply buffer over flow.
=============
http://www.milw0rm.com/exploits/4262

Still not patched..!!Also looking forward to reading luigi advisory on the bug's he found when they get made public.

aluigi · **Posted:** 14 Aug 2007 15:02

I think, but I'm not yet sure, I will release the LFS advisory and other two about another game and a library just today.
The developers have no longer recontacted me and seems that someone is already exploiting some bugs remotely in LFS as I have read on the LFS forum... the problem is that only I and the developers are aware of the details and the PoC of the bugs found by me so this is really strange.

n00b · **Joined:** 14 Aug 2007 13:32 **Posts:** 71

Lol luigi i noticed m8 i saw the post's on the forum's :D.It didn't take long did it for some one to recreate the bug.People are getting there server's hacked left right and center.Been a bad week or month even for the lfs2 developer's but all they need to do is use safer coding standard's.But i think they rushed the code.They seam to be more bothered about adding stuff to the game rather than fixing serious bug's.Shame really cost me 24 quid for the game.

I noticed that with your poc in the video on one occasion,the first one i think you where in control of the eip register,If any other of the register where affected you can bet that it's remotely exploitable.

aluigi · **Posted:** 14 Aug 2007 21:46

I think that LFS is a cool game and if you have a good racing wheel and a confortable armchair it's valid to buy, what is not good is that it's nature is the multiplayer and if this field is compromised it's no longer valid.

Personally the only thing I like to do with LFS is the parking ih ih ih

Oh about the PoC now you can test it by yourself, it's public

n00b · **Joined:** 14 Aug 2007 13:32 **Posts:** 71

Oh thank's luigi im going to take a look now.Oh luigi nice find would you mind me writing a exploit for this m8 giving credit's to you of course.?
Hey luigi im having problem's i've tried to sniff to find the packet's that is causing the over flow but i was unable to find it.Can you release any data about the packet's m8 i can't seam to sniff the packet on a local network and i've looked over the source code and couldn't see it. :wink:

Personally the only thing I like to do with LFS is the parking

pmsl.

I've tried for a few hour's now and had to work in a loop back to capture the packet's and was not able to reconstruct connecting to lfs dedicated server im hoping you are going to reveal haw you managed to locate the packet.Time's like these i wish i had a little lab with multiple computer's.

Did the packet look any think like this luigi.

Data
S/R Packet Offset Hex ASCII
S 0x0001 0x0000 34 02 05 58 0A 1D 05 35-4E 00 00 00 00 6D 75 68 4..X...5N....muh
S 0x0001 0x0010 61 61 00 00 00 00 00 00-00 00 00 00 00 00 00 00 aa..............
S 0x0001 0x0020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 5A ...............Z
S 0x0001 0x0030 27 69 8B A7 27 - 'i?????'
S 0x0002 0x0000 0C 02 05 58 0A 1D 04 35-4E 00 00 00 00 ...X...5N....
S 0x0003 0x0000 14 02 05 58 0A 1D 03 35-4E 00 00 00 00 00 00 00 ...X...5N.......
S 0x0003 0x0010 00 00 00 00 00 - .....
R 0x0004 0x0000 2C 03 01 00 00 00 00 00-00 23 00 00 00 42 6C 61 ,........#...Bla
R 0x0004 0x0010 63 6B 77 6F 6F 64 00 00-00 00 00 00 00 00 00 00 ckwood..........
R 0x0004 0x0020 00 00 00 00 00 00 00 00-00 00 00 00 00 .............
S 0x0005 0x0000 04 01 00 00 00 - .....
R 0x0006 0x0000 C4 00 01 00 00 00 00 00-00 00 00 00 00 00 00 00 ??...............
R 0x0006 0x0010 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
R 0x0006 0x0020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
R 0x0006 0x0030 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
R 0x0006 0x0040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
R 0x0006 0x0050 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
R 0x0006 0x0060 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
R 0x0006 0x0070 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
R 0x0006 0x0080 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
R 0x0006 0x0090 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
R 0x0006 0x00A0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
R 0x0006 0x00B0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
R 0x0006 0x00C0 00 00 00 00 00 - .....
S 0x0007 0x0000 14 02 05 58 0A 1D 00 35-4E 00 00 00 00 00 00 00 ...X...5N.......

aluigi · **Posted:** 15 Aug 2007 09:11

sure, write the exploit!

the packet which causes the exploitable buffer-overflow is the one containing some text fields like the nickname, the car's plate and the helmet.
you can't see it at the beginning of the connection because it's sent after the joining process (probably the lobby).
the packet should looks like:
xx 01 03 00 00 00 nickname plate ??? helmet
xx is the size of the data

Anyway if I have time I will try to find the function in the game executable so you could write an exploit using directly the same lfs.exe

n00b · **Joined:** 14 Aug 2007 13:32 **Posts:** 71

Thank's luigi it would be very much appreciated,I think it's because i am using a trial version of this packet capture with a local loop back and im not getting all the packet's.Did you have more than one computer luigi with like a man in the middle set up m8.Could you explain haw you managed to capture the packet's.And do you know of any software that will allow me to capture the packet's through a loop back.

Thank's.

aluigi · **Posted:** 15 Aug 2007 14:10

for loopback sniffing I use WPE http://wpepro.net
then I convert its output in tcpdump format with wpe2cap, a tool that you can find in my Research section:

http://aluigi.org/papers.htm#others-file

n00b · **Joined:** 14 Aug 2007 13:32 **Posts:** 71

Oh me guna make a cupa lol and get straight at it ive been try for hour's i will succeed i alway's do i might still be trying when im 50 but ill get there in the end thank's for your help m8.I suppose this is what it's all about you never know every thing and there is still room for improvement and learning.

:D

Agrrr i have no idea what im doing wrong i found the packet's which cause the over flow i see the 41 41 41 hex but when i construct the packet and send it the application don't even recognize it. :oops:

I think im going to have to let some one else do this im not able to do it unfortunately it don't matter what i do im not able to connect to the dedicate server and when i do i get the msg "crash buffer ok" or some thing like that.May be i will return to it in a few days once i've got round it.Atleast i know i must learn more about protocol's and constructing packet's.Hate to give up on it though.

Ok i couldn't stop but take a look again see if i could solve this here is the packet where the over flow is.

Is there any more packet's before these luigi i sent all the packet's i captured from the client to the server and it come's up with buff crash avoided ok.I did notice that your client is seeing the response from the server to determine the version of the server.

1st part of the over flow.
"\xFF\x01\x03\x00\x00\x00";

250 x A

last part of the over flow.
"\x1E\x00\x99\x6A\xF9\xFF\x18\x2F\xD2\xC8\x2C\x00\x00\xF3\xDC\x4F\x85\x00\x00\xE1\x3B\xED\x00\x98\x
51\xB2\xE3\x37\x90\x33\xA3\x0A\x00\xA0\x1B\x04\x00\x04\x0D\x16\xE3\x07"
==============================================
I think i know why it wont work for me im either send the packet's as one big packet or im not waiting for a response from the server then sending the next packet.

aluigi · **Posted:** 16 Aug 2007 09:05

I think that the only limitation is that it's an in-game bug which means 2 things:

- you need to recreate the joining process, which fortunately is simple but naturally requires more than one packet

- the car data hash, I forgot to talk to you about it yesterday, it's an hash resulted by the checksum of the cars data in the LFS executable and the challenge sent by the server, this is the job made by that big .h file in the lfsfp package

So probably the best solution is to add the needed stuff (shellcode) to my lfsfp proof-of-concept since it's also compatible with older versions of the game.
The line where the exploitation starts is the one containing memset(p, 'A', 250);
after having modified that one you need to increase the p pointer of the bytes you have added (so substituite the 250 in "p += 250;" with the exact amount of bytes)

n00b · **Joined:** 14 Aug 2007 13:32 **Posts:** 71

Agrr thanx for that luigi i think i will return to this in a few week's i knew i was missing some thing by watching the reply's i was geting from the server.

aluigi · **Posted:** 21 Aug 2007 22:25

n00b have you noticed a certain mystery about mine and yours bugs in LFS?
Secunia has not reported the news, I have also sent them a mail and a feedback but nothing... isn't this strange???

n00b · **Joined:** 14 Aug 2007 13:32 **Posts:** 71

What you mean Luigi did they not put them up.That is strange because they normally go straight up when i submitted mine to milw0rm they normally do there round around the usual security site's,But yeh that is strange.Im wondering if the developer's have denied the claims about the vulnerability.

The developer's of live for speed want to brush this under the carpet and forget it ever happened.Your right but they have not published all of my exploit's.Why would they do that luigi.?

http://secunia.com/search/?search=n00b

aluigi · **Posted:** 22 Aug 2007 22:38

I don't think that the LFS guys have made pressure on Secunia, that's why this thing is everyday more misterious.
About your exploits, if I'm not in error your is not the only stuff not traced by them, I have seen other things from milw0rm which are not there.
Probably they have tested the exploits with the latest versions of the software and they were not vulnerable... that's only my hypotesis.
Why don't you write a mail to them? just for curiosity
Carsten is a very good guy and has ever replied quickly to any of my mails (except the latest two about LFS)

n00b · **Joined:** 14 Aug 2007 13:32 **Posts:** 71

Wow yeh i will that is strange i've gone through all the exploit's we both have wrote and the version is still affected there has been no update's yet from the new y patch and also the automatic update system has not updated any thing yet.But ill send them an email tomorrow about it.And if any change's when the new patch come's out ill test the exploit's again.

aluigi · **Posted:** 28 Aug 2007 08:31

the mistery has been solved, Secunia thought that LFS was an alpha and so they didn't keep track of the bugs. now it's all ok for the bugs I have reported, but you n00b should send them a mail because I don't see yours there

n00b · **Joined:** 14 Aug 2007 13:32 **Posts:** 71

I've sent them an email luigi so we will have to wait and see what happens.Just noticed the developer's have released a new dedi server to fix the bugs you found luigi.

http://www.lfs.net/download/LFS_S2_DEDI_X11.zip
:wink:

aluigi · **Posted:** 28 Aug 2007 16:47

Wow this is just what I call quick fixes.... ah ah ah
I have read the relative thread on lfsforum and sincerely I have not understood why you think you did the wrong thing: find, report and release. stop

That's good.
What is not good is taking almost one month for fixing critical vulnerabilities and ONLY because the bugs have been exploited and I can't imagine how much other time they will need to fix your bugs which are criticals too since replays are an essential part of the LFS community.

Well seems that they will not credit our names... patience this is an usual practice of vendors.

n00b · **Joined:** 14 Aug 2007 13:32 **Posts:** 71

Lol luigi it's funny though you have to admit they all want our blood :D.All i can say is that there just like the other vendors ive had contact with.This is the way the security industry is and thats it.Shame really lol,Me thinks you should test the new version luigi for a giggle i think they just have added some thing so when your client try to connect it dont receive the server version packet.

aluigi · **Posted:** 28 Aug 2007 16:57

however the most funny line I have read is the following:
"I don't like being forced to change direction because of hackers releasing programs onto the internet that do nothing but annoy our community"

well seems that a buffer-overflow is only an annoying thing, the next time I will release an advisory on Bugtraq I will title it "annoying thing in XXX 1.0".

Fortunately not all the commercial vendors are bad, for example Evenbalance has still the security news with my name of its website (and they patch bugs in less than a day) and I was credited also by the guys of Battlefield 1942 in their latest patch and some others that unfortunately I don't remember.
Then there is the open source community which "rarely" doesn't credit someone.

I think that would be cool sometimes to create a list of good and bad vendors ih ih ih

n00b · **Joined:** 14 Aug 2007 13:32 **Posts:** 71

""
well seems that a buffer-overflow is only an annoying thing, the next time I will release an advisory on Bugtraq I will title it "annoying thing in XXX 1.0".
""
Pmsl omfg loool.

New patch released version X12
http://www.lfsforum.net/showthread.php?t=30317

There lucky i didn't have the time to write a poc code for the buffer over flow it would have been alot worse.Or even your self for that matter.

aluigi · **Posted:** 28 Aug 2007 17:02

in the moment we are talking has been released X12!

n00b · **Joined:** 14 Aug 2007 13:32 **Posts:** 71

w00t 2 patches in 20 minutes thats what i call a quick job.I would hate to see the fix they done i really would i can just imagine it now.:D.Should put the thing in bin diff for a laugh.

n00b · **Joined:** 14 Aug 2007 13:32 **Posts:** 71

Luigi has this been patched yet m8..

aluigi · **Posted:** 27 Oct 2007 13:35

only the server bugs have been fixed, our clients bugs are still active.
Then the X12 patch covers only the 4 bugs I found some months ago so the lfscbof is still exploitable (I mean in case the developers had in mind to avoid the malicious lfscbof packet to be sent to the vulnerable clients).

n00b · **Joined:** 14 Aug 2007 13:32 **Posts:** 71

Spr and mpr buffer over flow is now fixed 4 months later pmsl..Oh well will be looking into it again some time this week.

aluigi · **Posted:** 22 Dec 2007 23:27

UNBELIEVABLE lfscbof is still UNPATCHED!!!

That means that anyone with the Y patch is still affected by the buffer-overflow... I have no words, really

n00b · **Joined:** 14 Aug 2007 13:32 **Posts:** 71

I have some word's luigi it's called lol lmfao pmsl :D

Yeh developer's fix a local buffer over flow rather than a remote over flow pmsl.

n00b · **Joined:** 14 Aug 2007 13:32 **Posts:** 71

Mine are patched lol

About time.

aluigi · **Posted:** 09 Feb 2008 21:44

I could be wrong but is possible that lfcbof (the clients buffer-overflow) could be used also to crash servers in some conditions

Luigi Auriemma

Live for Speed patch x s1/s2/demo local exploit's