From: Andres G. <and...@fl...> - 2012-02-04 17:24:12
Hi Kilo,

No, it is not the same, it is another exploitable buffer overflow in TORCS and Speed Dreams (2 and previous versions); this time it doesn't have any relation to plib. The problem is in speed-dreams/src/modules/graphic/ssgraph/grsound.cpp, line 93:

 86    char filename[512];
       FILE *file = NULL;

       // ENGINE PARAMS
       tdble rpm_scale;

       param = GfParmGetStr(handle, "Sound", "engine sample", "engine-1.wav");
       rpm_scale = GfParmGetNum(handle, "Sound", "rpm scale", NULL, 1.0);
 93    sprintf (filename, "cars/%s/%s", car->_carName, param);
       file = fopen(filename, "r");
       if (!file) {
 97        sprintf (filename, "data/sound/%s", param);
       } else {
           fclose(file);
       }

As you know, this section reads a configuration sound option from [any-car].xml, for example:

    <section name="Sound">
        <attstr name="engine sample" val="renault-v10.wav"/>
        <attnum name="rpm scale" val="0.35"/>
    </section>

If the audio file name in "engine sample" is long enough, it could overwrite the "filename" buffer (line 86), because there is no size validation in line 93 (and also in line 97). The solution would be to use snprintf, taking care of the buffer's size (512).

By the way, as far as I know, several Linux distributions have fixed the plib bug I reported to the TORCS people. But I don't know about Windows; I believe Speed Dreams is still vulnerable on Windows.

Any question is welcome ;)

Regards.

Andrés Gómez

2012/2/3 kilo aka Gabor Kmetyko <kg...@gm...>

> Hi Andres,
>
> On 3 February 2012 17:16, Andres Gomez <ag...@fl...> wrote:
> > Hi, I have found an exploitable buffer overflow in speed dreams, I don't
> > know whether I should disclose details here or to another private mail.
> >
> > Regards,
> >
> > Andrés Gómez.
>
> Is it the same one you've reported on the TORCS list?
> If yes, we already have a ticket open for that:
> http://sourceforge.net/apps/trac/speed-dreams/ticket/537
>
> If not the same, please explain here on the devel list.
>
> cheers
> kilo
> --
> http://three.sentenc.es

--
Andrés Gómez Ramírez | Diagnostic Analyst
Fluidsignal Group S.A. | Where Security Meets Business
http://www.fluidsignal.com/ | ISO 9001:2008 / ISO 27001:2005
Phone: +57 (4) 4442637 | Mobile: +57 3012009712
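The overflow described in the message above, with the snprintf fix that the report suggests, as an added, stand-alone example (this is not code from the thread or from the TORCS / Speed Dreams source). It keeps the same 512-byte buffer and the same two format strings ("cars/%s/%s" at line 93 and "data/sound/%s" at line 97). Everything else is assumed for the illustration: the helper names, the car name "car-1", and a tiny strstr-based extractor that stands in for GfParmGetStr(handle, "Sound", "engine sample", ...). The point it shows beyond the report is that replacing sprintf with snprintf is only half the fix: snprintf returns the length the full string would have had, so the caller must compare that against the buffer size and reject the name instead of silently using a truncated path.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define FILENAME_LEN 512   /* same size as "char filename[512]" at line 86 */

/* Vulnerable shape, as at line 93 of the report: unbounded sprintf into a
 * fixed buffer. Kept only for side-by-side comparison; never call it with
 * an attacker-controlled param (a long "engine sample" value). */
static void build_engine_path_unsafe(char filename[FILENAME_LEN],
                                     const char *car_name, const char *param)
{
    sprintf(filename, "cars/%s/%s", car_name, param);
}

/* Hardened replacement (hypothetical helper name): bounded formatting plus an
 * explicit truncation check. vsnprintf returns the length the whole string
 * would have had, so n >= dst_len means the path did not fit.
 * Returns 0 on success, -1 on error or truncation (dst is then ""). */
static int format_path_checked(char *dst, size_t dst_len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(dst, dst_len, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= dst_len) {
        dst[0] = '\0';           /* never hand back a silently cut path */
        return -1;
    }
    return 0;
}

/* Line 93 and line 97 of the report, rewritten on top of the checked helper.
 * Both return 0 if the path fits in a FILENAME_LEN buffer, -1 otherwise. */
static int engine_path_fits(const char *car_name, const char *param)
{
    char filename[FILENAME_LEN];
    return format_path_checked(filename, sizeof filename, "cars/%s/%s",
                               car_name, param);
}

static int fallback_path_fits(const char *param)
{
    char filename[FILENAME_LEN];
    return format_path_checked(filename, sizeof filename, "data/sound/%s",
                               param);
}

/* Constructed stand-in for GfParmGetStr(handle, "Sound", "engine sample", ...):
 * pulls the val="..." of the "engine sample" <attstr> out of an XML snippet.
 * Returns the value length, or -1 if absent or longer than out_len-1. */
static int extract_engine_sample(const char *xml, char *out, size_t out_len)
{
    const char *p = strstr(xml, "name=\"engine sample\"");
    if (!p) return -1;
    p = strstr(p, "val=\"");
    if (!p) return -1;
    p += strlen("val=\"");
    const char *end = strchr(p, '"');
    if (!end) return -1;
    size_t len = (size_t)(end - p);
    if (len >= out_len) return -1;
    memcpy(out, p, len);
    out[len] = '\0';
    return (int)len;
}

/* Resolves the engine sample path for car_name from a car XML snippet into a
 * static buffer; returns "" when the sample name is missing or too long. */
static const char *engine_path_from_xml(const char *car_name, const char *xml)
{
    static char filename[FILENAME_LEN];
    char param[4096];   /* big enough that the path check, not this copy, rejects */
    if (extract_engine_sample(xml, param, sizeof param) < 0 ||
        format_path_checked(filename, sizeof filename, "cars/%s/%s",
                            car_name, param) < 0)
        return "";
    return filename;
}

/* Constructed sample name of length n (all 'A'), for the oversized case. */
static const char *long_sample_name(size_t n)
{
    static char buf[4096];
    if (n >= sizeof buf) n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    /* Constructed car XML Sound section, shaped like the one in the report. */
    const char *good_xml =
        "<section name=\"Sound\">\n"
        "  <attstr name=\"engine sample\" val=\"renault-v10.wav\"/>\n"
        "  <attnum name=\"rpm scale\" val=\"0.35\"/>\n"
        "</section>\n";
    char bad_xml[4200];
    snprintf(bad_xml, sizeof bad_xml,
             "<section name=\"Sound\">\n"
             "  <attstr name=\"engine sample\" val=\"%s.wav\"/>\n"
             "</section>\n", long_sample_name(600));

    printf("benign:    [%s]\n", engine_path_from_xml("car-1", good_xml));
    printf("oversized: [%s]\n", engine_path_from_xml("car-1", bad_xml));
    (void)build_engine_path_unsafe;   /* shown for comparison, not called */
    return 0;
}
```

The boundary is exact: "cars/car-1/" is 11 bytes, so a 500-byte sample name produces a 511-byte path plus the terminator and is accepted, while 501 bytes would need 513 and is rejected. A fix that swaps in snprintf but ignores its return value would instead open a truncated path and fail at runtime, or open a different file than the one named in the XML.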