#######################################################################

                             Luigi Auriemma

Application:  Xpand Rally
              http://www.xpandrally.com
Versions:     <= 1.1.0.0
Platforms:    Windows
Bug:          format string
Exploitation: remote, versus server and clients (in-game)
Date:         09 Mar 2005
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Xpand Rally is a recent rally game developed by Techland
(http://www.techland.pl) and published by Strategy First
(http://www.strategyfirst.com) in September 2004.

#######################################################################

======
2) Bug
======

The game is affected by a format string bug that can be exploited by an
attacker to execute malicious code by sending a malformed message.
The attacker cannot send the malformed message directly from his own
game client, because he would be exploiting his own machine, so the use
of a program that modifies the packets on the fly (a UDP proxy, for
example) is suggested.
Both servers and clients are vulnerable, and the vulnerability is
in-game.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/xprallyfs.zip

It is a simple UDP proxy server that substitutes the keyword
crashmenow with a sequence of %n patterns, causing the crash of the
server or the client that receives it.

#######################################################################

======
4) Fix
======

No fix.
The vulnerability was reported to the developers a couple of months
ago, but they were not able to patch the bug; I recontacted them
recently but have received no reply.

#######################################################################
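The defect class described in section 2, as an added example that is not part of the advisory and not Techland's code: player-supplied text must never reach the format argument of a printf-style call, and a server can cheaply flag inbound chat that carries format directives before logging or displaying it. The function names and the sample message are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the advisory or from Techland's code. It shows
 * the defect class the advisory describes (player-supplied text reaching
 * a printf-style format argument) next to the fixed form, plus a simple
 * check a server could run on inbound chat before it is logged or shown.
 * Function names are hypothetical. */

/* Count '%' directives in an untrusted string, ignoring the literal "%%".
 * A non-zero result means the text would steer the formatter if it were
 * ever passed as the format argument. */
int count_format_directives(const char *msg)
{
    int n = 0;
    for (const char *p = msg; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" is just a literal percent sign */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Fixed form: the untrusted text is always an argument, never the format.
 * Returns the number of characters written, or -1 on truncation. */
int render_chat_line(char *out, size_t outlen, const char *player,
                     const char *msg)
{
    /* The vulnerable pattern is snprintf(out, outlen, msg); with the
     * message itself as the format, so "%n" in msg drives the formatter. */
    int r = snprintf(out, outlen, "<%s> %s", player, msg);
    if (r < 0 || (size_t)r >= outlen)
        return -1;
    return r;
}

int main(void)
{
    char line[128];
    const char *sample = "hello %n%n%n";   /* constructed sample message */
    printf("directives in sample: %d\n", count_format_directives(sample));
    if (render_chat_line(line, sizeof line, "driver1", sample) >= 0)
        puts(line);    /* prints literally: <driver1> hello %n%n%n */
    return 0;
}
```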