
List:       oss-security
Subject:    [oss-security] TORCS 1.3.2 xml buffer overflow - CVE-2012-1189
From:       Andres Gomez <agomez () fluidsignal ! com>
Date:       2012-02-18 18:35:31
Message-ID: CAB9ZNAzBgtqWdjDmsTmzHi+uVCUCqtfO6Goo4fneacfJ5cSBtw () mail ! gmail ! com


http://www.exploit-db.com/exploits/18471/
http://www.torcs.org

Hi,

I have found another exploitable buffer overflow in torcs; this time it
is not related to plib.
The problem is in:

torcs/src/modules/graphic/ssgraph/grsound.cpp, line 103:

96      char filename[512];
        FILE *file = NULL;

        // ENGINE PARAMS
        tdble rpm_scale;
        param = GfParmGetStr(handle, "Sound", "engine sample", "engine-1.wav");
        rpm_scale = GfParmGetNum(handle, "Sound", "rpm scale", NULL, 1.0);
103     sprintf (filename, "cars/%s/%s", car->_carName, param);
        file = fopen(filename, "r");
        if (!file)
        {
107         sprintf (filename, "data/sound/%s", param);
        }
        else
        {
            fclose(file);
        }

This section reads a configuration sound option from [any-car].xml, for
example:

<section name="Sound">
        <attstr name="engine sample" val="renault-v10.wav"/>
        <attnum name="rpm scale" val="0.35"/>
</section>

If the audio file name in "engine sample" is long enough, it could overwrite
the "filename" buffer (line 96), because there is no size validation in
line 103 (nor in line 107).
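As an added example (not TORCS code and not part of this report), here is a bounded version of the two path-building calls from lines 103 and 107 that rejects an overlong "engine sample" value instead of writing past the 512-byte buffer; the function names, the constructed 700-byte sample name and the "renault" car name are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

#define SOUND_PATH_MAX 512   /* same size as filename[512] at line 96 */

/* Checks an snprintf() result: it returns the length it *wanted* to
 * write, so n >= outlen means the name did not fit and was truncated. */
static int fits(int n, size_t outlen, char *out)
{
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';           /* never hand back a partial path */
        return -1;
    }
    return 0;
}

/* Bounded version of line 103: "cars/<car>/<sample>". */
static int build_car_sound_path(char *out, size_t outlen,
                                const char *car_name, const char *sample)
{
    return fits(snprintf(out, outlen, "cars/%s/%s", car_name, sample),
                outlen, out);
}

/* Bounded version of line 107: "data/sound/<sample>". */
static int build_shared_sound_path(char *out, size_t outlen, const char *sample)
{
    return fits(snprintf(out, outlen, "data/sound/%s", sample), outlen, out);
}

/* Same lookup order as the original: per-car file first, then the shared
 * sound directory. Returns 0 with the path in out, -1 if the XML value is
 * too long for the buffer (the caller should then use a safe default). */
static int resolve_engine_sample(char *out, size_t outlen,
                                 const char *car_name, const char *sample)
{
    if (build_car_sound_path(out, outlen, car_name, sample) != 0)
        return -1;
    FILE *f = fopen(out, "r");
    if (f) { fclose(f); return 0; }
    return build_shared_sound_path(out, outlen, sample);
}

int main(void)
{
    char filename[SOUND_PATH_MAX], overlong[700];  /* constructed input */
    memset(overlong, 'A', sizeof overlong - 1);
    overlong[sizeof overlong - 1] = '\0';
    printf("short: %d\n", resolve_engine_sample(filename, sizeof filename, "renault", "renault-v10.wav"));
    printf("overlong: %d\n", resolve_engine_sample(filename, sizeof filename, "renault", overlong));
    return 0;
}
```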

I have already notified the vendor.

Please use CVE-2012-1189 for this issue.

Regards.

Andrés Gómez
