Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: TORCS 1.3.2 xml buffer overflow - CVE-2012-1189
From: Andres Gomez <agomez () fluidsignal com>
Date: Mon, 5 Mar 2012 14:05:14 -0500

Speed Dreams (http://www.speed-dreams.org/) is also vulnerable due It is a
TORCS's fork, and they both share most of the code.
Should I ask for a new CVE number? or can I use CVE-2012-1189 for this
issue?

By the way, how can I get disclosed  CVE-2012-1189 details in mitre web
page, since TORCS and Speed Dreams people have already fixed the bugs?.

Regards.

2012/2/18 Andres Gomez <agomez () fluidsignal com>

http://www.exploit-db.com/exploits/18471/
http://www.torcs.org

Hi,

I have found another exploitable buffer overflow in torcs, this time it
does'nt have relation with plib.
The problem is in:

torcs/src/modules/graphic/ssgraph/grsound.cpp, line 103:

96     char filename[512];
        FILE *file = NULL;

        // ENGINE PARAMS
        tdble rpm_scale;
        param = GfParmGetStr(handle, "Sound", "engine sample",
"engine-1.wav");
        rpm_scale = GfParmGetNum(handle, "Sound", "rpm scale", NULL, 1.0);
103   sprintf (filename, "cars/%s/%s", car->_carName, param);
        file = fopen(filename, "r");
        if (!file)
        {
107             sprintf (filename, "data/sound/%s", param);
        }
        else
        {
            fclose(file);
        }

This section reads a configuration sound option from [any-car].xml, for
example:

<section name="Sound">
        <attstr name="engine sample" val="renault-v10.wav"/>
        <attnum name="rpm scale" val="0.35"/>
</section>

if audio file name in "engine sample" is enough long it could overwrite
"filename" buffer (line 96),
because there is not size validation in line 103 (also in line 107).

I have already notified vendor.

Please use CVE-2012-1189 for this issue.

Regards.

Andrés Gómez

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault