Menu
▾
▴
torcs-devel
You can subscribe to this list here.
| 2000 |
Jan
|
Feb
|
Mar
|
Apr
(1) |
May
(1) |
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2001 |
Jan
|
Feb
(1) |
Mar
|
Apr
(3) |
May
(5) |
Jun
|
Jul
|
Aug
|
Sep
|
Oct
(2) |
Nov
|
Dec
(6) |
| 2002 |
Jan
(11) |
Feb
|
Mar
(5) |
Apr
|
May
(1) |
Jun
(2) |
Jul
(3) |
Aug
|
Sep
|
Oct
(1) |
Nov
(2) |
Dec
(1) |
| 2003 |
Jan
(1) |
Feb
(11) |
Mar
(33) |
Apr
(8) |
May
(10) |
Jun
(1) |
Jul
(1) |
Aug
(5) |
Sep
(4) |
Oct
(3) |
Nov
(6) |
Dec
(22) |
| 2004 |
Jan
(46) |
Feb
(16) |
Mar
(39) |
Apr
(29) |
May
(27) |
Jun
(11) |
Jul
(8) |
Aug
(15) |
Sep
(29) |
Oct
(12) |
Nov
(42) |
Dec
(19) |
| 2005 |
Jan
(2) |
Feb
(64) |
Mar
(87) |
Apr
(35) |
May
(6) |
Jun
(20) |
Jul
(34) |
Aug
(73) |
Sep
(39) |
Oct
(20) |
Nov
(3) |
Dec
(9) |
| 2006 |
Jan
(3) |
Feb
(17) |
Mar
(6) |
Apr
(6) |
May
(20) |
Jun
(18) |
Jul
|
Aug
(2) |
Sep
(4) |
Oct
(5) |
Nov
(13) |
Dec
(5) |
| 2007 |
Jan
|
Feb
(4) |
Mar
(17) |
Apr
(4) |
May
(4) |
Jun
(4) |
Jul
(1) |
Aug
(3) |
Sep
(13) |
Oct
(15) |
Nov
(21) |
Dec
(9) |
| 2008 |
Jan
(12) |
Feb
(9) |
Mar
(14) |
Apr
(35) |
May
(17) |
Jun
(23) |
Jul
(28) |
Aug
(34) |
Sep
(24) |
Oct
(9) |
Nov
(6) |
Dec
(4) |
| 2009 |
Jan
(27) |
Feb
(8) |
Mar
(5) |
Apr
(3) |
May
|
Jun
(4) |
Jul
(7) |
Aug
(13) |
Sep
(9) |
Oct
(5) |
Nov
|
Dec
|
| 2010 |
Jan
|
Feb
(3) |
Mar
(1) |
Apr
(3) |
May
(4) |
Jun
(4) |
Jul
(10) |
Aug
(7) |
Sep
(5) |
Oct
(4) |
Nov
(4) |
Dec
(1) |
| 2011 |
Jan
(3) |
Feb
(6) |
Mar
|
Apr
(2) |
May
(2) |
Jun
|
Jul
|
Aug
|
Sep
(1) |
Oct
|
Nov
(1) |
Dec
(5) |
| 2012 |
Jan
(5) |
Feb
(13) |
Mar
(6) |
Apr
(2) |
May
(1) |
Jun
|
Jul
|
Aug
|
Sep
(1) |
Oct
(5) |
Nov
(9) |
Dec
(3) |
| 2013 |
Jan
|
Feb
(5) |
Mar
|
Apr
(4) |
May
|
Jun
(3) |
Jul
|
Aug
(1) |
Sep
|
Oct
(2) |
Nov
|
Dec
|
| 2014 |
Jan
(2) |
Feb
|
Mar
|
Apr
(1) |
May
(2) |
Jun
|
Jul
|
Aug
|
Sep
(2) |
Oct
(1) |
Nov
(4) |
Dec
(2) |
| 2015 |
Jan
|
Feb
|
Mar
(4) |
Apr
|
May
|
Jun
(1) |
Jul
|
Aug
(2) |
Sep
(3) |
Oct
|
Nov
|
Dec
|
| 2016 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
(4) |
Sep
|
Oct
|
Nov
(1) |
Dec
|
| 2017 |
Jan
|
Feb
|
Mar
|
Apr
|
May
(4) |
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
(1) |
| 2018 |
Jan
|
Feb
|
Mar
|
Apr
(1) |
May
|
Jun
|
Jul
|
Aug
(1) |
Sep
|
Oct
|
Nov
|
Dec
|
| 2019 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
(1) |
| 2023 |
Jan
|
Feb
|
Mar
(2) |
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
| 2024 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
(1) |
Nov
|
Dec
|
| 2025 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
(1) |
Jul
(4) |
Aug
(2) |
Sep
|
Oct
|
Nov
|
Dec
|
| S | M | T | W | T | F | S |
|---|---|---|---|---|---|---|
|
|
|
|
|
1
|
2
|
3
|
|
4
|
5
|
6
|
7
|
8
|
9
|
10
|
|
11
|
12
|
13
|
14
|
15
|
16
|
17
|
|
18
|
19
|
20
(3) |
21
|
22
(1) |
23
(1) |
24
|
|
25
|
26
|
27
|
28
|
29
|
30
|
31
|
|
From: Andres G. <ag...@fl...> - 2011-12-23 03:08:30
|
Hi Bernhard,
in
if ( sscanf ( s, "%s rgb %f %f %f amb %f %f %f emis %f %f %f spec %f %f %f
shi %d trans %f",
yeah I think It would be enough to put %1023s.
on the other hand in
ulSetError ( UL_WARNING, "grloadac:do_material: Can't parse this
MATERIAL:%1023s", s ) ;
remember, what you are sending to ulSetError is not sizeof(s) bytes, you
are actually sending
sizeof("grloadac:do_material: Can't parse this MATERIAL:")+sizeof(s), and
because plib's error buffer just
can store 1024 bytes, thats the reason the vulnerability is trigered. So
you have to chek how many bytes you send to ulSetError.
I sent an email to plib people, and they did not respond yet, but the last
message posted there in the mailing list is:
"PLIB is no longer being maintained - it would take too much work to bring
it up to the latest OpenGL standards.
I don't plan any more releases. I recommend that FlightGear pulls their
current version into their repository and make it a part of FlightGear
itself.
-- Steve"
So I dont know whether they are likely to fix this bug.
Anyway to solve PLIB bug It only would take to use vsnprintf instead of
vsprintf inside ulSetError
Regards
2011/12/22 Bernhard Wymann <be...@bl...>
>
> Hi Andres
>
> So the fix would be then 2 parts:
>
>
>> in grloadacc.cpp
>>
>> static int do_material ( char *s )
>> {
>> char name [ 1024 ] ;
>> sgVec4 rgb ;
>> sgVec4 amb ;
>> sgVec4 emis ;
>> sgVec4 spec ;
>> int shi ;
>> float trans ;
>>
>> if ( sscanf ( s,
>> "%s rgb %f %f %f amb %f %f %f emis %f %f %f spec %f %f %f shi %d trans
%f",
>
>
> So this should be then "%1023s ..., or less than 1023, right?
>
>
>> name,
>> &rgb [0], &rgb [1], &rgb [2],
>> &amb [0], &amb [1], &amb [2],
>> &emis[0], &emis[1], &emis[2],
>> &spec[0], &spec[1], &spec[2],
>> &shi,
>> &trans ) != 15 )
>> {
>
>
> Here we leave the context, so the right place to fix this is plib. But we
could also tune the format string (maybe we can get the buffer size
somehow, but for getting the idea):
>
> ulSetError ( UL_WARNING, "grloadac:do_material: Can't parse this
MATERIAL:%1023s", s ) ;
>
> Can you check if this does the trick? Did you already let the plib people
know?
>
> Thank you very much for your report and help
>
> Best regards
>
> Bernhard
|
|
From: Bernhard W. <be...@bl...> - 2011-12-22 07:44:54
|
Hi Andres
So the fix would be then 2 parts:
> in grloadacc.cpp
>
> static int do_material ( char *s )
> {
> char name [ 1024 ] ;
> sgVec4 rgb ;
> sgVec4 amb ;
> sgVec4 emis ;
> sgVec4 spec ;
> int shi ;
> float trans ;
>
> if ( sscanf ( s,
> "%s rgb %f %f %f amb %f %f %f emis %f %f %f spec %f %f %f shi %d trans %f",
So this should be then "%1023s ..., or less than 1023, right?
> name,
> &rgb [0], &rgb [1], &rgb [2],
> &amb [0], &amb [1], &amb [2],
> &emis[0], &emis[1], &emis[2],
> &spec[0], &spec[1], &spec[2],
> &shi,
> &trans ) != 15 )
> {
Here we leave the context, so the right place to fix this is plib. But
we could also tune the format string (maybe we can get the buffer size
somehow, but for getting the idea):
ulSetError ( UL_WARNING, "grloadac:do_material: Can't parse this
MATERIAL:%1023s", s ) ;
Can you check if this does the trick? Did you already let the plib
people know?
Thank you very much for your report and help
Best regards
Bernhard
|
|
From: Andres G. <and...@fl...> - 2011-12-20 17:17:50
|
Ok, here are the details
the problem is that TORCS sometimes doesn't validate correctly data from
acc files. for example in:
car5-trb1.acc
AC3Db
MATERIAL "ac3dmat1" rgb 1.00 1.00 1.00 amb 1.00 1.00 1.00 emis 0.20 0.20
0.20 spec 0.50 0.50 0.50 shi 50 trans 0
OBJECT world
kids 48
OBJECT poly
name "DIFFUSORFLA_s_23"
if an attacker writes an very long string in MATERIAL line for example,
MATERIAL "aaaaaaaaaaaaaaaaaaaaaaaaaaa......aaaaaaaaaaaaaaaaaaaa" rgb 1.00
1.00 1.00 amb 1.00 1.00 1.00 emis 0.20 0.20 0.20 spec 0.50 0.50 0.50 shi 50
trans 0
then it will happen:
in grloadacc.cpp
static int do_material ( char *s )
{
char name [ 1024 ] ;
sgVec4 rgb ;
sgVec4 amb ;
sgVec4 emis ;
sgVec4 spec ;
int shi ;
float trans ;
if ( sscanf ( s,
"%s rgb %f %f %f amb %f %f %f emis %f %f %f spec %f %f %f shi %d trans
%f",
name,
&rgb [0], &rgb [1], &rgb [2],
&amb [0], &amb [1], &amb [2],
&emis[0], &emis[1], &emis[2],
&spec[0], &spec[1], &spec[2],
&shi,
&trans ) != 15 )
{
ulSetError ( UL_WARNING, "grloadac:do_material: Can't parse this
MATERIAL:%s", s ) ;
}
the line
if ( sscanf ( s,....
will fail and the function from plib ulSetError is gonna be called, with
the long string "s". Then in:
ulError.cpp from plib
void ulSetError ( enum ulSeverity severity, const char *fmt, ... )
{
va_list argp;
va_start ( argp, fmt ) ;
vsprintf ( _ulErrorBuffer, fmt, argp ) ;
va_end ( argp ) ;
if ( _ulErrorCB )
{
(*_ulErrorCB)( severity, _ulErrorBuffer ) ;
}
else
{
fprintf ( stderr, "%s: %s\n",
_ulSeverityText[ severity ], _ulErrorBuffer ) ;
if ( severity == UL_FATAL )
{
#ifdef WIN32
// A Windows user that does not start the program from the command
line
// will not see output to stderr
::MessageBox(0, _ulErrorBuffer, "fatal error!:", 0);
#endif
exit (1) ;
}
}
}
this function is gonna overflow the buffer:
static char _ulErrorBuffer [ 1024 ] = { '\0' } ;
which cause that pointer function
static ulErrorCallback _ulErrorCB = 0 ;
is overwritten and finally, that function pointer is called in:
if ( _ulErrorCB )
{
(*_ulErrorCB)( severity, _ulErrorBuffer ) ;
}
An attacker can manipulate such string s, causing that torcs executes
arbitrary code. It's important to note that the main problem is in plib,
because it doesn't check the size of const char *fmt, for this reason the
bug is trigered, but TORCS also should check acc inputs.
Well it's true that this bug is not about remote arbitrary code excecution
but It should no be understimated. An attacker could convince a user to
open a specially crafted acc file (a new car, track, ...), and it would be
all he need to get total control over user's machine.
Regards, a any question is welcome.
2011/12/20 Bernhard Wymann <be...@bl...>
> Hi Andres
>
> I think it is ok to publish it in the list, because TORCS is not a
> networking/priviledged application, so there should (!) be nothing
> "exploitable" (if a user can run code and can run override/inject code in
> his own context it is a nice "playground", but not much more, it just gets
> interesting when this can happen from "outside"/other user, is this the
> case?). But it should be addressed for later network versions, where this
> could really hurt.
>
> Thank you for the info.
>
> Best regards
>
> Bernhard
>
> On Dec 20, 2011, at 16:04 , Andres Gomez wrote:
>
> > Hi,
> >
> > I have found an exploitable buffer overflow in torcs when it uses the
> library plib, I dont know whether I should disclose details in this mailing
> list or to another private mail.
> >
> >
> > Regards,
> > Andrés Gómez
> >
> >
> ------------------------------------------------------------------------------
> > Write once. Port to many.
> > Get the SDK and tools to simplify cross-platform app development. Create
> > new or port existing apps to sell to consumers worldwide. Explore the
> > Intel AppUpSM program developer opportunity. appdeveloper.intel.com/join
> >
> http://p.sf.net/sfu/intel-appdev_______________________________________________
> > Torcs-devel mailing list
> > Tor...@li...
> > https://lists.sourceforge.net/lists/listinfo/torcs-devel
>
>
--
Andrés Gómez Ramírez | Analista de Diagnóstico
Fluidsignal Group S.A. | Where Security Meets Business
http://www.fluidsignal.com/ | ISO 9001:2008 / ISO 27001:2005
Teléfono: +57 (4) 4442637 | Móvil: +57 3012009712
|
|
From: Bernhard W. <be...@bl...> - 2011-12-20 15:47:51
|
Hi Andres I think it is ok to publish it in the list, because TORCS is not a networking/priviledged application, so there should (!) be nothing "exploitable" (if a user can run code and can run override/inject code in his own context it is a nice "playground", but not much more, it just gets interesting when this can happen from "outside"/other user, is this the case?). But it should be addressed for later network versions, where this could really hurt. Thank you for the info. Best regards Bernhard On Dec 20, 2011, at 16:04 , Andres Gomez wrote: > Hi, > > I have found an exploitable buffer overflow in torcs when it uses the library plib, I dont know whether I should disclose details in this mailing list or to another private mail. > > > Regards, > Andrés Gómez > > ------------------------------------------------------------------------------ > Write once. Port to many. > Get the SDK and tools to simplify cross-platform app development. Create > new or port existing apps to sell to consumers worldwide. Explore the > Intel AppUpSM program developer opportunity. appdeveloper.intel.com/join > http://p.sf.net/sfu/intel-appdev_______________________________________________ > Torcs-devel mailing list > Tor...@li... > https://lists.sourceforge.net/lists/listinfo/torcs-devel |
|
From: Andres G. <ag...@fl...> - 2011-12-20 15:05:23
|
Hi, I have found an exploitable buffer overflow in torcs when it uses the library plib, I dont know whether I should disclose details in this mailing list or to another private mail. Regards, Andrés Gómez |