#######################################################################

                             Luigi Auriemma

Application:  Live for Speed
              http://www.lfs.net
Versions:     <= 0.5Y
Platforms:    Windows
Bug:          client buffer-overflow during skins handling
Exploitation: remote, versus clients (the attacker can be a malicious
              client or the same server)
Date:         13 Oct 2007
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Live for Speed (LFS) is one of the most known and cool car racing
simulators available and allows to do a lot of things: races,
autocross, drifting, drag races, demolition derby, knock out and more.


#######################################################################

======
2) Bug
======


Live for Speed allows the players to use different skins for their
cars, which can be those available by default or just new skins in DDS
format created by the same users.

When a player, after having joined the server, decides to enter on the
track, a packet with all the informations about his car (like setup,
colors and skin) is sent to the server which forwards some of these
data to all the other connected clients.

The field which contains the name of the skin in use by the player is a
field of 16 bytes which is read by the clients and concatenated to the
name of his car for the subsequent loading of the needed DDS file from
the local skins folders.
The operation is made without the proper checks resulting in a stack
buffer-overflow.

So, in short, any client which can join a server and can race on it
(not as spectator) can also be able to exploit this vulnerability for
crashing or possibly executing malicious code (the maximum number of
allowed chars is 48) on all the clients connected to the server,
except himself.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/lfscbof.zip


#######################################################################

======
4) Fix
======


No fix.
Developers have not been contacted since still exist (not patched yet)
other buffer overflow vulnerabilities which affect the clients locally
found by my friend n00b and reported to them at the end of July.

UPDATE 24 Dec 2007
The patch Y released a couple of days ago is still vulnerable.


#######################################################################