#######################################################################

                             Luigi Auriemma

Application:  Rigs Of Rods
              http://www.rigsofrods.com
              http://repository.rigsofrods.com
Versions:     <= 0.33d
Platforms:    Windows and *nix
Bug:          static buffer overflow
Exploitation: remote, versus server
Date:         19 Nov 2007
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Rigs Of Rods is a nice multi-vehicle simulation game supported by a big
community.

#######################################################################

======
2) Bug
======

The global dbuffer buffer of 8192 bytes (MAX_MESSAGE_LENGTH) is subject
to a buffer overflow that happens when a user joins the server using a
long nickname and vehicle name.

In queueMessage, when the MSG2_USE_VEHICLE message is received, dbuffer
(here pointed to by the data argument) is first copied into the vehicle
name (which has the same size as the source), and then the nickname is
concatenated to dbuffer, allowing an attacker to overflow this buffer
by up to 255 bytes.

Because of the kind of buffer involved, code execution may not be
possible, or may be possible only in some circumstances.

From sequencer.cpp (the vulnerable code, shown as-is):

  void Sequencer::queueMessage(int pos, int type, char* data, unsigned int len)
  {
      pthread_mutex_lock(&clients_mutex);
      if (type==MSG2_USE_VEHICLE)
      {
          // data points into dbuffer (MAX_MESSAGE_LENGTH bytes); len is
          // the received payload length and is not checked against it
          data[len]=0;
          strncpy(clients[pos].vehicle_name, data, 255);
          //printStats();
          //we alter the message to add user info
          // nickname (up to 255 bytes) is appended at data+len+1 with no
          // check that it still fits in dbuffer: this is the overflow
          strcpy(data+len+1, clients[pos].nickname);
          len+=(int)strlen(clients[pos].nickname)+2;
          ...
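The following is an added example, not code from this advisory or from the Rigs Of Rods server: a hardened version of the MSG2_USE_VEHICLE branch that keeps the original layout (vehicle name, NUL, nickname, NUL) but performs the length check the original lacks before writing. The struct client layout, NAME_MAX_LEN, the function names and the sample inputs are assumptions made for the example.

```c
#include <string.h>

#define MAX_MESSAGE_LENGTH 8192   /* size of dbuffer in the advisory */
#define NAME_MAX_LEN 255          /* width strncpy uses for vehicle_name */
/* Hypothetical client record with only the two fields the advisory mentions. */
struct client {
    char vehicle_name[NAME_MAX_LEN + 1];
    char nickname[NAME_MAX_LEN + 1];
};

/* The missing check: does a payload of `len` bytes, plus a NUL, the nickname
 * and its NUL, fit in a buffer of `cap` bytes?  The original code assumes so. */
int use_vehicle_fits(size_t cap, size_t len, const char *nickname) {
    return len + strlen(nickname) + 2 <= cap;
}

/* Hardened MSG2_USE_VEHICLE branch (assumed name): same layout as the original
 * but rejects input that would write past the end of `data`.
 * Returns the new message length, or -1 when the input is rejected. */
int queue_use_vehicle(struct client *c, char *data, size_t cap, size_t len) {
    if (len >= cap || !use_vehicle_fits(cap, len, c->nickname))
        return -1;
    data[len] = '\0';
    strncpy(c->vehicle_name, data, NAME_MAX_LEN);
    c->vehicle_name[NAME_MAX_LEN] = '\0';   /* strncpy may leave no terminator */
    memcpy(data + len + 1, c->nickname, strlen(c->nickname) + 1);
    return (int)(len + strlen(c->nickname) + 2);
}

/* Constructed benign input: vehicle "truck", nickname "bob" -> length 10. */
int demo_accepts_normal(void) {
    char data[MAX_MESSAGE_LENGTH];
    struct client c;
    strcpy(c.nickname, "bob");
    memcpy(data, "truck", 5);
    return queue_use_vehicle(&c, data, sizeof data, 5);
}

/* Constructed input shaped like the advisory's case: a vehicle name that
 * nearly fills dbuffer and a 255-byte nickname.  Returns 1 if rejected. */
int demo_rejects_oversized(void) {
    char data[MAX_MESSAGE_LENGTH];
    struct client c;
    size_t len = MAX_MESSAGE_LENGTH - 100;
    memset(c.nickname, 'N', NAME_MAX_LEN);
    c.nickname[NAME_MAX_LEN] = '\0';
    memset(data, 'V', len);
    return queue_use_vehicle(&c, data, sizeof data, len) == -1;
}
```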
#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/rorbof.zip

#######################################################################

======
4) Fix
======

RoRserver-0.33d-SP1

#######################################################################