#######################################################################

                             Luigi Auriemma

Application:  TrackMania Nations Forever
              TrackMania United Forever
              http://www.trackmania.com
              (it's possible that other old games of the series, like
              Sunrise and Original, are also vulnerable, but they have
              not been tested)
Versions:     <= 2.11.11 (and beta 2.11.19)
Platforms:    Windows
Bug:          NULL pointer dereference
Exploitation: remote, versus clients (in-game from another client)
              (only the clients are affected, even if the server is
              non-dedicated)
Date:         07 Aug 2009
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

TrackMania is a great series of racing games developed by Nadeo
(http://www.nadeo.com) with incredible tracks and a particular
gameplay. The series is very popular due to the release of the free
full game TrackMania Nations and to the completely multiplayer-oriented
nature of the games.

#######################################################################

======
2) Bug
======

The clients playing on a server can be crashed by a NULL pointer
dereference that happens when another client joins the server and
sends a particular command.

The problem seems to be caused by some client-side state that is not
initialized under certain conditions, so the attacker only has to join
a server and send that command to cause the immediate disconnection
(crash) of all the clients connected to it. Note that the server itself
is not affected, only the other clients.

No additional research has been performed on the detailed causes of
the problem.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/tmnullever.zip

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
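The advisory does not disclose the triggering command, and the example below does not reproduce it. It is an added illustration of the bug class the advisory describes, written for this page and not taken from the PoC or from Nadeo's code: a client-side message handler that assumes a per-peer structure has already been set up by an earlier message (here a hypothetical JOIN) and dereferences it unconditionally when a later message (a hypothetical CHAT) arrives. A peer that sends the second message first makes every client that processes it read through a NULL pointer. The hardened handler beside it enforces the expected ordering and drops the out-of-order message instead. All structure and message names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the bug class only: these structures and message
 * types are invented for the example and are not TrackMania's protocol. */

enum { MSG_JOIN = 1, MSG_CHAT = 2 };

typedef struct {
    int  type;
    char text[32];
} msg_t;

typedef struct {
    char name[32];
} peer_t;

typedef struct {
    peer_t *peer;          /* only assigned once a JOIN has been processed */
    peer_t  storage;
    char    last_line[80]; /* last rendered chat line, for inspection */
} client_t;

/* Vulnerable handler: CHAT is assumed to follow JOIN, so c->peer is
 * dereferenced unconditionally. A peer that sends CHAT before JOIN makes
 * every client running this code read through a NULL pointer and crash. */
int handle_vulnerable(client_t *c, const msg_t *m)
{
    if (m->type == MSG_JOIN) {
        c->peer = &c->storage;
        snprintf(c->peer->name, sizeof c->peer->name, "%s", m->text);
        return 0;
    }
    if (m->type == MSG_CHAT) {
        snprintf(c->last_line, sizeof c->last_line, "%s: %s",
                 c->peer->name, m->text);     /* NULL deref if no JOIN yet */
        return 0;
    }
    return -1;
}

/* Hardened handler: the message ordering is enforced; a message that needs
 * state that has not been initialised is rejected rather than dereferenced. */
int handle_hardened(client_t *c, const msg_t *m)
{
    if (m->type == MSG_JOIN) {
        c->peer = &c->storage;
        snprintf(c->peer->name, sizeof c->peer->name, "%s", m->text);
        return 0;
    }
    if (m->type == MSG_CHAT) {
        if (c->peer == NULL)
            return -2;                        /* out of order: drop it */
        snprintf(c->last_line, sizeof c->last_line, "%s: %s",
                 c->peer->name, m->text);
        return 0;
    }
    return -1;
}

/* Feed a message sequence to a handler starting from a fresh client state.
 * Returns the first non-zero handler result, or 0 if all were accepted. */
int replay(int (*handler)(client_t *, const msg_t *), client_t *c,
           const msg_t *seq, size_t n)
{
    memset(c, 0, sizeof *c);   /* peer starts out NULL, as on a fresh join */
    for (size_t i = 0; i < n; i++) {
        int r = handler(c, &seq[i]);
        if (r != 0)
            return r;
    }
    return 0;
}

/* Constructed sequences: a benign peer joins and then talks; the attacker
 * talks before joining. */
static const msg_t benign[]   = { { MSG_JOIN, "alice" },   { MSG_CHAT, "hi" } };
static const msg_t attacker[] = { { MSG_CHAT, "boom" },    { MSG_JOIN, "mallory" } };

static client_t g_client;

int main(void)
{
    printf("vulnerable, benign order:  %d (%s)\n",
           replay(handle_vulnerable, &g_client, benign, 2), g_client.last_line);
    printf("hardened,   attacker order: %d (message dropped)\n",
           replay(handle_hardened, &g_client, attacker, 2));
    /* replay(handle_vulnerable, &g_client, attacker, 2) would crash here. */
    return 0;
}
```

The check that matters is the one in handle_hardened: any state that is only populated by an earlier message must be tested before use, because the peer controls the order in which its messages arrive. In a game client the same reasoning applies to every per-player structure that is created on join and consumed by later in-game commands.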