Buffer overflow in the ulSetError function in util/ulError.cxx in PLIB 1.8.5, as used in TORCS 1.3.1 and other products, allows user-assisted remote attackers to execute arbitrary code via vectors involving a long error message, as demonstrated by a crafted acc file for TORCS. NOTE: some of these details are obtained from third party information.
PLIB 1.8.5, as bundled with TORCS 1.3.1 and other applications, contains a buffer overflow in the ulSetError function. An attacker who can get a victim to open a crafted data file (the known demonstration is a malicious .acc model file for TORCS) can cause the application to format an over-long error message into a fixed-size buffer and corrupt adjacent memory, which can lead to arbitrary code execution with the privileges of the user running the application. The attack is user-assisted: the victim has to load the crafted file.
Step 1: Payload Delivery: The attacker crafts a malicious input file (e.g., an .acc file for TORCS) in which a field that the loader will echo back in an error message is made far longer than the error buffer.
Step 2: Input Processing: The victim loads the crafted file in the vulnerable application (e.g., TORCS), which parses it with PLIB.
Step 3: Error Trigger: The parser hits the malformed field and calls ulSetError with a format string and the attacker-controlled, over-long value as an argument.
Step 4: Buffer Overflow: ulSetError formats the message into a fixed-size buffer with no bound on the write, so the buffer is sized for a normal message, not for the attacker's input.
Step 5: Memory Corruption: Bytes past the end of the buffer overwrite whatever follows it in memory. The description above treats this as a stack buffer, in which case saved control data such as the return address is in reach; if the buffer is a static global, the overwrite lands on adjacent global data instead.
Step 6: Code Execution: Once control data or a later-used pointer has been overwritten with attacker-chosen values, execution can be redirected to attacker-controlled code, giving arbitrary code execution as the user who opened the file.
The flaw is in the ulSetError function in util/ulError.cxx of PLIB 1.8.5, the library's central error-reporting routine. Callers pass it a printf-style format and arguments, and it formats the result into a fixed-size message buffer. The root cause is that the formatting step is not bounded by the buffer size: the function never checks how long the expanded message will be before writing it, so a long value supplied through a crafted input file (an .acc file, in the TORCS case) is copied past the end of the buffer. Because the overwritten bytes are attacker-controlled, they can be aimed at control data (the return address, if the buffer is on the stack, or pointers and state stored next to a static buffer) to redirect execution. The fix is the standard one for this class of bug: format with a length-bounded call such as vsnprintf and treat truncation as an error condition rather than assuming the message fits.
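The following is an added example, not code from PLIB or TORCS, showing the unbounded formatting pattern described in the steps above next to a bounded replacement, plus a pre-flight check that reports whether a given message would have overflowed without actually performing the unsafe write. The buffer size, the message format string, the function names and the model loader are all assumptions for illustration; they are not quotations from util/ulError.cxx.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Assumed size for illustration; PLIB's real constant is not quoted here. */
#define ERROR_BUFFER_LENGTH 1024

static char error_buffer[ERROR_BUFFER_LENGTH];

/* Vulnerable pattern: vsprintf has no idea how large error_buffer is, so a
 * long argument writes past its end. Only ever called here with a short,
 * constant message; calling it with attacker input is undefined behaviour. */
static void set_error_unsafe(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsprintf(error_buffer, fmt, ap);   /* writes strlen(result)+1 bytes, bounded or not */
    va_end(ap);
}

/* Hardened pattern: vsnprintf bounds the write and returns the length the
 * full message would have had, so truncation is detectable. Returns that
 * length, or -1 on a formatting error. */
static int set_error_safe(const char *fmt, ...)
{
    va_list ap;
    int needed;
    va_start(ap, fmt);
    needed = vsnprintf(error_buffer, sizeof error_buffer, fmt, ap);
    va_end(ap);
    if (needed < 0) {
        error_buffer[0] = '\0';
        return -1;
    }
    if ((size_t)needed >= sizeof error_buffer) {
        /* mark the message as cut so whoever reads it does not trust it as complete */
        memcpy(error_buffer + sizeof error_buffer - 4, "...", 4);
    }
    return needed;
}

/* Pre-flight check: would this message exceed the buffer? Models what the
 * unsafe variant would do without executing the overflowing write. */
static int would_overflow(const char *fmt, ...)
{
    va_list ap;
    int needed;
    va_start(ap, fmt);
    needed = vsnprintf(NULL, 0, fmt, ap);   /* C99: size 0 just measures */
    va_end(ap);
    return needed < 0 || (size_t)needed >= sizeof error_buffer;
}

/* Hypothetical loader step: an unrecognised token from the input file is
 * echoed back in the error text, so the attacker controls its length. */
static int load_token(const char *token)
{
    /* constructed message text; not the real TORCS/PLIB wording */
    return set_error_safe("unexpected token '%s' in acc file", token);
}

static const char *current_error(void) { return error_buffer; }

/* Constructed hostile input: a token several times longer than the buffer. */
static const char *long_token(void)
{
    static char tok[3000];
    memset(tok, 'A', sizeof tok - 1);
    tok[sizeof tok - 1] = '\0';
    return tok;
}

int main(void)
{
    set_error_unsafe("%s", "startup ok");          /* safe only because the input is fixed */
    printf("unsafe call with constant input: %s\n", current_error());
    printf("long token would overflow: %d\n", would_overflow("unexpected token '%s' in acc file", long_token()));
    printf("bounded call needed %d bytes, stored %zu\n", load_token(long_token()), strlen(current_error()));
    return 0;
}
```

The return value of the bounded call is the signal to act on: a caller that sees it exceed the buffer size knows the input was hostile or malformed and can reject the file rather than carry on with a silently truncated message.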