SecurityTracker.com
Category:   Application (Game)  >   Need for Speed Hot Pursuit 2 Vendors:   Electronic Arts
'Need for Speed Hot Pursuit 2' Buffer Overflow Lets Remote Servers Execute Arbitrary Code
SecurityTracker Alert ID:  1008824
SecurityTracker URL:  http://securitytracker.com/id/1008824
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 22 2004
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 242 and prior versions
Description:   A buffer overflow vulnerability was reported in the 'Need for Speed Hot Pursuit 2' game client. A remote server can cause arbitrary code to be executed on a connected client.

Luigi Auriemma reported that a remote server can respond to a connected client with a specially crafted string to trigger a buffer overflow. The following parameters are reportedly affected: gamename, gamever, hostname, gametype, mapname, and gamemode.

Some demonstration exploit code is available at:

http://aluigi.altervista.org/poc/nfshp2cbof.zip

Impact:   A remote server can cause arbitrary code to be executed on the target client when the client connects to the server.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.eagames.com/pccd/nfshp2/home.jsp
Cause:   Boundary error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Need for Speed Hot pursuit 2 <= 242 client's buffer overflow



#######################################################################

                             Luigi Auriemma

Application:  Need for Speed Hot Pursuit 2
              http://www.eagames.com/pccd/nfshp2/home.jsp
Versions:     <= 242
Platforms:    Windows
Bug:          client's buffer-overflow
Risk:         critical
Exploitation: remote
Date:         22 Jan 2004
Author:       Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Need for Speed Hot Pursuit 2 (NFSHP2) is a nice racing game developed
by Blackboxgames (http://www.blackboxgames.com).
Who doesn't know the Need for Speed saga???


#######################################################################

======
2) Bug
======


The NFSHP2 client is vulnerable to a buffer-overflow caused by an
overly long string in the information sent back by the server.
The information queries are made automatically by each client that
enters the Multiplayer screen of the game; in fact each packet will
be sent to all the servers found in the master server's list and then
the clients will wait for the replies.

The problem is just in these answers and exactly in the values after
the following parameters:
gamename, gamever, hostname, gametype, mapname and gamemode

The following is one of the vulnerable pieces of code permitting the
buffer-overflow, coming directly from the decoded NFSHP2 242 exe:

:0050558D 6814206E00              push 006E2014
:00505592 6800E86900              push 0069E800 ("mapname")
:00505597 56                      push esi
:00505598 E873930000              call 0050E910
:0050559D 83C40C                  add esp, 0000000C
:005055A0 8D9344010000            lea edx, dword[ebx+00000144]
:005055A6 8A08                    mov cl, byte[eax]
:005055A8 40                      inc eax
:005055A9 880A                    mov byte[edx], cl
:005055AB 42                      inc edx
:005055AC 84C9                    test cl, cl
:005055AE 75F6                    jne 005055A6

Simple explanation:
- the code searches for the string "mapname" in the packet
- it starts to copy the value after "mapname" to a new, smaller buffer

As said before, the clients automatically request information from the
servers, meaning that if at least one malicious fake server exists,
nobody will be able to play online and moreover the attacker has the
possibility to execute malicious code or take control of all the
existing clients.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/nfshp2cbof.zip


#######################################################################

======
4) Fix
======


No fix.

Unfortunately (as noted by other researchers in the past) Electronic
Arts has incredibly bad support: there are no e-mail addresses for
bug reports and the web form (the only way) is completely useless.
I have also repeatedly tried to directly contact the tech support and
some of the developers of Blackboxgames (surfing on Google and finding
e-mail addresses) but I have never received a reply.

Time doesn't fix bugs, people do.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org
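The following is an added example, not code from the advisory or from the game: a C model of the copy loop shown in the disassembly above (copy until NUL, no bound), beside a bounded parser that refuses a value that would not fit. The "\key\value" packet layout, the 32-byte field size, the sample packets and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define MAPNAME_MAX 32   /* assumed size of the client's mapname field */

/* Constructed sample replies: the second carries a 40-byte mapname. */
static const char PKT_OK[]  = "\\gamename\\nfshp2\\mapname\\Alpine\\gamemode\\race";
static const char PKT_BAD[] = "\\gamename\\nfshp2\\mapname\\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
static char g_field[MAPNAME_MAX];   /* stands in for the buffer at ebx+0x144 */
static char g_scratch[256];         /* large enough for the unbounded copy */

/* Return the value after `key` in a "\key\value\..." packet (assumed layout),
 * or NULL if the key is absent. Plays the role of the call at 0050E910. */
const char *find_param(const char *pkt, const char *key)
{
    size_t klen = strlen(key);
    const char *p = pkt;
    while ((p = strchr(p, '\\')) != NULL) {
        p++;
        if (strncmp(p, key, klen) == 0 && p[klen] == '\\')
            return p + klen + 1;
    }
    return NULL;
}

/* The disassembled loop: copy until NUL with no bound. Returns bytes written,
 * a number chosen by the server, not the client. Shown for contrast only. */
size_t copy_like_client(char *dst, const char *src)
{
    size_t n = 0;
    do { dst[n] = src[n]; } while (src[n++] != '\0');
    return n;
}

/* Bounded replacement: 0 on success, -1 if key missing, -2 if the value
 * would not fit in dst (dstsz bytes including the terminator). */
int get_param_bounded(const char *pkt, const char *key, char *dst, size_t dstsz)
{
    const char *v = find_param(pkt, key);
    if (!v) return -1;
    const char *end = strchr(v, '\\');           /* value ends at next '\' */
    size_t n = end ? (size_t)(end - v) : strlen(v);
    if (n >= dstsz) return -2;   /* reject rather than truncate silently */
    memcpy(dst, v, n);
    dst[n] = '\0';
    return 0;
}
```

With PKT_BAD the client-style loop writes 41 bytes into a field that holds 32; the bounded version returns -2 and leaves the field untouched.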

Copyright 2019, SecurityGlobal.net LLC