SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Game)  >   Medal of Honor Vendors:   Electronic Arts
EA Games Medal of Honor Has Buffer Overflow in 'connect' Packet That Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1010725
SecurityTracker URL:  http://securitytracker.com/id/1010725
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jul 17 2004
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): Allied Assault 1.11v9 and prior; Breakthrough 2.40b and prior; Spearhead 2.15 and prior
Description:   Luigi Auriemma reported a buffer overflow vulnerability in the Medal of Honor and related game software. A remote user can execute arbitrary code on the target system.

It is reported that a remote user can send a specially crafted packet to the target server to trigger a buffer overflow in the code that checks for slash characters and null bytes.

According to the report, many different packet types can be used to trigger an overflow. One packet type is the 'connect' packet where the 'getinfo' value can specify arbitrary code. The overflow can be triggered in a single UDP packet, which can be spoofed.

A demonstration exploit is available at:

http://aluigi.altervista.org/poc/mohaabof.zip

Impact:   A remote user can execute arbitrary code on the target system.
Solution:   No solution was available at the time of this entry.

The author of the report has provided an unofficial patch for Windows-based platforms, available at:

http://aluigi.altervista.org/patches/mohaaboffix.zip

Vendor URL:  www.eagames.com/official/moh/alliedassault/us/home.jsp (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Medal of Honor remote buffer-overflow



#######################################################################

                             Luigi Auriemma

Application:  Medal of Honor
              http://mohaa.ea.com
Versions:     Allied Assault <= 1.11v9
              Breakthrough   <= 2.40b
              Spearhead      <= 2.15
Platforms:    Windows and Linux
Bug:          buffer overflow
Risk:         critical
Exploitation: remote, versus server
              (clients are vulnerables only in LAN)
Date:         17 July 2004
Author:       Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Medal of Honor is a famous military FPS game located in the World War
II.
It has been developed by 2015 (http://www.2015.com) and was originally
released at the beginning of 2002 but other expansion packs have been
released later.


#######################################################################

======
2) Bug
======


The problem is a classical buffer-overflow located in different parts
of the game code, but the first function vulnerable is the manager of
the queries/replies that checks for slashs and NULL bytes but doesn\\\'t
check the size of the values before copying them in a new buffer.

In Allied Assault 1.11v9 dedicated server for Win32 we can see the
first bugged function at offset 0x00428f20 where the return address
(0x00429291) is overwritten by the client\\\'s data if it contains a value
of 520 bytes or more (1032 on the Linux version).

The data causing the overflow can be used in a lot of packet types, in
fact it can be in the \\\"getinfo\\\" query, in the \\\"connect\\\" packet and in
others.
The most dangerous method to exploit this vulnerability is through the
getinfo query because it is a single UDP packet that the server cannot
block and the attacker can also spoof it.

Naturally also clients are vulnerables but the bugged function is used
only for LAN queries, in fact online the clients use the standard
Gamespy protocol that is not vulnerable.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/mohaabof.zip


#######################################################################

======
4) Fix
======


No fix.
Developers at 2015 have been noticed the 1 July 2004 but the support of
the game is in the hands of Electronic Arts (I\\\'m still waiting a patch
or at least an answer from EA about the buffer-overflow in Need for
Speed Hot Pursuit 2 noticed tons of months ago...).

However I have developed an universal patch that can be applied to any
version, game and type of server/client (dedicated or normal, with the
only requirement that naturally the executable of the normal version
must be decrypted, aka No-CD) because fortunately the part of code to
modify is ever exactly the same.
Actually my patch is available only for the Win32 executables, not for
Linux:

  http://aluigi.altervista.org/patches/mohaaboffix.zip

All the details about the fix are in the text file inside the package
however the original bugged function contains a lot of slow code so I
have optimized it for gaining the space where placing my patched code
and I have also saved 38 bytes.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC