Medal of Honor remote buffer-overflow

From: Luigi Auriemma (aluigi_at_autistici.org)
Date: 07/17/04

    Date: Sat, 17 Jul 2004 16:57:33 +0000
    To: bugtraq@securityfocus.com, bugs@securitytracker.com, news@securiteam.com, full-disclosure@lists.netsys.com
    
    

    #######################################################################

                                 Luigi Auriemma

    Application: Medal of Honor
                  http://mohaa.ea.com
    Versions: Allied Assault <= 1.11v9
                  Breakthrough <= 2.40b
                  Spearhead <= 2.15
    Platforms: Windows and Linux
    Bug: buffer overflow
    Risk: critical
    Exploitation: remote, versus server
                  (clients are vulnerable only on a LAN)
    Date: 17 July 2004
    Author: Luigi Auriemma
                  e-mail: aluigi@altervista.org
                  web: http://aluigi.altervista.org

    #######################################################################

    1) Introduction
    2) Bug
    3) The Code
    4) Fix

    #######################################################################

    ===============
    1) Introduction
    ===============

    Medal of Honor is a well-known military FPS set in World War II.
    It was developed by 2015 (http://www.2015.com) and originally released
    at the beginning of 2002; expansion packs have been released since.

    #######################################################################

    ======
    2) Bug
    ======

    The problem is a classic buffer overflow present in several parts of
    the game code. The first vulnerable function is the query/reply
    handler: it checks for slashes and NUL bytes but does not check the
    size of the values before copying them into a new buffer.

    In the Allied Assault 1.11v9 dedicated server for Win32 we can see the
    first bugged function at offset 0x00428f20; its return address
    (0x00429291) is overwritten by the client's data if it contains a value
    of 520 bytes or more (1032 on the Linux version).

    The overflowing data can be carried in many packet types: in the
    "getinfo" query, in the "connect" packet and in others.
    The most dangerous vector is the getinfo query, because it is a single
    UDP packet that the server cannot block and whose source address the
    attacker can also spoof.

    Naturally clients are vulnerable too, but the bugged function is used
    only for LAN queries; online, clients use the standard Gamespy
    protocol, which is not vulnerable.
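    The vulnerable pattern described above, side by side with a bounded
    copy and a datagram check, as an added example written for this page:
    it is not code from the advisory, from the PoC, from 2015 or from EA.
    Everything beyond what the advisory states is an assumption: that the
    value separator is a backslash, that the fixed buffer is exactly 520
    bytes on Win32 and 1032 on Linux, and that a getinfo datagram starts
    with four 0xff bytes followed by "getinfo ". The sample packet is
    constructed inline.

```c
/* Added example, not code from the advisory or from the game.  It models the
 * bug class described in section 2: a key/value parser that stops a value at
 * a slash or NUL byte but never checks its length before copying it into a
 * fixed-size buffer.  Assumed (not stated by the advisory): backslash as the
 * separator, a buffer of exactly 520 bytes on Win32 / 1032 on Linux, and a
 * getinfo datagram of four 0xff bytes followed by "getinfo ".
 * Build: cc -Wall -o mohbof mohbof.c */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define VALUE_BUF_WIN32 520   /* advisory: >= 520 bytes overwrites the return address */
#define VALUE_BUF_LINUX 1032  /* advisory: 1032 bytes on the Linux server */
#define VALUE_SEP       '\\'  /* assumed separator */

/* Constructed datagram header (assumed format). */
static const char GETINFO_HDR[] = "\xff\xff\xff\xffgetinfo ";
#define GETINFO_HDRLEN (sizeof GETINFO_HDR - 1)

/* Vulnerable pattern: stops at the separator or NUL and never counts bytes.
 * Kept only for contrast; never call it on untrusted input. */
void copy_value_unchecked(char *dst, const char *src)
{
    while (*src != '\0' && *src != VALUE_SEP)
        *dst++ = *src++;
    *dst = '\0';
}

/* Hardened form: same scan, but refuses a value that does not fit in dst
 * together with its terminating NUL.  Returns the copied length, or -1 when
 * the value is too long (reject rather than silently truncate, so the caller
 * can drop the packet). */
long copy_value_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    while (src[n] != '\0' && src[n] != VALUE_SEP) {
        if (n + 1 >= dstsz)
            return -1;
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return (long)n;
}

/* Detection for a packet filter or IDS rule: 1 if any separator- or
 * NUL-delimited field in the datagram is `limit` bytes or longer.  Works on
 * raw bytes, so a field that runs to the end of the datagram is counted. */
int packet_has_oversized_value(const unsigned char *pkt, size_t len, size_t limit)
{
    size_t field = 0;
    for (size_t i = 0; i < len; i++) {
        if (pkt[i] == '\0' || pkt[i] == (unsigned char)VALUE_SEP) {
            field = 0;
            continue;
        }
        if (++field >= limit)
            return 1;
    }
    return 0;
}

/* Constructed getinfo datagram: header, then a value of `valuelen` 'A' bytes.
 * A NUL is written after the value so the buffer can also be handed to the
 * string-based copy functions; it is not part of the returned length.
 * Returns 0 if the packet does not fit in `out`. */
size_t build_getinfo(unsigned char *out, size_t outsz, size_t valuelen)
{
    if (GETINFO_HDRLEN + valuelen + 1 > outsz)
        return 0;
    memcpy(out, GETINFO_HDR, GETINFO_HDRLEN);
    memset(out + GETINFO_HDRLEN, 'A', valuelen);
    out[GETINFO_HDRLEN + valuelen] = '\0';
    return GETINFO_HDRLEN + valuelen;
}

/* Run the detector over a getinfo packet whose value is `valuelen` bytes,
 * against the threshold `limit`; -1 if the packet cannot be built. */
int getinfo_is_oversized(size_t valuelen, size_t limit)
{
    unsigned char pkt[2048];
    size_t n = build_getinfo(pkt, sizeof pkt, valuelen);
    if (n == 0)
        return -1;
    return packet_has_oversized_value(pkt, n, limit);
}

/* Feed the value of such a packet to the bounded copy with a Win32-sized
 * buffer: the copied length, or -1 when the hardened copy rejects it. */
long getinfo_bounded_copy(size_t valuelen)
{
    unsigned char pkt[2048];
    char buf[VALUE_BUF_WIN32];
    size_t n = build_getinfo(pkt, sizeof pkt, valuelen);
    if (n == 0)
        return -1;
    return copy_value_bounded(buf, sizeof buf, (const char *)pkt + GETINFO_HDRLEN);
}

int main(void)
{
    printf("16-byte value : flagged=%d copied=%ld\n",
           getinfo_is_oversized(16, VALUE_BUF_WIN32), getinfo_bounded_copy(16));
    printf("600-byte value: flagged=%d copied=%ld\n",
           getinfo_is_oversized(600, VALUE_BUF_WIN32), getinfo_bounded_copy(600));
    printf("600-byte value vs Linux threshold: flagged=%d\n",
           getinfo_is_oversized(600, VALUE_BUF_LINUX));
    return 0;
}
```

    A 16-byte value passes both checks; a 600-byte value is flagged
    against the Win32 threshold and rejected by the bounded copy, but is
    still below the Linux threshold, so a filter in front of servers it
    cannot tell apart should use the lower figure. Since getinfo is a
    single spoofable UDP datagram, the check has to look at the payload:
    the source address proves nothing.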

    #######################################################################

    ===========
    3) The Code
    ===========

    http://aluigi.altervista.org/poc/mohaabof.zip

    #######################################################################

    ======
    4) Fix
    ======

    No fix.
    The developers at 2015 were notified on 1 July 2004, but support for
    the game is in the hands of Electronic Arts (I'm still waiting for a
    patch, or at least an answer from EA, about the buffer overflow in Need
    for Speed Hot Pursuit 2 reported many months ago...).

    However, I have developed a universal patch that can be applied to any
    version, game and type of server/client (dedicated or normal, with the
    only requirement that the executable of the normal version must
    naturally be decrypted, aka No-CD), because fortunately the part of
    code to modify is always exactly the same.
    At the moment my patch is available only for the Win32 executables, not
    for Linux:

      http://aluigi.altervista.org/patches/mohaaboffix.zip

    All the details about the fix are in the text file inside the package.
    The original bugged function contains a lot of slow code, so I have
    optimized it to gain the space for placing my patched code, and I have
    also saved 38 bytes.

    #######################################################################

    ---
    Luigi Auriemma
    http://aluigi.altervista.org

