[NT] Medal of Honor Remote Buffer Overflow

From: SecuriTeam (support_at_securiteam.com)
Date: 07/22/04

    To: list@securiteam.com
    Date: 22 Jul 2004 18:06:25 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Medal of Honor Remote Buffer Overflow
    ------------------------------------------------------------------------

    SUMMARY

    Medal of Honor is a well-known military first-person shooter set in World
    War II. It was developed by 2015 (http://www.2015.com) and originally
    released at the beginning of 2002; several expansion packs have been
    released since then.

    The Medal of Honor game engine contains several code paths that are
    vulnerable to buffer overflows, caused by insufficient length checks on
    network input in the engine code.

    DETAILS

    Vulnerable Systems:
     * Medal of Honor Allied Assault version 1.11b9 and prior
     * Medal of Honor Breakthrough version 2.40b
     * Medal of Honor Spearhead version 2.15

    There are many instances of buffer overflows due to inadequate size checks
    on input arriving in packets. The first noticeable vulnerable code is the
    handler for queries and replies, where metacharacters such as NUL bytes and
    slashes are filtered out of the incoming data. That code performs no size
    check on the data it copies, so a carefully crafted packet triggers a
    classic buffer overflow.

    For example, in the Win32 version of the Allied Assault dedicated server
    the vulnerable function is at offset 0x00428f20, and its normal return
    address (0x00429291) is overwritten with client-supplied data when the
    size of the data exceeds 520 bytes. About 1032 bytes are required for the
    Linux version of the server.
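    To illustrate the flaw described above, the following is an added example (not the engine's code, and not taken from the proof of concept): a hypothetical reconstruction of a metacharacter-stripping loop that copies into a fixed 520-byte buffer without a bound, placed beside a bounded variant that rejects oversized packets instead of overflowing. The buffer size is the advisory's Win32 figure; the filtered characters and the packet contents are constructed assumptions.

```c
#include <stddef.h>
#include <string.h>

#define QUERY_BUF 520   /* stack buffer size taken from the advisory's Win32 figure */

/* Pattern the advisory describes (hypothetical reconstruction): NUL bytes and
   slashes are dropped while copying, but the output index is never bounded, so
   a packet larger than the destination overwrites whatever follows it. */
static void sanitize_query_unchecked(const unsigned char *in, size_t inlen,
                                     char *out)
{
    size_t o = 0;
    for (size_t i = 0; i < inlen; i++) {
        unsigned char c = in[i];
        if (c == '\0' || c == '/' || c == '\\')
            continue;          /* strip metacharacters */
        out[o++] = (char)c;    /* no check against the destination size */
    }
    out[o] = '\0';
}

/* Bounded variant: same filtering, but the copy stops before the buffer is
   full. Returns the number of bytes written, or -1 if the packet does not fit. */
static int sanitize_query_bounded(const unsigned char *in, size_t inlen,
                                  char *out, size_t outcap)
{
    size_t o = 0;
    for (size_t i = 0; i < inlen; i++) {
        unsigned char c = in[i];
        if (c == '\0' || c == '/' || c == '\\')
            continue;
        if (o + 1 >= outcap)   /* leave room for the terminator */
            return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

/* Query handler built on the bounded filter (constructed example).
   Returns 0 when the query was accepted, -1 when it was dropped as oversized. */
static int handle_query(const unsigned char *pkt, size_t len)
{
    char query[QUERY_BUF];
    if (sanitize_query_bounded(pkt, len, query, sizeof query) < 0)
        return -1;             /* drop and log instead of overflowing */
    return 0;                  /* dispatch on query[] would follow here */
}
```

    A server-side check of this kind is the minimal mitigation; dropping and logging query packets that exceed the buffer size also gives operators a simple detection signal.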

    The malicious data can be delivered to the server through many types of
    queries, and hence many types of packets. The easiest to use are the
    "getinfo" and "connect" packet types: a "getinfo" query consists of a
    single UDP packet, so it is easy to forge and the server cannot block it.
    Note that game clients are also vulnerable, but only on the LAN segment,
    where UDP is used most often.

    Across the Internet, clients are not vulnerable because they use the
    GameSpy protocol; the servers, however, are vulnerable. Proof-of-concept
    code can be downloaded from http://aluigi.altervista.org/poc/mohaabof.zip.

    ADDITIONAL INFORMATION

    The information has been provided by Luigi Auriemma (aluigi@autistici.org).


