Fw: Medal of Honor remote buffer-overflow

MoRPHeUs mohaa-icculus.maks3w at virtualplanets.net
Sun Jul 18 14:36:02 EDT 2004


----- Original Message ----- 
From: "Luigi Auriemma" <aluigi at autistici.org>
To: <bugtraq at securityfocus.com>; <bugs at securitytracker.com>;
<news at securiteam.com>; <full-disclosure at lists.netsys.com>
Sent: Saturday, July 17, 2004 6:57 PM
Subject: Medal of Honor remote buffer-overflow


>
> #######################################################################
>
>                              Luigi Auriemma
>
> Application:  Medal of Honor
>               http://mohaa.ea.com
> Versions:     Allied Assault <= 1.11v9
>               Breakthrough   <= 2.40b
>               Spearhead      <= 2.15
> Platforms:    Windows and Linux
> Bug:          buffer overflow
> Risk:         critical
> Exploitation: remote, versus server
>               (clients are vulnerable only on LAN)
> Date:         17 July 2004
> Author:       Luigi Auriemma
>               e-mail: aluigi at altervista.org
>               web:    http://aluigi.altervista.org
>
>
> #######################################################################
>
>
> 1) Introduction
> 2) Bug
> 3) The Code
> 4) Fix
>
>
> #######################################################################
>
> ===============
> 1) Introduction
> ===============
>
>
> Medal of Honor is a famous military FPS game set in World War II.
> It was developed by 2015 (http://www.2015.com) and was originally
> released at the beginning of 2002, but several expansion packs have
> been released since.
>
>
> #######################################################################
>
> ======
> 2) Bug
> ======
>
>
> The problem is a classical buffer-overflow located in different parts
> of the game code, but the first vulnerable function is the manager of
> the queries/replies, which checks for slashes and NULL bytes but doesn't
> check the size of the values before copying them into a new buffer.
>
> In Allied Assault 1.11v9 dedicated server for Win32 we can see the
> first bugged function at offset 0x00428f20 where the return address
> (0x00429291) is overwritten by the client's data if it contains a value
> of 520 bytes or more (1032 on the Linux version).
>
> The data causing the overflow can be used in a lot of packet types, in
> fact it can be in the "getinfo" query, in the "connect" packet and in
> others.
> The most dangerous method to exploit this vulnerability is through the
> getinfo query because it is a single UDP packet that the server cannot
> block and the attacker can also spoof it.
>
> Naturally clients are also vulnerable, but the bugged function is used
> only for LAN queries; online, the clients use the standard Gamespy
> protocol, which is not vulnerable.
>
>
> #######################################################################
>
> ===========
> 3) The Code
> ===========
>
>
> http://aluigi.altervista.org/poc/mohaabof.zip
>
>
> #######################################################################
>
> ======
> 4) Fix
> ======
>
>
> No fix.
> Developers at 2015 were notified on 1 July 2004, but the support of
> the game is in the hands of Electronic Arts (I'm still waiting for a
> patch or at least an answer from EA about the buffer-overflow in Need
> for Speed Hot Pursuit 2, reported many months ago...).
>
> However I have developed a universal patch that can be applied to any
> version, game and type of server/client (dedicated or normal, with the
> only requirement that naturally the executable of the normal version
> must be decrypted, aka No-CD) because fortunately the part of code to
> modify is always exactly the same.
> Currently my patch is available only for the Win32 executables, not for
> Linux:
>
>   http://aluigi.altervista.org/patches/mohaaboffix.zip
>
> All the details about the fix are in the text file inside the package;
> however, the original bugged function contains a lot of slow code, so I
> have optimized it to gain the space to place my patched code, and I
> have also saved 38 bytes.
>
>
> #######################################################################
>
>
> --- 
> Luigi Auriemma
> http://aluigi.altervista.org
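The advisory's root cause is a query/reply handler that validates the characters of a "\key\value" infostring but never its length before copying a value into a fixed-size buffer. The following C program is an added illustration, not code from the advisory, from the game, or from Luigi Auriemma's patch: it shows what a bounded version of such a handler looks like, rejecting (rather than truncating) any value that would not fit, and rejecting datagrams that carry an embedded NUL. The MAX_INFO_VALUE limit of 128 bytes, the sample query, the rejected characters (';' and '"', borrowed from the Quake-style infostring convention) and the demo_* helper names are all assumptions made for this example; the page gives only the 520/1032-byte overflow thresholds, not the game's real buffer sizes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed per-value limit for this example; the advisory gives only the
 * overflow thresholds (520 bytes on Win32, 1032 on Linux), not the real
 * buffer sizes inside the game. */
#define MAX_INFO_VALUE 128

enum info_result {
    INFO_OK = 0,        /* value copied into out, NUL-terminated */
    INFO_MISSING = 1,   /* key absent or has no value */
    INFO_BAD_CHAR = 2,  /* NUL byte or other disallowed character */
    INFO_TOO_LONG = 3   /* value would not fit: rejected, not truncated */
};

/* Extract the value of `key` from a Quake-style infostring
 * "\key\value\key\value" carried in a datagram of explicit length.
 * Unlike the bugged handler the advisory describes, which validated
 * characters but not length, this checks both before any copy. */
enum info_result info_value_for_key(const unsigned char *pkt, size_t pktlen,
                                    const char *key, char *out, size_t outsz)
{
    size_t klen = strlen(key);
    size_t i = 0;

    if (outsz == 0)
        return INFO_TOO_LONG;
    out[0] = '\0';

    /* A NUL inside the datagram would silently shorten any later
     * strlen()-based handling; treat the whole packet as malformed. */
    if (memchr(pkt, '\0', pktlen) != NULL)
        return INFO_BAD_CHAR;

    while (i < pktlen && pkt[i] == '\\') {
        size_t kstart = ++i;
        while (i < pktlen && pkt[i] != '\\')
            i++;
        if (i >= pktlen)
            return INFO_MISSING;            /* key with no value */
        size_t kl = i - kstart;

        size_t vstart = ++i;
        while (i < pktlen && pkt[i] != '\\')
            i++;
        size_t vl = i - vstart;

        if (kl == klen && memcmp(pkt + kstart, key, klen) == 0) {
            /* Length check first: vl >= outsz leaves no room for the NUL. */
            if (vl > MAX_INFO_VALUE || vl >= outsz)
                return INFO_TOO_LONG;
            for (size_t j = 0; j < vl; j++) {
                unsigned char c = pkt[vstart + j];
                if (c < 0x20 || c == ';' || c == '"')
                    return INFO_BAD_CHAR;
            }
            memcpy(out, pkt + vstart, vl);
            out[vl] = '\0';
            return INFO_OK;
        }
    }
    return INFO_MISSING;
}

/* Constructed sample: a well-formed getinfo-style query (not a real capture). */
static const char SAMPLE_QUERY[] = "\\challenge\\12345\\protocol\\8";

/* Returns 1 if the "challenge" value parses OK and equals `expect`. */
int demo_normal_matches(const char *expect)
{
    char out[MAX_INFO_VALUE + 1];
    int r = info_value_for_key((const unsigned char *)SAMPLE_QUERY,
                               sizeof(SAMPLE_QUERY) - 1, "challenge",
                               out, sizeof out);
    return r == INFO_OK && strcmp(out, expect) == 0;
}

/* Builds a query whose value is `vlen` bytes of 'A' (the shape of the
 * oversized input the advisory describes) and returns the parser's verdict. */
int demo_oversized(size_t vlen)
{
    char out[MAX_INFO_VALUE + 1];
    size_t len = 11 + vlen;              /* strlen("\\challenge\\") == 11 */
    unsigned char *pkt = malloc(len);
    int r;
    if (!pkt)
        return -1;
    memcpy(pkt, "\\challenge\\", 11);
    memset(pkt + 11, 'A', vlen);
    r = info_value_for_key(pkt, len, "challenge", out, sizeof out);
    free(pkt);
    return r;
}

/* A datagram with an embedded NUL is rejected as a whole. */
int demo_embedded_nul(void)
{
    static const unsigned char pkt[] = "\\challenge\\ab\0cd";
    char out[MAX_INFO_VALUE + 1];
    return info_value_for_key(pkt, sizeof(pkt) - 1, "challenge", out, sizeof out);
}

int main(void)
{
    printf("normal value ok: %d\n", demo_normal_matches("12345"));
    printf("600-byte value:  %d (3 = INFO_TOO_LONG)\n", demo_oversized(600));
    printf("embedded NUL:    %d (2 = INFO_BAD_CHAR)\n", demo_embedded_nul());
    return 0;
}
```

The point of carrying the explicit datagram length through the parser is that a UDP handler never has a trustworthy terminator: the 520-byte case the advisory mentions is caught by the `vl > MAX_INFO_VALUE || vl >= outsz` test before any byte reaches the destination buffer, and a packet with a NUL in the middle is refused outright instead of being partially processed.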