[mohaa] Fw: Medal of Honor remote buffer-overflow

Mohaa (kaleplek) mohaa at vandrosthagen.net
Mon Jul 19 16:35:43 EDT 2004


Great job man, but I'm running a Linux server, and the hack works. Is there
going to be a fix for Linux too???

Greetings
Quint

----- Original Message ----- 
From: "MoRPHeUs" <mohaa-icculus.maks3w at virtualplanets.net>
To: <mohaa at icculus.org>
Sent: Sunday, July 18, 2004 20:36
Subject: [mohaa] Fw: Medal of Honor remote buffer-overflow


>
> ----- Original Message ----- 
> From: "Luigi Auriemma" <aluigi at autistici.org>
> To: <bugtraq at securityfocus.com>; <bugs at securitytracker.com>;
> <news at securiteam.com>; <full-disclosure at lists.netsys.com>
> Sent: Saturday, July 17, 2004 6:57 PM
> Subject: Medal of Honor remote buffer-overflow
>
>
> >
> > #######################################################################
> >
> >                              Luigi Auriemma
> >
> > Application:  Medal of Honor
> >               http://mohaa.ea.com
> > Versions:     Allied Assault <= 1.11v9
> >               Breakthrough   <= 2.40b
> >               Spearhead      <= 2.15
> > Platforms:    Windows and Linux
> > Bug:          buffer overflow
> > Risk:         critical
> > Exploitation: remote, versus server
> >               (clients are vulnerable only on LAN)
> > Date:         17 July 2004
> > Author:       Luigi Auriemma
> >               e-mail: aluigi at altervista.org
> >               web:    http://aluigi.altervista.org
> >
> >
> > #######################################################################
> >
> >
> > 1) Introduction
> > 2) Bug
> > 3) The Code
> > 4) Fix
> >
> >
> > #######################################################################
> >
> > ===============
> > 1) Introduction
> > ===============
> >
> >
> > Medal of Honor is a famous military FPS game set in World War II.
> > It was developed by 2015 (http://www.2015.com) and was originally
> > released at the beginning of 2002; other expansion packs were released
> > later.
> >
> >
> > #######################################################################
> >
> > ======
> > 2) Bug
> > ======
> >
> >
> > The problem is a classical buffer-overflow located in different parts
> > of the game code, but the first vulnerable function is the manager of
> > the queries/replies, which checks for slashes and NULL bytes but doesn't
> > check the size of the values before copying them into a new buffer.
> >
> > In Allied Assault 1.11v9 dedicated server for Win32 we can see the
> > first bugged function at offset 0x00428f20 where the return address
> > (0x00429291) is overwritten by the client's data if it contains a value
> > of 520 bytes or more (1032 on the Linux version).
> >
> > The data causing the overflow can be used in a lot of packet types, in
> > fact it can be in the "getinfo" query, in the "connect" packet and in
> > others.
> > The most dangerous method to exploit this vulnerability is through the
> > getinfo query because it is a single UDP packet that the server cannot
> > block and the attacker can also spoof it.
> >
> > Naturally clients are also vulnerable, but the bugged function is used
> > only for LAN queries; in fact, online the clients use the standard
> > Gamespy protocol, which is not vulnerable.
> >
> >
> > #######################################################################
> >
> > ===========
> > 3) The Code
> > ===========
> >
> >
> > http://aluigi.altervista.org/poc/mohaabof.zip
> >
> >
> > #######################################################################
> >
> > ======
> > 4) Fix
> > ======
> >
> >
> > No fix.
> > Developers at 2015 were notified on 1 July 2004, but support for the
> > game is in the hands of Electronic Arts (I'm still waiting for a patch,
> > or at least an answer from EA, about the buffer-overflow in Need for
> > Speed Hot Pursuit 2 that I reported tons of months ago...).
> >
> > However, I have developed a universal patch that can be applied to any
> > version, game and type of server/client (dedicated or normal, with the
> > only requirement that naturally the executable of the normal version
> > must be decrypted, aka No-CD) because fortunately the part of code to
> > modify is always exactly the same.
> > Currently my patch is available only for the Win32 executables, not for
> > Linux:
> >
> >   http://aluigi.altervista.org/patches/mohaaboffix.zip
> >
> > All the details about the fix are in the text file inside the package;
> > however, the original bugged function contains a lot of slow code, so I
> > have optimized it to gain the space for my patched code and have also
> > saved 38 bytes.
> >
> >
> > #######################################################################
> >
> >
> > --- 
> > Luigi Auriemma
> > http://aluigi.altervista.org
>
>
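The quoted advisory describes the bug (a query/reply token parser that stops only on a backslash or NUL and never checks the token length before copying it into a fixed stack buffer) and the fix idea (bound the copy) but shows neither. The C below is an added illustration of that pattern, not the game's code and not Luigi's patch. It assumes the parser works on Quake III style "\key\value\key\value" infostrings, such as the userinfo carried in a "connect" packet, and borrows the advisory's 520-byte Win32 threshold as the size of the stack buffer; both are assumptions for illustration, since the real function is not on the page. The sample userinfo with a 600-byte name is constructed, not a captured packet.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed buffer size: the advisory reports that a value of 520 bytes or more
 * overwrites the Win32 return address, so 520 is used here as the size of the
 * fixed stack buffers. The real sizes in the game binary are not in the advisory. */
#define INFO_TOKEN_MAX 520

/* Vulnerable lookup, modelled on a Quake III style "\key\value" infostring parser
 * (an assumption: the advisory does not show the function). As the advisory says,
 * each token is terminated only by a backslash or a NUL byte and its length is
 * never checked before it is copied into a fixed-size stack buffer.
 * Returns 1 and copies the value into out if key is found, 0 otherwise.
 * A token of INFO_TOKEN_MAX bytes or more runs past pkey/value onto the stack. */
int info_value_vuln(const char *info, const char *key, char *out, size_t outsz)
{
    char pkey[INFO_TOKEN_MAX];
    char value[INFO_TOKEN_MAX];
    const char *s = info;
    char *o;

    if (*s == '\\')
        s++;
    for (;;) {
        o = pkey;
        while (*s != '\\') {            /* stops on a backslash ...            */
            if (!*s)                    /* ... or on NUL, never on length      */
                return 0;
            *o++ = *s++;
        }
        *o = '\0';
        s++;

        o = value;
        while (*s != '\\' && *s)        /* same unbounded copy for the value   */
            *o++ = *s++;
        *o = '\0';

        if (strcmp(key, pkey) == 0) {
            snprintf(out, outsz, "%s", value);
            return 1;
        }
        if (!*s)
            return 0;
        s++;
    }
}

/* Hardened lookup: measures each token before touching any buffer and rejects
 * the whole string if a key or value reaches INFO_TOKEN_MAX or the value would
 * not fit the caller's buffer. Returns 1 (found), 0 (not found), -1 (rejected). */
int info_value_safe(const char *info, const char *key, char *out, size_t outsz)
{
    const char *s = info;
    size_t keylen = strlen(key);

    if (*s == '\\')
        s++;
    while (*s) {
        const char *kstart = s;
        const char *vstart;
        size_t klen, vlen;

        while (*s && *s != '\\')
            s++;
        klen = (size_t)(s - kstart);
        if (!*s)
            return 0;                   /* key without a value: not found      */
        s++;
        vstart = s;
        while (*s && *s != '\\')
            s++;
        vlen = (size_t)(s - vstart);

        if (klen >= INFO_TOKEN_MAX || vlen >= INFO_TOKEN_MAX)
            return -1;                  /* would overflow the fixed buffers    */
        if (klen == keylen && memcmp(kstart, key, klen) == 0) {
            if (vlen >= outsz)
                return -1;
            memcpy(out, vstart, vlen);
            out[vlen] = '\0';
            return 1;
        }
        if (*s)
            s++;
    }
    return 0;
}

/* Constructed sample: a "connect" userinfo whose name value is 600 bytes, past
 * the 520-byte threshold from the advisory. Not a real captured packet. */
const char *oversized_userinfo(void)
{
    static char buf[1024];
    size_t n = 6;
    memcpy(buf, "\\name\\", 6);
    memset(buf + n, 'A', 600);
    n += 600;
    memcpy(buf + n, "\\rate\\25000", 12);   /* 11 chars plus the NUL */
    return buf;
}

int main(void)
{
    char out[64];
    int rc = info_value_safe("\\name\\Quint\\rate\\25000", "rate", out, sizeof out);
    printf("benign userinfo:    rc=%d rate=%s\n", rc, out);
    rc = info_value_safe(oversized_userinfo(), "rate", out, sizeof out);
    printf("oversized userinfo: rc=%d (rejected before any copy)\n", rc);
    /* info_value_vuln() is deliberately not called on the oversized string:
     * it would write 600 bytes into a 520-byte stack buffer. */
    return 0;
}
```

The hardened version rejects the oversized name before it ever looks at the rate key, which is the property a server-side fix needs: nothing from the client is copied until every token has been measured. On a Linux server, where the Win32 binary patch quoted above does not apply, the same logic can only be enforced in front of the process (dropping oversized UDP datagrams at the firewall) until the vendor ships a fixed binary.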