[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040122164718.71483850.aluigi@altervista.org>
Date: Thu, 22 Jan 2004 16:47:18 +0000
From: Luigi Auriemma <aluigi@...ervista.org>
To: bugtraq@...urityfocus.com
Subject: Need for Speed Hot pursuit 2 <= 242 client's buffer overflow
#######################################################################
Luigi Auriemma
Application: Need for Speed Hot Pursuit 2
http://www.eagames.com/pccd/nfshp2/home.jsp
Versions: <= 242
Platforms: Windows
Bug: client's buffer-overflow
Risk: critical
Exploitation: remote
Date: 22 Jan 2004
Author: Luigi Auriemma
e-mail: aluigi@...ervista.org
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Need for Speed Hot Pursuit 2 (NFSHP2) is a nice racing game developed
by Blackboxgames (http://www.blackboxgames.com).
Who don't know the Need for Speed saga???
#######################################################################
======
2) Bug
======
The NFSHP2's client is vulnerable to a buffer-overflow caused by a too
long string in the informations replied by the server.
The information queries are made automatically by each client that
enters in the Multiplayer screen of the game, in fact each packet will
be sent to all the servers found in the master server's list and then
the clients will wait for the replies.
The problem is just in these answers and exactly in the values after
the following parameters:
gamename, gamever, hostname, gametype, mapname and gamemode
The following is one of the vulnerable pieces of code permitting the
buffer-overflow, coming directly from the decoded NFSHP2 242 exe:
:0050558D 6814206E00 push 006E2014
:00505592 6800E86900 push 0069E800 ("mapname")
:00505597 56 push esi
:00505598 E873930000 call 0050E910
:0050559D 83C40C add esp, 0000000C
:005055A0 8D9344010000 lea edx, dword[ebx+00000144]
:005055A6 8A08 mov cl, byte[eax]
:005055A8 40 inc eax
:005055A9 880A mov byte[edx], cl
:005055AB 42 inc edx
:005055AC 84C9 test cl, cl
:005055AE 75F6 jne 005055A6
Simple explaination:
- the code searchs for the string "mapname" in the packet
- it starts to copy the value after "mapname" to a newer smaller buffer
As said before, the clients automatically request informations to the
servers meaning that if exists at least one malicious fake server
nobody will be able to play online and moreover the attacker has the
possibility to execute malicious code or take control over all the
existent clients.
#######################################################################
===========
3) The Code
===========
http://aluigi.altervista.org/poc/nfshp2cbof.zip
#######################################################################
======
4) Fix
======
No fix.
Unfortunally (as noted by other researchers in the past) Electronic
Arts has an incredibly bad support, there are no e-mail addresses for
bug signalations and the web form (the only way) is completely useless.
I have also tried to directly contact repeatedly the tech support and
some of the developers of Blackboxgames (surfing on Google and finding
e-mail addresses) but I have never received a reply.
Time doesn't fix bugs, people do.
#######################################################################
---
Luigi Auriemma
http://aluigi.altervista.org
Powered by blists - more mailing lists