
nfshp2cbof-adv.txt
Posted Jan 23, 2004
Authored by Luigi Auriemma | Site aluigi.altervista.org

Need for Speed Hot Pursuit 2 has a vulnerable client that is susceptible to a buffer overflow attack by a hostile server. The overflow occurs when an overly long string is sent back to the client in reply to an information query. Electronic Arts has not bothered to even return e-mails regarding this problem.

tags | advisory, overflow
SHA-256 | 88337ed5ab04b4df56e133195ed4bc9fac508d02013e72364ab9d389beedd45e

#######################################################################

Luigi Auriemma

Application: Need for Speed Hot Pursuit 2
http://www.eagames.com/pccd/nfshp2/home.jsp
Versions: <= 242
Platforms: Windows
Bug: client's buffer-overflow
Risk: critical
Exploitation: remote
Date: 22 Jan 2004
Author: Luigi Auriemma
e-mail: aluigi@altervista.org
web: http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Need for Speed Hot Pursuit 2 (NFSHP2) is a nice racing game developed
by Blackboxgames (http://www.blackboxgames.com).
Who doesn't know the Need for Speed saga?


#######################################################################

======
2) Bug
======


The NFSHP2 client is vulnerable to a buffer overflow caused by an overly
long string in the information returned by the server.
The information queries are sent automatically by each client that
enters the game's Multiplayer screen: a query packet is sent to every
server found in the master server's list and the client then waits for
the replies.

The problem lies in these replies, specifically in the values that
follow these parameters:
gamename, gamever, hostname, gametype, mapname and gamemode

The following is one of the vulnerable pieces of code permitting the
buffer overflow, taken directly from the disassembled NFSHP2 242 exe:

:0050558D 6814206E00 push 006E2014
:00505592 6800E86900 push 0069E800 ("mapname")
:00505597 56 push esi
:00505598 E873930000 call 0050E910
:0050559D 83C40C add esp, 0000000C
:005055A0 8D9344010000 lea edx, dword[ebx+00000144]
:005055A6 8A08 mov cl, byte[eax]
:005055A8 40 inc eax
:005055A9 880A mov byte[edx], cl
:005055AB 42 inc edx
:005055AC 84C9 test cl, cl
:005055AE 75F6 jne 005055A6

Simple explanation:
- the code searches for the string "mapname" in the packet
- it copies the value after "mapname", byte by byte until the
  terminating NUL, into a new, smaller buffer without checking how much
  room that buffer has

As said before, the clients automatically request information from the
servers, meaning that if at least one malicious fake server exists
nobody will be able to play online; moreover the attacker has the
possibility to execute malicious code on, or take control of, all the
existing clients.
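The following is an added example, not the game's code or the author's proof of concept: it reproduces the unbounded copy loop from the disassembly above next to a bounded replacement that a client could use to reject oversized replies. The "\key\value" reply layout and the 64-byte field size are assumptions made for this example; the advisory only names the keys and shows the copy loop.

```c
/* Added example (not the game's code): the copy pattern from the advisory's
 * disassembly beside a bounded replacement.  "\key\value" layout and the
 * 64-byte field size are assumptions made for this example. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 64   /* assumed size of the client's per-field buffer */

/* Vulnerable pattern, equivalent to the loop at 005055A6..005055AE:
 * copy until the terminating byte, never checking how much room dst has. */
static void copy_unbounded(char *dst, const char *src)
{
    char c;
    do {
        c = *src++;      /* mov cl, byte[eax]; inc eax */
        *dst++ = c;      /* mov byte[edx], cl; inc edx */
    } while (c != '\0'); /* test cl, cl; jne */
}

/* Hardened replacement: copy the value after "\key\" into dst, always
 * NUL-terminated.  Returns the value's full length in the reply (so the
 * caller can detect truncation), or -1 if the key is absent. */
static long copy_field(const char *reply, const char *key,
                       char *dst, size_t dstlen)
{
    char pat[64];
    int n = snprintf(pat, sizeof pat, "\\%s\\", key);
    if (n < 0 || (size_t)n >= sizeof pat || dstlen == 0) return -1;
    const char *val = strstr(reply, pat);
    if (!val) return -1;
    val += n;
    size_t len = strcspn(val, "\\");       /* value ends at next '\' or NUL */
    size_t keep = len < dstlen - 1 ? len : dstlen - 1;
    memcpy(dst, val, keep);
    dst[keep] = '\0';
    return (long)len;
}

/* Reject a reply if any of the six fields named in the advisory would not
 * fit: a server sending such a value is treated as hostile and dropped. */
static int reply_is_safe(const char *reply)
{
    static const char *keys[] = { "gamename", "gamever", "hostname",
                                  "gametype", "mapname", "gamemode" };
    char buf[FIELD_MAX];
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++) {
        long len = copy_field(reply, keys[i], buf, sizeof buf);
        if (len >= (long)sizeof buf) return 0;   /* truncated -> oversized */
    }
    return 1;
}
```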


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/nfshp2cbof.zip


#######################################################################

======
4) Fix
======


No fix.

Unfortunately (as noted by other researchers in the past) Electronic
Arts has incredibly bad support: there are no e-mail addresses for
bug reports and the web form (the only way) is completely useless.
I have also repeatedly tried to directly contact the tech support and
some of the developers of Blackboxgames (surfing Google and finding
e-mail addresses) but I have never received a reply.

Time doesn't fix bugs, people do.


#######################################################################