<<< Date Index >>>     <<< Thread Index >>>

Need for Speed Hot pursuit 2 <= 242 client's buffer overflow



#######################################################################

                             Luigi Auriemma

Application:  Need for Speed Hot Pursuit 2
              http://www.eagames.com/pccd/nfshp2/home.jsp
Versions:     <= 242
Platforms:    Windows
Bug:          client's buffer-overflow
Risk:         critical
Exploitation: remote
Date:         22 Jan 2004
Author:       Luigi Auriemma
              e-mail: aluigi@xxxxxxxxxxxxxx
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Need for Speed Hot Pursuit 2 (NFSHP2) is a nice racing game developed
by Blackboxgames (http://www.blackboxgames.com).
Who don't know the Need for Speed saga???


#######################################################################

======
2) Bug
======


The NFSHP2's client is vulnerable to a buffer-overflow caused by a too
long string in the informations replied by the server.
The information queries are made automatically by each client that
enters in the Multiplayer screen of the game, in fact each packet will
be sent to all the servers found in the master server's list and then
the clients will wait for the replies.

The problem is just in these answers and exactly in the values after
the following parameters:
gamename, gamever, hostname, gametype, mapname and gamemode

The following is one of the vulnerable pieces of code permitting the
buffer-overflow, coming directly from the decoded NFSHP2 242 exe:

:0050558D 6814206E00              push 006E2014
:00505592 6800E86900              push 0069E800 ("mapname")
:00505597 56                      push esi
:00505598 E873930000              call 0050E910
:0050559D 83C40C                  add esp, 0000000C
:005055A0 8D9344010000            lea edx, dword[ebx+00000144]
:005055A6 8A08                    mov cl, byte[eax]
:005055A8 40                      inc eax
:005055A9 880A                    mov byte[edx], cl
:005055AB 42                      inc edx
:005055AC 84C9                    test cl, cl
:005055AE 75F6                    jne 005055A6

Simple explaination:
- the code searchs for the string "mapname" in the packet
- it starts to copy the value after "mapname" to a newer smaller buffer

As said before, the clients automatically request informations to the
servers meaning that if exists at least one malicious fake server
nobody will be able to play online and moreover the attacker has the
possibility to execute malicious code or take control over all the
existent clients.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/nfshp2cbof.zip


#######################################################################

======
4) Fix
======


No fix.

Unfortunally (as noted by other researchers in the past) Electronic
Arts has an incredibly bad support, there are no e-mail addresses for
bug signalations and the web form (the only way) is completely useless.
I have also tried to directly contact repeatedly the tech support and
some of the developers of Blackboxgames (surfing on Google and finding
e-mail addresses) but I have never received a reply.

Time doesn't fix bugs, people do.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org