<<< Date Index >>>     <<< Thread Index >>>

Medal of Honor remote buffer-overflow



#######################################################################

                             Luigi Auriemma

Application:  Medal of Honor
              http://mohaa.ea.com
Versions:     Allied Assault <= 1.11v9
              Breakthrough   <= 2.40b
              Spearhead      <= 2.15
Platforms:    Windows and Linux
Bug:          buffer overflow
Risk:         critical
Exploitation: remote, versus server
              (clients are vulnerables only in LAN)
Date:         17 July 2004
Author:       Luigi Auriemma
              e-mail: aluigi@xxxxxxxxxxxxxx
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Medal of Honor is a famous military FPS game located in the World War
II.
It has been developed by 2015 (http://www.2015.com) and was originally
released at the beginning of 2002 but other expansion packs have been
released later.


#######################################################################

======
2) Bug
======


The problem is a classical buffer-overflow located in different parts
of the game code, but the first function vulnerable is the manager of
the queries/replies that checks for slashs and NULL bytes but doesn't
check the size of the values before copying them in a new buffer.

In Allied Assault 1.11v9 dedicated server for Win32 we can see the
first bugged function at offset 0x00428f20 where the return address
(0x00429291) is overwritten by the client's data if it contains a value
of 520 bytes or more (1032 on the Linux version).

The data causing the overflow can be used in a lot of packet types, in
fact it can be in the "getinfo" query, in the "connect" packet and in
others.
The most dangerous method to exploit this vulnerability is through the
getinfo query because it is a single UDP packet that the server cannot
block and the attacker can also spoof it.

Naturally also clients are vulnerables but the bugged function is used
only for LAN queries, in fact online the clients use the standard
Gamespy protocol that is not vulnerable.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/mohaabof.zip


#######################################################################

======
4) Fix
======


No fix.
Developers at 2015 have been noticed the 1 July 2004 but the support of
the game is in the hands of Electronic Arts (I'm still waiting a patch
or at least an answer from EA about the buffer-overflow in Need for
Speed Hot Pursuit 2 noticed tons of months ago...).

However I have developed an universal patch that can be applied to any
version, game and type of server/client (dedicated or normal, with the
only requirement that naturally the executable of the normal version
must be decrypted, aka No-CD) because fortunately the part of code to
modify is ever exactly the same.
Actually my patch is available only for the Win32 executables, not for
Linux:

  http://aluigi.altervista.org/patches/mohaaboffix.zip

All the details about the fix are in the text file inside the package
however the original bugged function contains a lot of slow code so I
have optimized it for gaining the space where placing my patched code
and I have also saved 38 bytes.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org