####################################################################### Luigi Auriemma Application: Medal of Honor http://mohaa.ea.com Versions: Allied Assault <= 1.11v9 Breakthrough <= 2.40b Spearhead <= 2.15 Platforms: Windows, Linux and MacOS Bug: buffer overflow Exploitation: remote, versus server (clients are vulnerables only in LAN) Date: 17 July 2004 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Medal of Honor is a famous military FPS game located in the World War II. It has been developed by 2015 (http://www.2015.com) and published by Electronic Arts (http://www.ea.com); was originally released at the beginning of 2002 but other expansion packs have been released later. ####################################################################### ====== 2) Bug ====== The problem is a classical buffer-overflow located in different parts of the game code, but the first function vulnerable is the manager of the queries/replies that checks for slashs and NULL bytes but doesn't check the size of the values before copying them in a new buffer. In Allied Assault 1.11v9 dedicated server for Win32 we can see the first bugged function at offset 0x00428f20 where the return address (0x00429291) is overwritten by the client's data if it contains a value of 520 bytes or more (1032 on the Linux version). The data causing the overflow can be used in a lot of packet types, in fact it can be in the "getinfo" query, in the "connect" packet and in others. The most dangerous method to exploit this vulnerability is through the getinfo query because it is a single UDP packet that the server cannot block and the attacker can also spoof it. Naturally also clients are vulnerables but the bugged function is used only for LAN queries, in fact online the clients use the standard Gamespy protocol that is not vulnerable. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/mohaabof.zip ####################################################################### ====== 4) Fix ====== No fix. Developers at 2015 have been noticed the 1 July 2004 but the support of the game is in the hands of Electronic Arts (I'm still waiting a patch or at least an answer from EA about the buffer-overflow in Need for Speed Hot Pursuit 2 noticed tons of months ago...). However I have developed an universal patch that can be applied to any version, game and type of server/client (dedicated or normal, with the only requirement that naturally the executable of the normal version must be decrypted, aka No-CD) because fortunately the part of code to modify is ever exactly the same. Currently my patch is available only for the Win32 executables, not for Linux: http://aluigi.org/patches/mohaaboffix.lpatch All the details about the fix are in the text file inside the package however the original bugged function contains a lot of slow code so I have optimized it for gaining the space where placing my patched code and I have also saved 38 bytes. Linux: http://icculus.org/betas/mohaa/ #######################################################################