####################################################################### Luigi Auriemma Application: Need for Speed Hot Pursuit 2 http://www.eagames.com/pccd/nfshp2/home.jsp Versions: <= 242 Platforms: Windows Bug: client's buffer-overflow Exploitation: remote Date: 22 Jan 2004 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Need for Speed Hot Pursuit 2 (NFSHP2) is a nice racing game developed by Blackboxgames (http://www.blackboxgames.com) and published by Electronic Arts (http://www.ea.com). It has been released in October 2002. ####################################################################### ====== 2) Bug ====== The NFSHP2's client is vulnerable to a buffer-overflow caused by a too long string in the informations replied by the server. The information queries are made automatically by each client that enters in the Multiplayer screen of the game, in fact each packet will be sent to all the servers found in the master server's list and then the clients will wait for the replies. The problem is just in these answers and exactly in the values after the following parameters: gamename, gamever, hostname, gametype, mapname and gamemode The following is one of the vulnerable pieces of code permitting the buffer-overflow, coming directly from the decoded NFSHP2 242 exe: :0050558D 6814206E00 push 006E2014 :00505592 6800E86900 push 0069E800 ("mapname") :00505597 56 push esi :00505598 E873930000 call 0050E910 :0050559D 83C40C add esp, 0000000C :005055A0 8D9344010000 lea edx, dword[ebx+00000144] :005055A6 8A08 mov cl, byte[eax] :005055A8 40 inc eax :005055A9 880A mov byte[edx], cl :005055AB 42 inc edx :005055AC 84C9 test cl, cl :005055AE 75F6 jne 005055A6 Simple explaination: - the code searchs for the string "mapname" in the packet - it starts to copy the value after "mapname" to a newer smaller buffer As said before, the clients automatically request informations to the servers meaning that if exists at least one malicious fake server nobody will be able to play online and moreover the attacker has the possibility to execute malicious code or take control over all the existent clients. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/nfshp2cbof.zip ####################################################################### ====== 4) Fix ====== No fix. Unfortunately (as noted by other researchers in the past) Electronic Arts has an incredibly bad support, there are no e-mail addresses for bug reports and the web form (the only way) is completely useless. I have also tried to directly contact repeatedly the tech support and some of the developers of Blackboxgames (surfing on Google and finding e-mail addresses) but I have never received a reply. Time doesn't fix bugs, people do. #######################################################################