#######################################################################

                             Luigi Auriemma

Application:  Refractor 2 engine
Games:        Battlefield 2 <= 1.41 (aka 1.1.2965-797)
              http://www.battlefield.ea.com/battlefield/bf2/
              Battlefield 2142 <= 1.50 (aka 1.10.48.0)
              http://battlefield.ea.com/battlefield/bf2142/
              ... other games developed with the same engine could be
              vulnerable too, but in my tests I wasn't able to replicate
              the problem on Battlefield 1942 (the old Refractor 1
              engine, which in any case must not be excluded as possibly
              vulnerable) and I haven't tested games like Battlefield
              Heroes, mainly because no public dedicated server software
              exists, only servers hosted by official EA partners
Platforms:    Windows and Linux
Bug:          endless loop (possibly 2 distinct vulnerabilities)
Exploitation: remote, versus server
Date:         06 Jun 2010
Author:       Francis Lavoie-Renaud
Advisory:     Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

The Battlefield series is one of the most famous and played series of
games deeply devoted to multiplayer gaming.
The series is developed by DICE (http://www.dice.se) and published by
Electronic Arts.

#######################################################################

======
2) Bug
======

This is a reference advisory for a vulnerability which was reported to
me by Francis Lavoie-Renaud exactly one year ago:

  http://old.zenhax.com/battlefield-2-crash-t927.html

The problem is an endless loop that freezes the whole server with the
CPU at 100% due to the wrong handling of a malformed bitstream (the
engine works with fields composed of bits of dynamic length).
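As an added illustration of the bug class described above (a constructed example, not the Refractor 2 wire format and not the engine's or the advisory's code): a reader for length-prefixed bit fields where a truncated field leaves the read position unchanged, so a "consume every bit" loop never terminates, beside a hardened version that treats any short read as a fatal parse error for that packet.

```c
#include <stdint.h>
#include <stddef.h>
/* Constructed bitstream layout (NOT the Refractor 2 format): each field
 * is a 4-bit length followed by that many payload bits, MSB first. */
typedef struct { const uint8_t *buf; size_t nbits; size_t pos; } bitreader;

/* Read n (<= 32) bits. On a short read it returns 0 and, like many real
 * readers, leaves pos exactly where it was. */
static int read_bits(bitreader *r, unsigned n, uint32_t *out) {
    if (n > 32 || r->pos + n > r->nbits) return 0;
    uint32_t v = 0;
    for (unsigned i = 0; i < n; i++, r->pos++)
        v = (v << 1) | ((r->buf[r->pos >> 3] >> (7 - (r->pos & 7))) & 1);
    *out = v;
    return 1;
}

/* Vulnerable pattern: "loop until every bit is consumed" assumes each
 * pass advances. A truncated field fails read_bits without moving pos,
 * so the same header is re-read forever and the thread spins at 100%
 * CPU. max_iter is a demo-only guard so this function returns; -1 means
 * the real loop would never have exited. */
int count_fields_vulnerable(const uint8_t *buf, size_t nbits, unsigned max_iter) {
    bitreader r = { buf, nbits, 0 };
    uint32_t len, val; int n = 0;
    while (r.pos < r.nbits) {
        if (max_iter-- == 0) return -1;
        if (!read_bits(&r, 4, &len)) continue;   /* retry, same state */
        if (!read_bits(&r, len, &val)) continue; /* retry, same state */
        n++;
    }
    return n;
}

/* Hardened: a short read is a parse error, so malformed input ends the
 * packet's processing instead of the server's. */
int count_fields_safe(const uint8_t *buf, size_t nbits) {
    bitreader r = { buf, nbits, 0 };
    uint32_t len, val; int n = 0;
    while (r.pos < r.nbits) {
        if (!read_bits(&r, 4, &len)) return -1;   /* truncated header */
        if (!read_bits(&r, len, &val)) return -1; /* truncated payload */
        n++;
    }
    return n;
}

/* Constructed sample: len=3 "101", len=5 "11001" -> 0011101 010111001
 * = 0x3A 0xB9 (16 bits). Declaring only 14 bits truncates the last field. */
const uint8_t sample_stream[] = { 0x3A, 0xB9 };
```

The same bytes parse cleanly at their true length and, once declared short, hang the vulnerable loop while the hardened parser simply rejects the packet.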
Note that in my tests during the patching of the problem I noticed the
presence of a secondary vulnerability (a NULL pointer) that happened
after the manual fixing of the loop bug, but in any case it doesn't
matter because it can't be "reached" in normal conditions.

The attacker must be able to partially join the server to exploit the
vulnerability (IP not banned, knowing the password if used and server
not full) but it is NOT needed to have a valid cdkey because the bug is
exploited before such a check.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/bf2loop.zip

#######################################################################

======
4) Fix
======

The problem has been reported by Francis to the developers, who
released the 1.50 patch only for Battlefield 2 in September 2009.
Battlefield 2142 is still unfixed.

Note that a possible crash issue has been reported (maybe that NULL
pointer I pointed out before?) caused by the usage of the same
proof-of-concept versus some 1.50 BF2 servers.
Although I can't replicate it here on my test server, the problem has
been tested (by third parties) on various patched dedicated servers,
with the strange effect that after the first crash the problem isn't
replicable for a certain amount of time (watch the original thread on
my forum for other information and updates).

The following is the unofficial patch I released one year ago for any
vulnerable game:

  http://aluigi.org/patches/bfloopfix.lpatch

#######################################################################