#######################################################################

                             Luigi Auriemma

Application:  Refractor 2 engine
Games:        Battlefield 2 <= 1.50 (aka 1.5.3153-802.0)
              http://www.battlefield.ea.com/battlefield/bf2/
              Battlefield 2142 <= 1.51 (aka 1.10.112.0)
              http://battlefield.ea.com/battlefield/bf2142/
              ... other games developed with the same engine could be
              vulnerable too, but in my tests I wasn't able to replicate
              the problem on Battlefield 1942 (the old Refractor 1 engine,
              which in any case must not be excluded as possibly
              vulnerable), and I haven't tested games like Battlefield
              Heroes, mainly because no public dedicated server software
              exists for them, only servers hosted by official EA partners
Platforms:    Windows and Linux
Bug:          NULL pointer
Exploitation: remote, versus server
Date:         19 Feb 2011
Authors:      SomaFM, Luigi Auriemma and Francis Lavoie-Renaud
Advisory:     Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

The Battlefield series is one of the most famous and played series of
games deeply devoted to multiplayer gaming.
The series is developed by DICE (http://www.dice.se) and published by
Electronic Arts.

#######################################################################

======
2) Bug
======

In some conditions that seem to depend on the players in the server it's
possible to cause a NULL pointer dereference that crashes the server:

  bf2_w32ded+0x216f9f:
  00616f9f 8b01            mov     eax,dword ptr [ecx]  ds:0023:00000000
  00616fa1 ff9094000000    call    dword ptr [eax+94h]

From my tests the NULL pointer is reached when the same attacker or
another player leaves the server while the old bf2loop proof-of-concept
is running versus the server where that old bug has been patched.
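The two instructions above are the classic shape of a virtual-method call on a NULL object: ECX is the object pointer (here 0), the first load fetches its method table, and the second instruction calls the slot at offset 0x94 of that table. The following C snippet is an added illustration, not code from the advisory or from the Refractor 2 engine; the `player`/`player_ops` structures, the session table and the `DISPATCH_ERR` value are all assumptions made for the example, since the real object layout is unknown. It contrasts the unguarded dispatch that reproduces the fault with a guarded version that refuses a NULL object, which is the kind of check a server would need at the point where a departing player's object is used.

```c
#include <stdio.h>
#include <stddef.h>

/* Hypothetical layout chosen for the example: a pointer to a table of
 * function pointers sits at offset 0 of the object, like a C++ vtable.
 * In the crash above the table slot being called was at offset 0x94. */
struct player;
struct player_ops {
    int (*on_leave)(struct player *self);   /* the "virtual method" slot */
};
struct player {
    const struct player_ops *ops;           /* what "mov eax,[ecx]" loads */
    int id;
};

static int player_on_leave_impl(struct player *self) { return self->id; }
static const struct player_ops default_ops = { player_on_leave_impl };

/* Unguarded dispatch: mirrors "mov eax,[ecx]; call [eax+94h]".
 * With p == NULL the first load faults exactly like the server did. */
int dispatch_unguarded(struct player *p) {
    return p->ops->on_leave(p);
}

/* Guarded dispatch: a NULL object (or a NULL method table) is reported and
 * refused instead of dereferenced, so one bad session cannot take the whole
 * process down. DISPATCH_ERR is an assumed sentinel for the example. */
#define DISPATCH_ERR (-1)
int dispatch_guarded(struct player *p) {
    if (p == NULL || p->ops == NULL || p->ops->on_leave == NULL) {
        fprintf(stderr, "dispatch: refused virtual call on NULL player object\n");
        return DISPATCH_ERR;
    }
    return p->ops->on_leave(p);
}

/* Constructed session table: two connected players. A disconnect clears the
 * slot, which is the state in which the advisory's crash is triggered. */
#define MAX_SESSIONS 2
static struct player  session_objs[MAX_SESSIONS] = { { &default_ops, 1 }, { &default_ops, 2 } };
static struct player *session_tab[MAX_SESSIONS]  = { &session_objs[0], &session_objs[1] };

struct player *session_lookup(int slot) {
    if (slot < 0 || slot >= MAX_SESSIONS) return NULL;
    return session_tab[slot];
}

void session_disconnect(int slot) {
    if (slot >= 0 && slot < MAX_SESSIONS) session_tab[slot] = NULL;
}

int main(void) {
    printf("slot 0 before disconnect: %d\n", dispatch_guarded(session_lookup(0)));
    session_disconnect(1);
    /* dispatch_unguarded(session_lookup(1)) would segfault here. */
    printf("slot 1 after disconnect:  %d\n", dispatch_guarded(session_lookup(1)));
    return 0;
}
```

The defensive point is that the guard belongs where a stale handle can still be reached after the owning client has gone (the disconnect path), not in the network parser: the crash site reads a valid-looking instruction sequence and only the object pointer is bad.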
#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/bf2loop.zip

How to replicate the vulnerability:
- join the server with the normal game client; it's not necessary to
  play in it, it's enough to join and stay at the menu where the base
  to spawn at is selected
- launch bf2loop (version 0.2) versus the server; it will automatically
  continue to test the server till its crash
- disconnect the game client from the server
- the server will crash immediately

#######################################################################

======
4) Fix
======

No fix.

#######################################################################