Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
It is currently 19 Jul 2012 11:33

All times are UTC [ DST ]





Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 45 posts ]  Go to page Previous  1, 2
Post subject: Re: Battlefield 2 Crash
Posted: 05 Jun 2010 19:53

Joined: 16 Aug 2007 06:25
Posts: 367
Yeah, I have tested it on about 3 or 4 public, ranked, online servers running the latest version. And they are dedicated (bf2_dedicated 1).

It seems that after a crash, the server comes back online and isn't vulnerable for some period of time. Then a while later (maybe a few hours) the vulnerability works again. Strange.


Post subject: Re: Battlefield 2 Crash
Posted: 06 Jun 2010 03:50

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
uhmmm really really strange and also interesting at the same time because it means that the bug has not been fixed completely.
are you 100% sure that these servers weren't reachable only by your IP?
maybe they automatically banned your IP and so for you the server was down while for the other people it was all ok.


Post subject: Re: Battlefield 2 Crash
Posted: 06 Jun 2010 05:39

Joined: 16 Aug 2007 06:25
Posts: 367
I tested this on real servers, with real players on them, running 1.5.3153-802.0, dedicated, ranked, etc. All my tests were successful, but a server only seems to be crashable every hour or so. After a server was crashed and it comes back online, it isn't crashable for a while. Below is what the PoC shows for me.

What I see when I successfully crash a server:
Code:
..
  received: 02 7
..
  received: 07 12
..
  received: 0f 26
....
Error: no reply received from server

Here is what I see after I recently crashed the server:
Code:
..
  received: 02 7
..
  received: 07 12
..
  received: 0f 26
....
  received: 03 6

- you must check the server manually or relaunching this PoC to know if it's
  vulnerable or not


^... and re-running the PoC shows the same message for some time until it's "crashable" again (1 hour?). Not sure what is happening between this time, but the latest version of BF2 is definitely crashable. Don't know about the other games.


Post subject: Re: Battlefield 2 Crash
Posted: 06 Jun 2010 15:14

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
interesting, maybe it could be something like the NULL pointer I saw after fixing the loop bug?
because when you fix the loop one there is a NULL pointer, that's why in my patch I refer to 2 problems.
it could be a hypothesis...

have you verified whether they were Linux or Windows servers, or whether the problem happened immediately or only in some circumstances (players, no players, PB, non-dedicated, dedicated and so on)?

in the meantime I have released a reference advisory for tracking the vulnerability:
http://aluigi.org/adv/bf2loop-adv.txt


Post subject: Re: Battlefield 2 Crash
Posted: 06 Jun 2010 19:02

Joined: 16 Aug 2007 06:25
Posts: 367
I have been successful on both Linux and Windows servers.
I have been successful on both PB enabled and disabled servers.
All servers were dedicated (I can't find any that are not dedicated).

Though it doesn't make sense why it wouldn't be vulnerable for a short while after it crashes, and then all of a sudden become vulnerable again. All servers behave this way that I have tested. It must be in the way they tried to fix it.


Last edited by SomaFM on 24 Jan 2011 04:53, edited 1 time in total.

Post subject: Re: Battlefield 2 Crash
Posted: 24 Jan 2011 04:25

Joined: 16 Aug 2007 06:25
Posts: 367
I know this thread is quite old, and this bug is probably not of much interest anymore, but it seems there has to be a certain player count for bf2loop to work on a BF2 server with the current version.

I started to look into this again recently and tried it on a public server. There were 28 players in there. I ran the tool, ran it again, again, again... it kept failing.. 4 or 5 times. I ran it once more, and it crashed the server. Nothing was changed! I looked at the command line history, and noticed the player count had gone up 1 player to 29. So my player (I would guess #30) was able to crash the server.

So it's probably a certain player count and/or being an "even" player that makes this bug still work. I couldn't say for sure, but I found my recent test interesting.


Post subject: Re: Battlefield 2 Crash
Posted: 24 Jan 2011 15:14

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
that's very interesting information, thanks


Post subject: Re: Battlefield 2 Crash
Posted: 25 Jan 2011 04:29

Joined: 16 Aug 2007 06:25
Posts: 367
Happy to help! Do you still work with BF2 at all? Any plans to look into this and make a PoC and/or patch?


Post subject: Re: Battlefield 2 Crash
Posted: 25 Jan 2011 12:53

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
uhmmm I guess I will not return to this, anyway let me know if this thing of relaunching the PoC 5 or more times really works with more servers and maybe I can "automate" it.

maybe make a file.bat with the command in sequence.


Post subject: Re: Battlefield 2 Crash
Posted: 28 Jan 2011 02:46

Joined: 16 Aug 2007 06:25
Posts: 367
Yeah, it's really random. I started documenting my player's slot number + how many times I ran the bat script to finally get it to crash for various servers:

64th
28th
16th (2 tries to crash)
18th (2 tries to crash)
22nd
56th
25th
64th

I am starting to think that none of this really matters because I started picking random servers I've never tested before, and on some it took 2-3 tries. It's really hard to pinpoint what the common factor is. The only thing I can see is the amount of time a server has been up.


Post subject: Re: Battlefield 2 Crash
Posted: 28 Jan 2011 04:16

Joined: 16 Aug 2007 06:25
Posts: 367
OK, so I started up a local server and did some testing. I ran bf2loop in a loop from another PC on the local network, continuously attempting to crash my server. It never did, after hundreds of attempts. As soon as I joined with a player and the round "officially" started, the server crashed the exact same way the others do (right after you see "received: 0f 26").

I started the server again, joined with a player to make it "officially" start, and to make the tickets to start counting down. I left the server open for a few minutes and ran the tool once, and it crashed.

So in the end: the only requirement seems to be that the round has started and the tickets are counting down. You may have to run the tool a few times, but it will eventually crash so long as the round has started. And my crash (at least on a Windows machine) seemed to generate no errors or logs... the server simply closed itself. Hopefully this might give you something to go off of to make a POC & patch :)! BF2 is still a really popular game, so it would be worthwhile.

This also confirms the "player count" theory --> after a server crashes, there is a certain player count requirement before the round officially starts. This is determined by the server. Once this is met and the round starts, the server is crashable.


Post subject: Re: Battlefield 2 Crash
Posted: 28 Jan 2011 13:14

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
confirmed, it's a NULL pointer:
Code:
eax=00000003 ebx=00000003 ecx=00000000 edx=0013fc5c esi=00000003 edi=0a74d6ec
eip=00616f9f esp=0013fc48 ebp=0013fc54 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
Bf2_w32ded+0x216f9f:
00616f9f 8b01            mov     eax,dword ptr [ecx]  ds:0023:00000000=????????
0:000> u eip
Bf2_w32ded+0x216f9f:
00616f9f 8b01            mov     eax,dword ptr [ecx]
00616fa1 ff9094000000    call    dword ptr [eax+94h]
00616fa7 85db            test    ebx,ebx
00616fa9 8b4f78          mov     ecx,dword ptr [edi+78h]
00616fac 8945fc          mov     dword ptr [ebp-4],eax
00616faf 894d08          mov     dword ptr [ebp+8],ecx
00616fb2 7e28            jle     Bf2_w32ded+0x216fdc (00616fdc)
00616fb4 56              push    esi
0:000> k
ChildEBP RetAddr 
0013fc54 0061737d Bf2_w32ded+0x216f9f
0013fc78 0054881f Bf2_w32ded+0x21737d
0013fc94 004491b3 Bf2_w32ded+0x14881f
0013fdcc 0044c0ee Bf2_w32ded+0x491b3
0013fde4 00403829 Bf2_w32ded+0x4c0ee
0013fe58 00401679 Bf2_w32ded+0x3829
0013fec0 0040182e Bf2_w32ded+0x1679
0013ff08 004018c9 Bf2_w32ded+0x182e
uhmmm, being a null pointer, a patch would be possible; I will think about it


 
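As an added illustration (not Luigi's code or anything from the thread) of how a defender reads the register state and disassembly quoted above: a Python triage helper that parses the WinDbg lines, locates the instruction at eip, computes the effective address of its memory operand and reports the NULL base register. The sample dump is a constructed copy of the lines in the post; the 64 KiB "null page" threshold is an assumption of this example.

```python
import re

# WinDbg register line ("ecx=00000000"), memory operand ("[ecx]", "[eax+94h]"), disassembly line
REG_RE = re.compile(r"\b(e[a-d]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})", re.I)
MEM_RE = re.compile(r"\[(e[a-d]x|e[sd]i|e[bs]p)(?:\+([0-9a-f]+)h?)?\]", re.I)
DIS_RE = re.compile(r"([0-9a-f]{8}) [0-9a-f]+\s+(.*)", re.I)  # addr, opcode bytes, text

# Constructed sample: a copy of the register state and disassembly quoted in the post above.
SAMPLE_DUMP = """\
eax=00000003 ebx=00000003 ecx=00000000 edx=0013fc5c esi=00000003 edi=0a74d6ec
eip=00616f9f esp=0013fc48 ebp=0013fc54 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
Bf2_w32ded+0x216f9f:
00616f9f 8b01            mov     eax,dword ptr [ecx]  ds:0023:00000000=????????
00616fa1 ff9094000000    call    dword ptr [eax+94h]
"""

def parse_registers(dump):
    """Map each 32-bit general register (and eip) in the dump to its integer value."""
    return {r.lower(): int(v, 16) for r, v in REG_RE.findall(dump)}

def disassembly(dump):
    """[(address, 'mnemonic operands')] with the 'ds:...=????????' annotation and spacing normalised."""
    out = []
    for line in dump.splitlines():
        m = DIS_RE.match(line)
        if m:
            text = re.sub(r"\s+ds:\S+$", "", m.group(2))
            out.append((int(m.group(1), 16), " ".join(text.split())))
    return out

def triage(dump):
    """Describe the faulting access at eip: base register, effective address, and whether
    it reads as a NULL dereference (address below 64 KiB; that threshold is an assumption)."""
    regs, insns = parse_registers(dump), disassembly(dump)
    idx = next(i for i, (addr, _) in enumerate(insns) if addr == regs["eip"])
    insn = insns[idx][1]
    m = MEM_RE.search(insn)
    if not m:
        return {"kind": "no memory operand", "insn": insn}
    base, disp = m.group(1).lower(), int(m.group(2) or "0", 16)
    ea = (regs[base] + disp) & 0xFFFFFFFF
    result = {"insn": insn, "base": base, "base_value": regs[base], "effective_address": ea,
              "kind": "NULL pointer dereference" if ea < 0x10000 else "non-NULL address"}
    # The next instruction shows what the loaded value was for: "call dword ptr [eax+94h]"
    # calls through a table read from the NULL object, so a fix must check the object pointer
    # itself before the load, not just the field it reads.
    if idx + 1 < len(insns):
        result["next_insn"] = insns[idx + 1][1]
    return result
```

Running `triage(SAMPLE_DUMP)` names ecx as the NULL base with effective address 0 and shows the dependent call that follows.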
Post subject: Re: Battlefield 2 Crash
Posted: 19 Feb 2011 02:27

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
released the advisory and updated the proof-of-concept:
http://aluigi.org/adv/bf2null-adv.txt

from my test the problem happens when a real player leaves the server, so the step-by-step in the "The Code" section of the advisory should always work.


Post subject: Re: Battlefield 2 Crash
Posted: 20 Feb 2011 00:27

Joined: 25 Jan 2011 21:39
Posts: 5
I've tried this on my 1.0.2442.0 (1.0) BF2 server and the times the server crashes seem to be random on 1.0.
I've created a .bat file which runs bf2loop 3 times, and the server usually crashes the second time, but sometimes the 1st time or 3rd time (and rarely not at all).

It doesn't seem to matter (at least not on 1.0) if anyone has joined the server before you execute bf2loop; on 1.0 it can crash on PreGame, Playing, EndGame or Paused (from my tests at least).
(I'm on 1.0 because that's where my clan's servers are)


Post subject: Re: Battlefield 2 Crash
Posted: 09 Apr 2011 21:42

Joined: 16 Aug 2007 06:25
Posts: 367
BF2AHD fixes this bug (bf2ahd.com), as well as many other common BF2 problems.

