Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 45 posts ]  Go to page 1, 2  Next
 Post subject: Battlefield 2 Crash
PostPosted: 24 Jun 2009 20:26 

Joined: 26 Apr 2008 21:50
Posts: 27
Hello buddies,

By trying to imitate the Battlefield 2 protocol, I've made a mistake and it seems to crash the server. The server seems to hang and completely crash. I've also reported this bug to Electronic Arts and they've fixed it in the 1.5 patch. I don't know how it is caused, but a quick look into it seems to show an infinite loop because the packet length is less than expected(?).
I'm looking into doing a patch for the 1.4 binary to avoid my server being crashed.
Here I'm sending it only to luigi because someone may use it in bad faith to crash everyone, which is not what we really want.
( I've used VS08 to compile that, don't know if it needs any adjustment for GCC )

( Hey luigi, keep up the work, I'm reading you every week ! )


Last edited by Francis on 24 Jun 2009 20:40, edited 1 time in total.

 Post subject: Re: Battlefield 2 Crash
PostPosted: 24 Jun 2009 20:39 

Joined: 26 Apr 2008 21:50
Posts: 27
Here's more info: it seems to hang at address 0x0044B410 by looping infinitely.


 Post subject: Re: Battlefield 2 Crash
PostPosted: 24 Jun 2009 21:17 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
eh eh eh seems that my bf2fp and bf2_sniff were very useful :)
I will take a look at the code and the effects on the server and then I will let you know if I figure the exact cause of the problem.

anyway it's strange that EA didn't credit you in the changelog of the patch, indeed in my experience EA (ok not EA but that specific part who worked on bf1942) was one of the very very restricted number of developers who credited me offhandedly for a security vulnerability.


 Post subject: Re: Battlefield 2 Crash
PostPosted: 24 Jun 2009 21:39 

Joined: 26 Apr 2008 21:50
Posts: 27
Also I've found out why some packets have illogical structures: because the main server and client sometimes move the write and read pointer. More soon in a new thread. But EA and GameSpy are very big companies which don't care about crediting someone; they think that we all belong to them and they never ask themselves why there are so many vulnerabilities in their software. But for a fix I don't want to attach a DLL to the process in order to patch it; I'd rather get a new patched bf2_w32ded, but I'm not familiar enough with assembly.
I remember having lent this software to someone to show it to him; he used it in bad faith and a bunch of servers crashed for about 12 hours. Someone finally took a Wireshark capture and found out his IP address, gave it to EA Games, GameSpy blocked it on their router and a bunch of EA partners blocked it too. I remember too that he was unable to visit your website, because your host is also hosting Battlefield 2 servers which were getting hit too. I've fixed my server against this software by exactly matching the packet to avoid him crashing my and my friends' servers, but there are many other ways of doing it. Another less dirty fix would be to exit the assembly code when it loops more than a hundred times.

EDIT: I've included a quick loader to load bf2_w32ded and attach a DLL to it; it should be easily ported to C because it is only two simple functions :)


Attachments:
loader.cpp [1.74 KiB]
Downloaded 429 times


Last edited by Francis on 24 Jun 2009 21:50, edited 1 time in total.
 Post subject: Re: Battlefield 2 Crash
PostPosted: 24 Jun 2009 21:48 

Joined: 16 Aug 2007 06:25
Posts: 367
Very interesting, nice discovery Francis. Hope you or Luigi can release a third party fix that server admins can use until the new patch comes out.

Do players need a valid cd-key to crash servers, or can this crash be performed before the cd-key check? If anyone can crash it, then that's a big problem. But if you need a valid cd-key to crash, then admins could ban the cd-key and EA could disable cd-keys for offenders (such as the person you previously mentioned).


 Post subject: Re: Battlefield 2 Crash
PostPosted: 24 Jun 2009 22:00 

Joined: 26 Apr 2008 21:50
Posts: 27
The crash is before the cdkey check, and mine is doing the crash/hang packet after the first checkup (which checks for the server password), right in the cdkey check packet by providing a gibberish GameSpy cdkey hash.
I've also tried to use the 1.5 patch with the 1.4 client by putting the 1.4 in the checkup. It works well but some functionality seems not to work, like the chat. I can make a quick fix but it will be dirtier than Luigi's, like exiting the loop after a hundred iterations.


 Post subject: Re: Battlefield 2 Crash
PostPosted: 24 Jun 2009 22:04 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
there is one thing which is not clear (at least for me because I have never played this game and I'm downloading the big patches now), isn't the patch 1.5 intended also for the servers?
as you have said it fixes the bug so where is the problem?
because clients are all 1.4 and so can't join a 1.5 server?


 Post subject: Re: Battlefield 2 Crash
PostPosted: 24 Jun 2009 22:10 

Joined: 26 Apr 2008 21:50
Posts: 27
aluigi wrote:
there is one thing which is not clear (at least for me because I have never played this game and I'm downloading the big patches now), isn't the patch 1.5 intended also for the servers?
as you have said it fixes the bug so where is the problem?
because clients are all 1.4 and so can't join a 1.5 server?

Yes, the big 1.5 patch fixes the bug, but the big 1.5 patch is not out yet, still in "beta phase", so everyone is playing 1.4 right now (server and client). And yes, we need the same client and server, but I've cheated the server version check phase to make a 1.5 server accept a 1.4 client; chat is not working in that case, though. Just beware: if you install 1.5 you won't be able to use 1.4 until you reinstall the game. So you should copy the 1.4 folder before patching it.


 Post subject: Re: Battlefield 2 Crash
PostPosted: 24 Jun 2009 22:48 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
in the meantime I confirm the bug.
I have not used your code but I have modified bf2fp.c and yes there is an endless loop between 0044b410 and 0044b679 (I guess I have version 1.41, damn EA which assigns versions different to the patch version, anyway it's 1.1.2965-797) and this bug reminds me a lot of the various loops I found in Halo: an amount of bits to read which is never read, so the loop never terminates.

I guess I will see if it's possible to fix it tomorrow since now it's late.
anyway good job Francis


 
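The failure mode described in the post above (a field that claims more bits than the packet carries, so the reader never makes progress) and the "give up after a hundred iterations" guard proposed earlier in the thread, as an added example in C that is not part of the original thread or of any Battlefield code; the packet layout (an 8-bit count followed by that many 8-bit characters), the reader and all names are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Minimal MSB-first bitstream reader, constructed for this example. It is not
 * the Battlefield code and the packet layout below is hypothetical. */
typedef struct {
    const uint8_t *data;
    size_t bit_len;   /* total bits carried by the packet */
    size_t bit_pos;   /* next bit to read */
} bitreader_t;

/* Read n bits (n <= 32). The check up front is the whole point: when the
 * packet holds fewer bits than the field needs, fail instead of spinning
 * on a read that can never make progress. */
static bool br_read(bitreader_t *br, unsigned n, uint32_t *out) {
    if (n > 32 || br->bit_len - br->bit_pos < n) return false;
    uint32_t v = 0;
    for (unsigned i = 0; i < n; i++) {
        size_t p = br->bit_pos + i;
        v = (v << 1) | ((br->data[p >> 3] >> (7 - (p & 7))) & 1);
    }
    br->bit_pos += n;
    *out = v;
    return true;
}

/* Hypothetical field: 8-bit count followed by that many 8-bit characters.
 * Returns the count on success, -1 on a truncated or oversized field.
 * MAX_ITER is the "bail out after a hundred iterations" guard suggested in
 * the thread, kept as a second line of defence behind the length check. */
#define MAX_ITER 100
static int parse_field(const uint8_t *pkt, size_t len, char *out, size_t outsz) {
    bitreader_t br = { pkt, len * 8, 0 };
    uint32_t count, ch;
    if (!br_read(&br, 8, &count) || count >= outsz) return -1;
    for (uint32_t i = 0; i < count; i++) {
        if (i >= MAX_ITER || !br_read(&br, 8, &ch)) return -1;
        out[i] = (char)ch;
    }
    out[count] = '\0';
    return (int)count;
}

/* Constructed packets: a well-formed one, and one whose count claims more
 * characters than the packet actually carries. */
static int demo_ok(void) {
    const uint8_t p[] = {3, 'a', 'b', 'c'}; char b[16];
    return parse_field(p, sizeof p, b, sizeof b);
}
static int demo_truncated(void) {
    const uint8_t p[] = {9, 'a', 'b'}; char b[16];
    return parse_field(p, sizeof p, b, sizeof b);
}
```

The truncated packet is rejected on the third read rather than being retried forever, which is the behaviour a hardened reader should show for the short-packet case discussed in this thread.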
 Post subject: Re: Battlefield 2 Crash
PostPosted: 24 Jun 2009 23:21 

Joined: 26 Apr 2008 21:50
Posts: 27
aluigi wrote:
in the meantime I confirm the bug.
I have not used your code but I have modified bf2fp.c and yes there is an endless loop between 0044b410 and 0044b679 (I guess I have version 1.41, damn EA which assigns versions different to the patch version, anyway it's 1.1.2965-797) and this bug reminds me a lot of the various loops I found in Halo: an amount of bits to read which is never read, so the loop never terminates.

I guess I will see if it's possible to fix it tomorrow since now it's late.
anyway good job Francis

Yes, it is indicated 1.1.2965 but I think they forgot to change it.
A part of the credit goes to you: you taught me the "bitstream" principle and with the tool you provided I have fixed about 3 known exploits, so our server is crashing less and everyone is happier :)

Exploits are commonly:
Duplicate nickname: crashes every client but the server, if someone joins with a name already present on the server. I've fixed it by hooking the Winsock API and filtering the join packet, rejecting the packet if the user is already present on the server.
Chat spam exploit: when someone quickly spams the chat and disconnects, probably causing out-of-order UDP packets, clients receive a chat packet while the player is no longer on the server, crashing every client. Packets are filtered and if it is spam, the server ignores the client so it can't quickly disconnect, giving clients time to receive his crap.
Commander exploit: this one is practically a shame. Someone who is not commander can send UAV, artillery, resign the current commander, and they can even spam the assets and crash everyone (example: they spam the vehicle drop so there are a hundred vehicle drops at once, thus creating lag). I've put an extra hook so it checks whether the commander bit is 1.

These fixes and the code are quick 'n' dirty; I did it for a friend's server which has a lot of players and it is running well. I've also noticed BF2AHD, "Battlefield 2 Anti-Hack Daemon"; they sell it for a lot of money and it is vulnerable to this packet hang bug, I've tested it :)


 Post subject: Re: Battlefield 2 Crash
PostPosted: 25 Jun 2009 00:30 

Joined: 16 Aug 2007 06:25
Posts: 367
Ah yes, the commander exploit :). Many online cheats take advantage of this bug. I heard they are patching it in 1.5.

The duplicate nickname is also interesting. By using Luigi's gs_login_server tool you can pretty much be whatever name you wish since you can bypass the real gamespy login servers.. so I would assume it can cause a crash if you just pretend to be someone who is already on the server.

Great work overall. I hope they credit you in 1.5 as they did for Luigi in BF1942. Keep it up!


 Post subject: Re: Battlefield 2 Crash
PostPosted: 25 Jun 2009 11:26 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
just a quick non-update since I'm trying to figure both cause and fix in this moment (not easy due to the complexity of the bf design and code).

as imagined, also Battlefield 2142 is vulnerable and, although I have not tested it, bf1942 is probably bugged too.

anyway the cause is still unclear because as already said the design of bf sux, the only thing I can see for the moment is that the main loop (the one with select() set to 3 seconds) works correctly so the problem could be in one of the internal functions but I doubt since I'm excluding them and the only hypothesis is that the loop is in a thread... anyway it's still a work-in-progress.


 Post subject: Re: Battlefield 2 Crash
PostPosted: 25 Jun 2009 13:55 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
attached is the first solution I have found, which works universally on bf1942, bf2 and bf2142.
obviously beta testers are now needed to test it, so report here any problem

then it's possible that it works with the linux server too but I have not tried since I don't have linux executables of the dedicated server now, and anyway I want to wait for the final feedback.

*edit* removed old version


 Post subject: Re: Battlefield 2 Crash
PostPosted: 25 Jun 2009 20:56 

Joined: 26 Apr 2008 21:50
Posts: 27
Testing it right now! :)


 Post subject: Re: Battlefield 2 Crash
PostPosted: 25 Jun 2009 21:26 

Joined: 26 Apr 2008 21:50
Posts: 27
Great! I really liked the patcher utility, going to put it into production on an empty server, 209.44.97.172, try it


 Post subject: Re: Battlefield 2 Crash
PostPosted: 25 Jun 2009 21:58 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
just out of curiosity (I don't touch stuff which is not mine but this is a particular case) I tried it and the server seemed to freeze but it is possible that it was the one-player protection you mentioned in the previous post.
can you confirm it?


 Post subject: Re: Battlefield 2 Crash
PostPosted: 25 Jun 2009 22:17 

Joined: 26 Apr 2008 21:50
Posts: 27
Bizarre, it doesn't seem to crash when the server is empty. Maybe because mine is connected and it self-counts for one slot; can you share your fake player bug modification?

EDIT: I'm connected right now on the server


 Post subject: Re: Battlefield 2 Crash
PostPosted: 25 Jun 2009 22:38 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
now I have tried the PoC various times and your server never timed out

*update*: suddenly while I was testing my local server it crashed due to a null pointer... mah strange


 Post subject: Re: Battlefield 2 Crash
PostPosted: 25 Jun 2009 22:57 

Joined: 26 Apr 2008 21:50
Posts: 27
I've just found a new bug by making another mistake in the cdkey packet, which is not related to this one. This seems to be a null pointer (memory cannot be read at 0x00000000), and it crashed the bf2 server again... Obviously this game is not built with security in mind. More info to come in a new thread.

EDIT: maybe the same thing? mine is hanging at 0x006195ff
EDIT2: Finally I think it is related to the same exploit, after checking the bf2sniff log


Last edited by Francis on 25 Jun 2009 23:00, edited 2 times in total.

 Post subject: Re: Battlefield 2 Crash
PostPosted: 25 Jun 2009 22:57 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
update: the work-around is not ok or incomplete.
the null pointer (006195ff) happens when a real client leaves the server and the server is tested with the proof-of-concept so everything must be redone... uff

*edit* and the null pointer happens also if instead of skipping the jmp I return 8 instead of 9 (returning 8 is not a bad solution although less "universally applicable")


 Post subject: Re: Battlefield 2 Crash
PostPosted: 25 Jun 2009 23:17 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
good news, I have fixed that null pointer and the server no longer has this problem.
now I'm checking if I can find a better way to fix the null pointer because the current one can't be applied easily to any version


 Post subject: Re: Battlefield 2 Crash
PostPosted: 25 Jun 2009 23:47 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
ok, let's go with version 0.2 of the work-around.
it's necessary to put more players in the server and test it with the proof-of-concept before, during and after each player enters/leaves the server.


Attachments:
File comment: beta version 0.2
bfloopfix.lpatch [3.19 KiB]
Downloaded 386 times
 Post subject: Re: Battlefield 2 Crash
PostPosted: 26 Jun 2009 11:24 

Joined: 26 Apr 2008 21:50
Posts: 27
I have tested it, and it doesn't seem to crash so far, but I'm going to test it in production today :)


 Post subject: Re: Battlefield 2 Crash
PostPosted: 29 Jun 2009 20:45 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
news?


 Post subject: Re: Battlefield 2 Crash
PostPosted: 30 Jun 2009 04:32 

Joined: 26 Apr 2008 21:50
Posts: 27
Yes, it seems to work pretty well; actually there are 56 people connected and it doesn't seem to crash. Can you confirm by trying to hang it?


 Post subject: Re: Battlefield 2 Crash
PostPosted: 30 Jun 2009 09:50 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
tested and retested and it doesn't go down.
so I have released the patch publicly: http://aluigi.org/patches.htm#battlefield


 Post subject: Re: Battlefield 2 Crash
PostPosted: 09 Sep 2009 11:32 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
@Francis:
are there news about an "official" bf2142 patch?
because bf2 has been fixed one week ago with patch 1.50 but bf2142 (latest version is 1.50 aka 1.10.48) is still vulnerable as I reported and I see no plans from EA/Dice for an official fix.
are they sleeping or just don't care?


 Post subject: Re: Battlefield 2 Crash
PostPosted: 03 Jun 2010 21:16 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
oops I forgot to update this thread... well "only" one year has passed :)
no reply from Francis or details from EA, mah

the following is the PoC I wrote one year ago to test the bug found by Francis:
http://aluigi.org/poc/bf2loop.zip

summing up, the vulnerable BF versions are:
Battlefield 2 <= 1.41 (showed as 1.1.2965-797), so the official 1.50 is safe
Battlefield 2142 <= 1.50 (showed as 1.10.48.0)

and the following is my fix (exactly the same as one year ago, untouched):
http://aluigi.org/patches/bfloopfix.lpatch

Battlefield 1942 *seems* not vulnerable.

I have released no advisory because the bug has not been found by me, so this thread (and the PoC) is the only info and reference about this vulnerability.
that's also the reason why the proof-of-concept has not "seen the light" till today which, as anyone knows, is unusual for me and not my policy (I don't have a delay between the finding of the bug and the public release of its information).


 Post subject: Re: Battlefield 2 Crash
PostPosted: 05 Jun 2010 03:15 

Joined: 16 Aug 2007 06:25
Posts: 367
Looks like the latest version (1.5.3153-802.0) is still vulnerable. Running the PoC crashes the server.


 Post subject: Re: Battlefield 2 Crash
PostPosted: 05 Jun 2010 06:19 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
uhmm here I have that bf2 server version and instead it's fixed as expected.
are you sure you tested that bf2 version?
was it a dedicated server (like in my tests) or a non-dedicated one?

