The BASHandSlash.com Feed

BASH Webcasts

Wednesday, June 6, 2007

ATTENTION: CoD2 Server vulnerability found (Map Vote)

If you are an online CoD2 administrator, you need to pay careful attention to this.

I recently came across a website by a prolific Internet security expert who seems to specialize in online game software. His name is Luigi Auriemma, from Milan, Italy.

He runs a site dedicated to finding security flaws in games:

http://aluigi.altervista.org/

Signore Auriemma has told me that Call of Duty 2 has a software bug that can lead to an exploit (you'll know what all that means if you have been listening to the Malware series on my webcast).

Not surprisingly, the exploit revolves around the improper handling of user input during Call of Duty 2's map voting. All it takes is a user sending a very long string as the map name in a callvote map command during voting.

Here is a quote from his site:

http://aluigi.altervista.org/adv/codmapbof-adv.txt

Callvote is the command used by the clients asking the server to start a voting poll for the selection of a new map, for kicking someone and so on. Voting is enabled by default on the server.

The "callvote map MAP" string is handled by a function of the server which takes the MAP parameter and copies it (memcpy) in a local buffer of 64 bytes.

Mr. Auriemma also offers a patch that fixes this string-handling error in the server code and so prevents any exploit of it. He also provides a small test to check whether your server is susceptible.

http://aluigi.altervista.org/patches/codmapboffix.lpatch

The patch is in his lpatch format; download the lpatch tool here:

http://aluigi.altervista.org/mytoolz/lpatch.zip
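To make the advisory's description concrete, here is an added example, not Auriemma's patch and not the game's own code: a vote handler that checks the map-name length against the 64-byte buffer before copying, which is the check the vulnerable memcpy lacked. The function names, the result codes and the allowed character set are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAP_NAME_BUF 64   /* size of the server's local buffer, per the advisory */
/* Outcome of a "callvote map" request (names are this example's, not the game's). */
enum vote_result { VOTE_OK = 0, VOTE_BAD_SYNTAX, VOTE_TOO_LONG, VOTE_BAD_CHAR };

/* Copy the MAP argument of "callvote map MAP" into a MAP_NAME_BUF-byte buffer.
   The advisory describes a memcpy of the client-chosen length into that buffer;
   here the length is checked first, so an oversized name is refused instead.
   The allowed character set is an assumption (stock names look like mp_carentan). */
enum vote_result parse_callvote_map(const char *cmd, char out[MAP_NAME_BUF]) {
    static const char prefix[] = "callvote map ";
    const size_t plen = sizeof(prefix) - 1;
    if (strncmp(cmd, prefix, plen) != 0) return VOTE_BAD_SYNTAX;
    const char *arg = cmd + plen;
    size_t len = strcspn(arg, " \t\r\n");          /* argument ends at whitespace */
    if (len == 0) return VOTE_BAD_SYNTAX;
    if (len >= MAP_NAME_BUF) return VOTE_TOO_LONG;  /* keep room for the '\0' */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (!isalnum(c) && c != '_' && c != '-') return VOTE_BAD_CHAR;
    }
    memcpy(out, arg, len);
    out[len] = '\0';
    return VOTE_OK;
}

/* Result code for a whole command string. */
int vote_check(const char *cmd) {
    char map[MAP_NAME_BUF];
    return (int)parse_callvote_map(cmd, map);
}

/* Result code for a map name of n repeated 'A's (n <= 200), to probe the limit. */
int vote_check_name_len(size_t n) {
    char cmd[256] = "callvote map ";
    size_t plen = strlen(cmd);
    if (n > 200) return -1;
    memset(cmd + plen, 'A', n);
    cmd[plen + n] = '\0';
    return vote_check(cmd);
}

int main(void) {   /* constructed samples: one legitimate name, one oversized */
    printf("mp_carentan -> %d\n", vote_check("callvote map mp_carentan"));
    printf("64-char name -> %d\n", vote_check_name_len(MAP_NAME_BUF));
    return 0;
}
```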

Note that a firewall offers no protection against a vulnerability like this, because the malicious vote arrives as ordinary client traffic on the port the game server has to leave open. This is a known bug, and it might be worthwhile for players to ask their server administrators whether they are aware of this exploit.

The bug has been confirmed by RaDioAcTivE over on the extremecod.com forums. Here's what RaDioAcTivE said:

I helped Luigi come up with this patch. The exploit was reported to him along with the VA buffer overrun exploit and we worked with him to come up with a patch. Happy to say that both work well and it stopped our servers from being crashed.

He went out of his way to spend a couple of weeks going back and forth with me until he came up with a working patch when no one else would. At the time it was mainly for v1.0 servers since that's where the ******** were hanging out that were crashing the servers. It was mainly one group of people. We managed to get the leader of these idiots' ISP yanked along with their main web site and myspace accounts.

Luigi also helped to stop a couple of other exploits for UO for us as well.