Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:11486
HistoryFeb 17, 2006 - 12:00 a.m.

[Full-disclosure] Soldier of Fortune II format string through PunkBuster 1.180

2006-02-1700:00:00
vulners.com
21
JSON

#######################################################################

                         Luigi Auriemma

Application: Soldier of Fortune II with PunkBuster enabled
http://www.ravensoft.com/soldier2.html
http://www.PunkBuster.com
Versions: PB for server <= 1.180
Platforms: Windows, Linux and Mac
Bug: format string
Exploitation: remote, versus server (in-game)
Date: 16 Feb 2006
Author: Luigi Auriemma
e-mail: [email protected]
web: http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction

PunkBuster is a loved/hated anti-cheat system developed by Even Balance
(http://www.evenbalance.com) and officially used in many diffused games
like America's Army, Battlefield 1942/Vietnam/II, Call of Duty, Doom 3
and almost all the games based on the Quake 3 engine.

Although the bug I have found has been exploited only in Soldier of
Fortune II I cannot exclude other games which I have not tested
personally (no reply from the vendor).

#######################################################################

======
2) Bug

The PunkBuster server module supports the automatic kick and ban of the
players which use invalid cvars, for example with values outside the
range specified by the server.
When this situation occurs PB kicks the client using the game's
functions (like a clientkick command).
The message sent to the client contains both the name of the monitored
cvar and its value on the client, the resulted string is identified as
"reason".

The problem is that naturally Soldier of Fortune II makes no checks on
the "reason" parameter (watch trap_DropClient) which is passed by PB or
by the server admin for kicking a player, so the subsequent sprintf()
call is vulnerable to a format string attack.

Normally there is no way to exploit this bug if you are not the server
administrator (typing: clientkick 0 %n%n%n%n%n) but PunkBuster is the
way which allows any player inside the server to crash or possibly take
the control of the remote system.

#######################################################################

===========
3) The Code

  • launch a client
  • join a server (naturally with PunkBuster enabled)
  • type /pb_cvarlist
  • choose one of the monitored cvars like "snaps" for example
  • type: /set CVAR %n%n%n%n%n%n
    example: /set snaps %n%n%n%n%n%n
  • the server will crash after some second during the kicking of the
    client

#######################################################################

======
4) Fix

Evenbalance has silently fixed the bug after my report but I have
received no reply and there are no details on the PunkBuster website
about this bug or what has been exactly patched.
In the same day have been released also updated PB servers for other
games.
No comment…

#######################################################################

Luigi Auriemma
http://aluigi.altervista.org

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

JSON