Soldier of Fortune II format string through PunkBuster 1.180

2006.02.17
Risk: High
Local: No
Remote: Yes
CWE: CWE-134


CVSS Base Score: 6.4/10
Impact Subscore: 4.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: Partial

#######################################################################

                             Luigi Auriemma

Application:  Soldier of Fortune II with PunkBuster enabled
              http://www.ravensoft.com/soldier2.html
              http://www.PunkBuster.com
Versions:     PB for server <= 1.180
Platforms:    Windows, Linux and Mac
Bug:          format string
Exploitation: remote, versus server (in-game)
Date:         16 Feb 2006
Author:       Luigi Auriemma
              e-mail: aluigi (at) autistici (dot) org [email concealed]
              web:    http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

PunkBuster is a loved/hated anti-cheat system developed by Even Balance
(http://www.evenbalance.com) and officially used in many widely played
games like America's Army, Battlefield 1942/Vietnam/II, Call of Duty,
Doom 3 and almost all the games based on the Quake 3 engine.

Although the bug I have found has been exploited only in Soldier of
Fortune II, I cannot exclude other games which I have not tested
personally (no reply from the vendor).

#######################################################################

======
2) Bug
======

The PunkBuster server module supports the automatic kick and ban of
players who use invalid cvars, for example with values outside the range
specified by the server. When this situation occurs PB kicks the client
using the game's functions (like a clientkick command). The message sent
to the client contains both the name of the monitored cvar and its value
on the client; the resulting string is used as the "reason".

The problem is that Soldier of Fortune II, of course, makes no checks on
the "reason" parameter (see trap_DropClient), which is passed by PB or by
the server admin when kicking a player, so the subsequent sprintf() call
is vulnerable to a format string attack: the player-controlled cvar value
ends up inside the format argument.

Normally there is no way to exploit this bug if you are not the server
administrator (typing: clientkick 0 %n%n%n%n%n), but PunkBuster is the
way which allows any player inside the server to crash or possibly take
control of the remote system.

#######################################################################

===========
3) The Code
===========

- launch a client
- join a server (naturally with PunkBuster enabled)
- type /pb_cvarlist
- choose one of the monitored cvars, like "snaps" for example
- type: /set CVAR %n%n%n%n%n%n
  example: /set snaps %n%n%n%n%n%n
- the server will crash after some seconds, during the kicking of the
  client

#######################################################################

======
4) Fix
======

Evenbalance has silently fixed the bug after my report, but I have
received no reply and there are no details on the PunkBuster website
about this bug or what exactly has been patched.

On the same day updated PB servers for other games have also been
released.

No comment...

#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org
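Section 2 describes the hand-off (PunkBuster builds a "reason" from the monitored cvar and the client's value, the game then passes that reason through sprintf() as the format) and section 3 gives the payload. The C program below is an added example written for this page; it is not code from the advisory, from Soldier of Fortune II or from PunkBuster. It models the vulnerable kick path beside its hardened form and adds a check that rejects reasons carrying format directives. The function names, the wording of the reason string and the MAX_REASON buffer size are assumptions made for illustration.

```c
/* Added example, not code from the advisory, SoF2 or PunkBuster.
 * The PB-to-game hand-off, the reason wording and the names below are
 * assumptions used to model the bug class (CWE-134). */
#include <stdio.h>
#include <string.h>

#define MAX_REASON 256  /* assumed buffer size */

/* Model of PunkBuster building the kick reason: the monitored cvar name and
 * the value the client reported, inserted verbatim (exact wording assumed). */
int pb_build_reason(char *reason, size_t n, const char *cvar, const char *value)
{
    return snprintf(reason, n, "PunkBuster: invalid cvar %s = %s", cvar, value);
}

/* Vulnerable model of the game-side kick path: the attacker-influenced reason
 * is used as the format string itself.  A value such as "%n%n%n%n%n%n" makes
 * snprintf write through whatever sits in the vararg slots: a crash, or with
 * a crafted reason, controlled memory writes. */
char *kick_message_vulnerable(char *out, size_t n, const char *reason)
{
    snprintf(out, n, reason);          /* CWE-134: format comes from the reason */
    return out;
}

/* Hardened model: the reason is data, the format is a constant.
 * "%n%n%n%n%n%n" is now just twelve literal characters. */
char *kick_message_safe(char *out, size_t n, const char *reason)
{
    snprintf(out, n, "%s", reason);
    return out;
}

/* Defensive check a server module could apply before handing a player-
 * supplied string to any formatting function: a '%' that is not the escape
 * "%%" introduces a directive, so the string must be rejected or escaped. */
int reason_has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {        /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    char reason[MAX_REASON], msg[MAX_REASON];

    /* Constructed input: the payload from section 3, set as the "snaps" cvar. */
    pb_build_reason(reason, sizeof reason, "snaps", "%n%n%n%n%n%n");

    if (reason_has_format_directive(reason))
        printf("rejected: reason contains a format directive: %s\n", reason);

    /* Safe path: the same payload survives as plain text. */
    printf("safe: %s\n", kick_message_safe(msg, sizeof msg, reason));

    /* The vulnerable path is exercised only with a directive-free reason;
     * the "%%" collapsing to "%" shows the string is still being parsed. */
    printf("vuln: %s\n", kick_message_vulnerable(msg, sizeof msg, "snaps 50%% of limit"));
    return 0;
}
```

The %n payload is only ever fed to the checker and to the safe path, so the program stays well-defined; the vulnerable path is shown with "%%", which is enough to prove that the reason is being interpreted rather than copied. On a real server the same call with the section 3 payload is what produces the crash the advisory describes.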


Copyright 2024, cxsecurity.com