#######################################################################
Luigi Auriemma
Application: Soldier of Fortune II with PunkBuster enabled
http://www.ravensoft.com/soldier2.html
http://www.PunkBuster.com
Versions: PB for server <= 1.180
Platforms: Windows, Linux and Mac
Bug: format string
Exploitation: remote, versus server (in-game)
Date: 16 Feb 2006
Author: Luigi Auriemma
e-mail: aluigi (at) autistici (dot) org [email concealed]
web: http://aluigi.altervista.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
PunkBuster is a loved/hated anti-cheat system developed by Even Balance
(http://www.evenbalance.com) and officially used in many diffused games
like America's Army, Battlefield 1942/Vietnam/II, Call of Duty, Doom 3
and almost all the games based on the Quake 3 engine.
Although the bug I have found has been exploited only in Soldier of
Fortune II I cannot exclude other games which I have not tested
personally (no reply from the vendor).
#######################################################################
======
2) Bug
======
The PunkBuster server module supports the automatic kick and ban of the
players which use invalid cvars, for example with values outside the
range specified by the server.
When this situation occurs PB kicks the client using the game's
functions (like a clientkick command).
The message sent to the client contains both the name of the monitored
cvar and its value on the client, the resulted string is identified as
"reason".
The problem is that naturally Soldier of Fortune II makes no checks on
the "reason" parameter (watch trap_DropClient) which is passed by PB or
by the server admin for kicking a player, so the subsequent sprintf()
call is vulnerable to a format string attack.
Normally there is no way to exploit this bug if you are not the server
administrator (typing: clientkick 0 %n%n%n%n%n) but PunkBuster is the
way which allows any player inside the server to crash or possibly take
the control of the remote system.
#######################################################################
===========
3) The Code
===========
- launch a client
- join a server (naturally with PunkBuster enabled)
- type /pb_cvarlist
- choose one of the monitored cvars like "snaps" for example
- type: /set CVAR %n%n%n%n%n%n
example: /set snaps %n%n%n%n%n%n
- the server will crash after some second during the kicking of the
client
#######################################################################
======
4) Fix
======
Evenbalance has silently fixed the bug after my report but I have
received no reply and there are no details on the PunkBuster website
about this bug or what has been exactly patched.
In the same day have been released also updated PB servers for other
games.
No comment...
#######################################################################
---
Luigi Auriemma
http://aluigi.altervista.org