#######################################################################
Luigi Auriemma
Application: Dropteam
http://www.battlefront.com/products/dropteam/news.html
Versions: <= 1.3.3
Platforms: Windows, Linux and Mac
Bugs: A] format string through packet 0x01
B] buffer-overflow through packet 0x5c
C] heap-overflow through packet 0x18
D] various memory crashes through packet 0x4b
E] account password sent to server
Exploitation: remote, versus server
Date: 05 Oct 2007
Author: Luigi Auriemma
e-mail: aluigi (at) autistici (dot) org
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Dropteam is a tactical war game developed by Battlefront
(http://www.battlefront.com).
#######################################################################
=======
2) Bugs
=======
------------------------------------
A] format string through packet 0x01
------------------------------------
Several format string vulnerabilities can be exploited through packet
0x01, where the account username, the account password and the nickname
supplied by the client are used directly as the format argument of
sprintf().
Note that the formatted strings are sent back to the client in the
server's reply packet, so an attacker can read stack contents with
directives such as %x or %p and tune the exploit for the highest chance
of success.
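The pattern described above and its fix, as an added example in C written for this page (it is not Dropteam's code, whose source is not public): build_reply_vuln() passes the client string to sprintf() as the format, build_reply_safe() uses a constant format with the client string as a %s argument and a bounded destination, and count_format_directives() is a hypothetical server-side check that counts conversion directives so login packets carrying them can be logged or rejected.

```c
#include <stdio.h>
#include <string.h>

#define REPLY_MAX 256

/* Vulnerable pattern from the advisory (illustration, not Dropteam's code): the
 * client-controlled string (username, password or nickname from packet 0x01)
 * is passed to sprintf() as the FORMAT string. "%x"/"%p" read stack words into
 * the reply (and the reply is echoed back to the client, so they leak),
 * "%s" dereferences them and "%n" writes to them. */
int build_reply_vuln(char *out, const char *client_str)
{
    return sprintf(out, client_str);   /* gcc -Wformat-security warns here */
}

/* Fixed form: constant format string, client data only as a %s argument, and
 * the destination size passed so an over-long string cannot overflow it. */
int build_reply_safe(char *out, size_t outsz, const char *client_str)
{
    int n = snprintf(out, outsz, "%s", client_str);
    if (n < 0 || (size_t)n >= outsz)
        return -1;                     /* truncated: treat as a protocol error */
    return n;
}

/* Hypothetical server-side check: number of conversion directives in a client
 * string ("%%" is a literal percent sign and does not count). */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {             /* escaped percent sign */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    char reply[REPLY_MAX];
    const char *nick = "%p.%p.%p";     /* constructed attacker nickname */

    printf("directives in nickname: %d\n", count_format_directives(nick));

    build_reply_safe(reply, sizeof reply, nick);
    printf("safe reply : %s\n", reply);             /* literal "%p.%p.%p" */

    /* Undefined behaviour on purpose: the reply contains whatever sprintf()
     * finds in the argument registers/stack, which the server would then
     * send back to the client. */
    build_reply_vuln(reply, nick);
    printf("vuln reply : %s\n", reply);
    return 0;
}
```

Compiling with -Wformat-security (or -Wformat=2) flags the vulnerable call at build time; what the vulnerable reply actually contains depends on platform and compiler, since passing a non-literal format with no arguments is undefined behaviour.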
--------------------------------------
B] buffer-overflow through packet 0x5c
--------------------------------------
A buffer overflow is exploitable through packet 0x5c, where a stack
buffer is filled with the various data supplied by the client without
proper length checks.
------------------------------------
C] heap-overflow through packet 0x18
------------------------------------
Packet 0x18 is stored in a 16-kilobyte heap buffer, but the number of
32-bit values copied into it is taken from a 16-bit field supplied by
the attacker and doubled (16 bit << 1), so up to 131070 values (524280
bytes) can be written into the 16384-byte buffer.
-------------------------------------------
D] various memory crashes through packet 0x4b
-------------------------------------------
Another heap overflow is triggered during the handling of packet 0x4b,
which is composed of up to 255 strings of up to 65535 bytes each.
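Bugs C and D are both missing length checks on attacker-supplied counts, so one added example serves both. The C code below is written for this page and is not Dropteam's code; the packet layouts (a little-endian 16-bit count followed by 32-bit values for 0x18, an 8-bit string count followed by 16-bit-length-prefixed strings for 0x4b, with the packet-type byte already consumed), the function names and the 256-byte per-string slot are assumptions, since the advisory gives only the counts and limits. Every read goes through a cursor that checks the bytes remaining, parse_0x18() refuses a count that exceeds the 16 KB heap buffer, and parse_0x4b() refuses a string that would not fit its slot or the rest of the packet.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Cursor over a received packet; every read checks the bytes that remain. */
typedef struct { const uint8_t *p; size_t len; size_t pos; } pkt_t;

static int rd_u16(pkt_t *k, uint16_t *v)          /* little-endian (assumed) */
{
    if (k->len - k->pos < 2) return -1;
    *v = (uint16_t)(k->p[k->pos] | (k->p[k->pos + 1] << 8));
    k->pos += 2;
    return 0;
}

static int rd_u32(pkt_t *k, uint32_t *v)
{
    if (k->len - k->pos < 4) return -1;
    *v = (uint32_t)k->p[k->pos] | ((uint32_t)k->p[k->pos + 1] << 8)
       | ((uint32_t)k->p[k->pos + 2] << 16) | ((uint32_t)k->p[k->pos + 3] << 24);
    k->pos += 4;
    return 0;
}

/* Packet 0x18: a 16-bit count, doubled, gives the number of 32-bit values
 * (max 0xffff << 1 = 131070, i.e. 524280 bytes) written into a 16 KB heap
 * buffer. Returns the number of values stored or -1; the comparison against
 * buf_entries is the check the advisory says is missing. */
#define HEAP_BUF_BYTES 16384
int parse_0x18(const uint8_t *data, size_t len, uint32_t *buf, size_t buf_entries)
{
    pkt_t k = { data, len, 0 };
    uint16_t raw;
    if (rd_u16(&k, &raw)) return -1;
    uint32_t n = (uint32_t)raw << 1;
    if (n > buf_entries) return -1;              /* would overflow the heap buffer */
    for (uint32_t i = 0; i < n; i++)
        if (rd_u32(&k, &buf[i])) return -1;      /* packet shorter than it claims */
    return (int)n;
}

/* Packet 0x4b: up to 255 strings of up to 65535 bytes each. Assumed layout:
 * u8 count, then per string a u16 length and the bytes. Each string lands in
 * a fixed 256-byte slot (assumption), so every length is checked against both
 * the slot and the bytes left in the packet. */
#define MAX_STRINGS 255
typedef struct { char s[256]; } slot_t;

int parse_0x4b(const uint8_t *data, size_t len, slot_t *slots, size_t nslots)
{
    pkt_t k = { data, len, 0 };
    if (k.len < 1) return -1;
    uint8_t count = k.p[k.pos++];
    if (count > nslots) return -1;
    for (unsigned i = 0; i < count; i++) {
        uint16_t slen;
        if (rd_u16(&k, &slen)) return -1;
        if (slen >= sizeof slots[i].s) return -1;   /* would overflow the slot */
        if (k.len - k.pos < slen) return -1;        /* would read past the packet */
        memcpy(slots[i].s, k.p + k.pos, slen);
        slots[i].s[slen] = '\0';
        k.pos += slen;
    }
    return count;
}

int main(void)
{
    /* Constructed packets; the type byte (0x18 / 0x4b) is assumed consumed. */
    const uint8_t p18_ok[]   = { 0x02, 0x00, 1,0,0,0, 2,0,0,0, 3,0,0,0, 4,0,0,0 };
    const uint8_t p18_huge[] = { 0xff, 0xff };              /* claims 131070 values */
    const uint8_t p4b_ok[]   = { 2, 3,0,'a','b','c', 0,0 };
    const uint8_t p4b_big[]  = { 1, 0xff,0xff };            /* one 65535-byte string */
    uint32_t *heap = malloc(HEAP_BUF_BYTES);                /* the 16 KB buffer */
    static slot_t slots[MAX_STRINGS];

    printf("0x18 ok   -> %d\n", parse_0x18(p18_ok, sizeof p18_ok, heap, HEAP_BUF_BYTES / 4));
    printf("0x18 huge -> %d\n", parse_0x18(p18_huge, sizeof p18_huge, heap, HEAP_BUF_BYTES / 4));
    printf("0x4b ok   -> %d (%s)\n", parse_0x4b(p4b_ok, sizeof p4b_ok, slots, MAX_STRINGS), slots[0].s);
    printf("0x4b big  -> %d\n", parse_0x4b(p4b_big, sizeof p4b_big, slots, MAX_STRINGS));
    free(heap);
    return 0;
}
```

The same two checks (declared count against destination capacity, declared length against bytes remaining) are what a fix for bug B needs as well, with the stack buffer in place of the heap buffer.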
----------------------------------
E] account password sent to server
----------------------------------
To play Dropteam online it is necessary to register an account using
the valid product key of a purchased copy of the game.
The packet used by the client to join a server is composed of the
following fields: account username, account password, game version and
nickname.
The problem is that the account credentials are transmitted to whatever
server the client wants to join, allowing any server admin (anyone can
set up a server) to collect and use these accounts.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/dropteamz.zip
#######################################################################
======
4) Fix
======
The bugs will probably be fixed in the next patch.
#######################################################################
---
Luigi Auriemma
http://aluigi.org
http://forum.aluigi.org
http://mirror.aluigi.org