Soldier of Fortune II with PunkBuster enabled

2009.11.11
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

#######################################################################

                             Luigi Auriemma

Application:  Soldier of Fortune II with PunkBuster enabled
              http://www.ravensoft.com/soldier2.html
              http://www.PunkBuster.com
Versions:     PunkBuster for server <= 1.728
Platforms:    Windows, Linux and Mac
Bug:          buffer-overflow
Exploitation: remote, versus server (in-game)
Date:         09 Aug 2009
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

PunkBuster is a loved/hated anti-cheat system developed by Even Balance
(http://www.evenbalance.com) and officially used in many widespread games
like America's Army, Battlefield 1942/Vietnam/II, Call of Duty, Doom 3 and
almost all the games based on the Quake 3 engine.

Soldier of Fortune II is a widely played FPS game developed by Raven
Software (http://www.ravensoft.com) and published by Activision
(http://www.activision.com). Although it was released in May 2002 it is
still very popular (about 500 servers online, half of them with
PunkBuster enabled).

#######################################################################

======
2) Bug
======

A specific (logging?) function in pbsv.dll of SoF2 uses sprintf with a
4-kilobyte buffer to generate the log string:

  sprintf(buffer, "%s: %s", "^3PunkBuster Server", string);

Through a particular in-game PunkBuster packet (called the "restart
packet") an attacker can trigger the buffer overflow in the function
above, where "string" takes a value like
"Invalid Restart Packet: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...AAAA".
In my tests this was the only way to exploit the vulnerability.

The bug is in-game, so the attacker needs to join the server with
client-side PunkBuster enabled (pb_cl_enable), but it is not necessary
to have the PB service active because the bug is triggered immediately
before the various checks.
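The sprintf call above puts no bound on the second %s, so any message longer than the 4 KB buffer overruns it. The C below is an added example, not code from the advisory or from pbsv.dll: it measures how many bytes the original format would write and shows the bounded snprintf form with truncation detection. The 4096-byte buffer, the "^3PunkBuster Server" prefix and the "%s: %s" format come from the advisory; the function names and the padded "Invalid Restart Packet" test message are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PB_LOG_BUF 4096                  /* 4 KB log buffer named in the advisory */
#define PB_PREFIX  "^3PunkBuster Server" /* first %s argument from the advisory */

/* Bytes (incl. NUL) the original unbounded sprintf would write; snprintf with a
 * NULL buffer only measures, nothing is written anywhere. */
size_t pb_log_needed(const char *string)
{
    int n = snprintf(NULL, 0, "%s: %s", PB_PREFIX, string);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Hardened form: bounded write, always NUL-terminated; returns false when the
 * message had to be truncated so the caller can drop or flag it. */
bool pb_log_format(char *buffer, size_t size, const char *string)
{
    int n = snprintf(buffer, size, "%s: %s", PB_PREFIX, string);
    if (n < 0) { if (size) buffer[0] = '\0'; return false; }
    return (size_t)n < size;
}

/* Constructed (hypothetical) message shaped like the advisory's
 * "Invalid Restart Packet: AAAA..." string, with 'count' padding bytes. */
char *pb_make_padded_message(size_t count)
{
    const char *head = "Invalid Restart Packet: ";
    size_t hl = strlen(head);
    char *m = malloc(hl + count + 1);
    if (!m) return NULL;
    memcpy(m, head, hl);
    memset(m + hl, 'A', count);
    m[hl + count] = '\0';
    return m;
}

/* Does the hardened formatter accept a padded message of this size without
 * truncation? False exactly where the original sprintf would have overrun. */
bool pb_padded_fits(size_t count)
{
    char buffer[PB_LOG_BUF];
    char *m = pb_make_padded_message(count);
    bool fits = m && pb_log_format(buffer, sizeof buffer, m);
    free(m);
    return fits;
}
```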
#######################################################################

===========
3) The Code
===========

http://aluigi.org/mytoolz/proxocket.zip
http://aluigi.org/poc/sof2pbbof.zip

- copy ws2_32.dll and myproxocket.dll in the folder of the game
- launch the client
- enable PunkBuster (pb_cl_enable)
- join the server (it must support PunkBuster)
- the server will crash immediately when the player joins the server
  after having loaded the map

#######################################################################

======
4) Fix
======

No fix.

#######################################################################

References:

http://aluigi.org/poc/sof2pbbof.zip
http://xforce.iss.net/xforce/xfdb/52400
http://secunia.com/advisories/36221
http://aluigi.altervista.org/adv/sof2pbbof-adv.txt

Copyright 2024, cxsecurity.com