Exploitalert - Database of Exploits

Soldier of Fortune II format string through PunkBuster 1.180

CVE	Category	Price	Severity
CVE-2004-1442	CWE-189	$500	High

Author	Risk	Exploitation Type	Date
str0ke	High	Remote	2006-02-24

CVSS	EPSS	EPSSP
CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	0.00426405	0.74

CVSS vector description

Metric	Value	Metric Description	Value Description
Attack vector	Network	AV	The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity	Low	AC	The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required	None	PR	The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction	None	UI	The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope	Unchanged	S	An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality	High	C	There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity	High	I	There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability	High	A	There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.

http://cxsecurity.com/ascii/WLB-2006020054

####################################################################### Luigi Auriemma Application: Soldier of Fortune II with PunkBuster enabled http://www.ravensoft.com/soldier2.html http://www.PunkBuster.com Versions: PB for server <= 1.180 Platforms: Windows, Linux and Mac Bug: format string Exploitation: remote, versus server (in-game) Date: 16 Feb 2006 Author: Luigi Auriemma e-mail: aluigi (at) autistici (dot) org [email concealed] web: http://aluigi.altervista.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== PunkBuster is a loved/hated anti-cheat system developed by Even Balance (http://www.evenbalance.com) and officially used in many diffused games like America's Army, Battlefield 1942/Vietnam/II, Call of Duty, Doom 3 and almost all the games based on the Quake 3 engine. Although the bug I have found has been exploited only in Soldier of Fortune II I cannot exclude other games which I have not tested personally (no reply from the vendor). ####################################################################### ====== 2) Bug ====== The PunkBuster server module supports the automatic kick and ban of the players which use invalid cvars, for example with values outside the range specified by the server. When this situation occurs PB kicks the client using the game's functions (like a clientkick command). The message sent to the client contains both the name of the monitored cvar and its value on the client, the resulted string is identified as "reason". The problem is that naturally Soldier of Fortune II makes no checks on the "reason" parameter (watch trap_DropClient) which is passed by PB or by the server admin for kicking a player, so the subsequent sprintf() call is vulnerable to a format string attack. Normally there is no way to exploit this bug if you are not the server administrator (typing: clientkick 0 %n%n%n%n%n) but PunkBuster is the way which allows any player inside the server to crash or possibly take the control of the remote system. ####################################################################### =========== 3) The Code =========== - launch a client - join a server (naturally with PunkBuster enabled) - type /pb_cvarlist - choose one of the monitored cvars like "snaps" for example - type: /set CVAR %n%n%n%n%n%n example: /set snaps %n%n%n%n%n%n - the server will crash after some second during the kicking of the client ####################################################################### ====== 4) Fix ====== Evenbalance has silently fixed the bug after my report but I have received no reply and there are no details on the PunkBuster website about this bug or what has been exactly patched. In the same day have been released also updated PB servers for other games. No comment... ####################################################################### --- Luigi Auriemma http://aluigi.altervista.org

Impressum