Unexploitable buffer-overflow in America's Army 2.8.2 through PB

#######################################################################

                             Luigi Auriemma

Application:  America's Army and America's Army Special Forces
              
http://www.americasarmy.com
Versions:     <= 2.8.2
Platforms:    Windows, Linux and Mac
Bugs:         unexploitable buffer-overflow in the logging function
Exploitation: remote, versus servers with Punkbuster enabled
Date:         01 Oct 2007
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################



1) Introduction
2) Bug

#######################################################################

1. Introduction

   ---

America's Army is a realistic FPS game based and developed just by the the U.S. Army (http://www.goarmy.com).

#######################################################################

This bug is the same reported here:

  http://aluigi.org/adv/unrwebdos-adv.txt

What changes now is the possibility of exploiting it also in this specific game (since it doesn't support or doesn't seem to support the web service used as way for exploiting the bug in that advisory) and anonymously from outside the server with a single UDP packet.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

The only requirement is the running of Punkbuster on the server while for exploiting the vulnerability will be used the PB_Y (YPG server) or the PB_U (UCON) packets with a content of about 1024 bytes.

Exists also another minor problem which can be exploited only versus the Windows dedicated server (ever with Punkbuster enabled) since the chars printed on the console are not filtered so using invalid chars or 0x07 (the bell) can cause the freezing of the entire server.

#######################################################################

http://aluigi.org/poc/aaboompb.zip

#######################################################################

No fix.
The bug is public from the 18 Aug 2007 and the developers of the engine are aware of it from some weeks before that date.

#######################################################################

---
Luigi Auriemma

http://aluigi.orghttp://forum.aluigi.orghttp://mirror.aluigi.org

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek