Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:12805
HistoryMay 25, 2006 - 12:00 a.m.

Buffer-overflow in the WebTool service of PunkBuster for servers (minor than v1.229)

2006-05-2500:00:00
vulners.com
12
JSON

#######################################################################

                         Luigi Auriemma

Application: PunkBuster
http://www.punkbuster.com
Versions: PunkBuster for servers, versions minor than v1.229:
America's Army <= v1.228
Battlefield 1942 <= v1.158
Battlefield 2 <= v1.184
Battlefield Vietnam <= v1.150
Call of Duty <= v1.173
Call of Duty 2 <= v1.108
DOOM 3 <= v1.159
Enemy Territory <= v1.167
Far Cry <= v1.150
F.E.A.R. <= v1.093
Joint Operations <= v1.187
Quake III Arena <= v1.150
Quake 4 <= v1.181
Rainbow Six 3: Raven Shield <= v1.169
Rainbow Six 4: Lockdown <= v1.093
Return to Castle Wolfenstein <= v1.175
Soldier of Fortune II <= v1.183
Platforms: Win32, Linux and Mac
Bug: buffer overflow in the built-in web server for the remote
server's administration (WebTool)
Exploitation: remote, versus server
Date: 23 May 2006
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction

PunkBuster is the anti-cheat system developed by Even Balance
(http://www.evenbalance.com) officially used and distribuited in
almost all the most played and famous commercial multiplayer FPS games.

#######################################################################

======
2) Bug

PunkBuster contains a built-in HTTP server called WebTool for allowing
the admins to manage their game servers remotely through a normal web
browser:

http://www.evenbalance.com/publications/admins/#webtool

This web server is not enabled by default but must be activated
selecting the TCP port on which running the service using the command:
pb_sv_httpport PORT

The authentication mechanism is handled through a parameter called
webkey followed by the password and sent by the client using the POST
method or directly in the URL.

A webkey longer than 1024 bytes exploits a buffer-overflow which
happens when the program uses the memcpy function for copying the
attacker string in a limited buffer used for the comparison with the
valid service's password.

The following is the code from the pbsv.dll 1.183 of the game Soldier
of Fortune II where happens the exception which interrupts the game:


0511B3A8 8BB424 58100000 MOV ESI,DWORD PTR SS:[ESP+1058]
0511B3AF 8D4424 18 LEA EAX,DWORD PTR SS:[ESP+18]
0511B3B3 6A 41 PUSH 41
0511B3B5 50 PUSH EAX
0511B3B6 C68424 55100000 >MOV BYTE PTR SS:[ESP+1055],0
0511B3BE FF96 54010000 CALL DWORD PTR DS:[ESI+154]
0511B3C4 8BBC24 64100000 MOV EDI,DWORD PTR SS:[ESP+1064]

The ESI register is controlled by the attacker.
The memcpy function described above instead is located at offset
0512aea7.

#######################################################################

===========
3) The Code

Send the following text file to the port on which is running PunkBuster
WebTool:

http://aluigi.org/poc/pbwebbof.txt

or simply build and use a link like the following:

http://127.0.0.1:80/pbsvweb/plist=1&amp;webkey=aaaaaaaaaaaaa...1044...aaa

#######################################################################

======
4) Fix

Versions v1.229 and above.

#######################################################################

Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org

JSON