Multiple denial of service in Soldat 1.4.2/2.6.2

Published: Aug 25, 2007 (securityvulns SECURITYVULNS:DOC:17888, via vulners.com)

#######################################################################

                         Luigi Auriemma

Application: Soldat
http://www.soldat.pl
Versions: game <= 1.4.2 and dedicated server <= 2.6.2
Platforms: Windows (Linux not affected)
Bugs: A] clients crash caused by too long strings on the screen
      B] denial of service through file transfer port
      C] easy IP banning
Exploitation: remote
      A] versus clients
      B] versus server (Windows only)
      C] versus specific clients
Date: 23 Aug 2007
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction

Soldat is a small and cool 2D multiplayer game with tons of players and
servers around the world.

#######################################################################

=======
2) Bugs

First a short introduction about the types of servers available in the
game:

  • game server / non-dedicated server: a player runs Soldat.exe, starts
    the server and plays in it automatically (player is both client and
    server at the same time)
  • game dedicated server: Soldat.exe -dedicated, as above but the player
    cannot play, he will only see a graphical interface for handling the
    server
  • dedicated server: this refers to the stand-alone dedicated server
    (it uses a version number different from the game's), which is
    available for both Windows and Linux and runs in a console

A] clients crash caused by too long strings on the screen

The messages visualized on the screen of the clients can't be longer
than about 512 bytes, otherwise a crash will occur.
An attacker can exploit this problem in at least two ways:

  • if the server is non-dedicated he can simply send this long string
    with a line feed at the end to the file transfer port (default
    23083), the server will crash immediately

  • if the server is dedicated the attacker can send the long string as
    an in-game chat message and any player in it will crash like in the
    previous example

It doesn't seem possible to use this bug for executing malicious code.


B] denial of service through file transfer port

The file transfer port (default 23083, or the client port plus 10)
supports input strings of max 16384 bytes (line feed included) and can
be a problem for both the dedicated and non-dedicated Windows server:

  • the dedicated server runs in a classical console, which means that an
    attacker can use some chars (like 0x07) for "beeping" and freezing
    the Windows console due to the visualization of the requested map on
    the screen; during the attack the players in the server cannot play
    and the server is a hell of beeps and slowness

  • the game dedicated server (Soldat.exe -dedicated) suffers from a
    similar effect too, since it becomes very slow to use and to play
    on
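
As an added defensive example (not from the advisory and not Soldat's own code), the following Python filter applies the limits described in A] and B] to one line received on the file transfer port: the 16384-byte input maximum, the roughly 512-byte on-screen limit that crashes clients, and removal of control bytes such as 0x07. The 256-byte SAFE_LENGTH and the sample traffic are assumptions constructed for the example.

```python
from typing import NamedTuple

MAX_INPUT_LINE = 16384   # longest line the file transfer port accepts (advisory)
CRASH_LENGTH = 512       # approximate on-screen length that crashes clients (advisory)
SAFE_LENGTH = 256        # assumed conservative cap for text echoed to the screen


class Verdict(NamedTuple):
    action: str    # "accept", "truncate" or "reject"
    reason: str
    text: bytes    # what may safely reach the screen (empty when rejected)


def strip_control(data: bytes) -> bytes:
    """Keep printable ASCII only, dropping BEL (0x07), ESC and other control bytes."""
    return bytes(b for b in data if 0x20 <= b < 0x7F)


def filter_transfer_line(raw: bytes) -> Verdict:
    """Screen one newline-terminated line from the file transfer port."""
    if len(raw) > MAX_INPUT_LINE:
        return Verdict("reject", "exceeds protocol maximum line length", b"")
    line = raw.rstrip(b"\r\n")
    cleaned = strip_control(line)
    dropped = len(line) - len(cleaned)
    if len(cleaned) >= CRASH_LENGTH:
        return Verdict("reject", "would crash clients when rendered", b"")
    if len(cleaned) > SAFE_LENGTH:
        return Verdict("truncate", "shortened to safe display length", cleaned[:SAFE_LENGTH])
    reason = f"{dropped} control byte(s) removed" if dropped else "clean"
    return Verdict("accept", reason, cleaned)


# Constructed sample traffic, not captured from a real server.
SAMPLES = [
    b"GET maps/example_map.PMS\n",      # ordinary request
    b"\x07" * 200 + b"beep\n",           # console-freezing bell bytes (bug B)
    b"A" * 600 + b"\n",                  # oversized on-screen string (bug A)
    b"B" * 300 + b"\n",                  # long but survivable, gets truncated
    b"C" * 20000 + b"\n",                # beyond the 16384-byte input limit
]


def summarize(packets=SAMPLES) -> dict:
    """Count verdicts over a batch; usable as a quick detection metric."""
    counts = {"accept": 0, "truncate": 0, "reject": 0}
    for pkt in packets:
        counts[filter_transfer_line(pkt).action] += 1
    return counts
```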


C] easy IP banning

This is a problem that has affected Soldat for a long time; in fact the
bug is just the lack of a real check on the players who join the server,
in short a single UDP packet is enough to be inside it.
While in the past the banning happened with malformed packets (I wrote
a PoC for it), in the recent versions it is possible to exploit this
problem by sending multiple join packets, causing a ban of 20 minutes
for the source IP address.
So if an attacker can spoof his packets he could ban one or more IP
addresses on a specific server.
In my opinion this is not such a great problem; I have reported it here
only for thoroughness.

#######################################################################

===========
3) The Code

http://aluigi.org/poc/soldatdos.zip

#######################################################################

======
4) Fix

No fix.
I have been in contact with the developer for over two weeks, but
unfortunately I'm not able to explain these bugs better than I have
done here…

#######################################################################


Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org