PunkBuster pbsv.dll Buffer Overflow Vulnerability

Vulnerability ID: 1181196    Type: buffer overflow
Published: 2009-08-09    Updated: 2009-08-09
CVE: CVE-2009-3924    CNNVD-ID: CNNVD-200911-121
Platform: N/A    CVSS score: 9.3
|Sources
https://www.securityfocus.com/bid/43150
https://cxsecurity.com/issue/WLB-2009110065
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200911-121
|Details
PunkBuster (PB for short) is a game anti-cheat system developed by Even Balance. The pbsv.dll component of PunkBuster contains a buffer overflow: because of a boundary error in pbsv.dll, a remote attacker can send a restart packet containing an over-long string to trigger the overflow, causing a denial of service (application crash) and potentially arbitrary code execution.
|Exploit
###########

                             Luigi Auriemma

Application:  Soldier of Fortune II with PunkBuster enabled
              http://www.ravensoft.com/soldier2.html
              http://www.PunkBuster.com
Versions:     PunkBuster for server <= 1.728
Platforms:    Windows, Linux and Mac
Bug:          buffer-overflow
Exploitation: remote, versus server (in-game)
Date:         09 Aug 2009
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix

############################################################

===============
1) Introduction
===============


PunkBuster is a loved/hated anti-cheat system developed by Even Balance
(http://www.evenbalance.com) and officially used in many widely played
games like America's Army, Battlefield 1942/Vietnam/II, Call of Duty,
Doom 3 and almost all the games based on the Quake 3 engine.

Soldier of Fortune II is a widely played FPS game developed by Raven
Software (http://www.ravensoft.com) and published by Activision
(http://www.activision.com).
Although it was released in May 2002 it is still very much played (about
500 servers online, roughly half of them with PunkBuster enabled).

###########

======
2) Bug
======


A specific function (apparently a logging routine) in the sof2 pbsv.dll
uses sprintf with a 4-kilobyte buffer to generate the log string:

  sprintf(
    buffer,
    "%s: %s",
    "^3PunkBuster Server",
    string);

Through a particular in-game PunkBuster packet (the "restart packet") an
attacker can reach the buffer overflow in the function above: the
attacker controls the length of "string", which takes a value like
"Invalid Restart Packet: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...AAAA", so a
message longer than the 4-kilobyte buffer is written past its end.
In my tests this was the only way to exploit the vulnerability.

The bug is in-game, so the attacker needs to join the server with the
client-side PunkBuster enabled (pb_cl_enable), but it is not necessary
to have the PB service active because the bug is triggered immediately,
before the various checks are performed.
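The log formatter described above, as an added example that is not code from the advisory or from Even Balance: the unbounded sprintf shape beside a bounded replacement, both fed the "Invalid Restart Packet: AAAA..." string that a hostile restart packet produces. PB_LOG_BUF, the function names and the payload builder are assumptions made for the demo; the real packet encoding and the real function inside pbsv.dll are not shown on the page.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PB_LOG_BUF 4096                 /* 4 KB buffer size stated in the advisory */
#define PB_PREFIX  "^3PunkBuster Server" /* prefix shown in the advisory's snippet */

/* Vulnerable shape from the advisory: sprintf writes the whole message into a
 * fixed buffer with no length check. Intentionally never called in this demo,
 * because an over-long 'string' would smash the caller's stack. */
void pb_log_vulnerable(char *buffer, const char *string)
{
    sprintf(buffer, "%s: %s", PB_PREFIX, string);
}

/* Bytes the formatted message needs, excluding the NUL terminator. */
size_t pb_log_required(const char *string)
{
    int n = snprintf(NULL, 0, "%s: %s", PB_PREFIX, string);
    return n < 0 ? 0 : (size_t)n;
}

/* True when the message (plus its NUL) would not fit in a PB_LOG_BUF buffer,
 * i.e. the input that crashes the unbounded version. */
bool pb_log_would_overflow(const char *string)
{
    return pb_log_required(string) >= PB_LOG_BUF;
}

/* Hardened form: bounded write. Returns false when the output was truncated so
 * the caller can treat the sender as hostile instead of silently logging. */
bool pb_log_safe(char *buffer, size_t buflen, const char *string)
{
    int n = snprintf(buffer, buflen, "%s: %s", PB_PREFIX, string);
    if (n < 0) {
        if (buflen) buffer[0] = '\0';
        return false;
    }
    return (size_t)n < buflen;
}

/* Constructed payload: the fixed "Invalid Restart Packet: " text followed by
 * 'fill' bytes of 'A', bounded by outlen. Returns the resulting length. */
size_t build_restart_payload(char *out, size_t outlen, size_t fill)
{
    static const char head[] = "Invalid Restart Packet: ";
    size_t headlen = sizeof head - 1;
    if (outlen == 0) return 0;
    size_t n = headlen < outlen - 1 ? headlen : outlen - 1;
    memcpy(out, head, n);
    size_t room = outlen - 1 - n;
    size_t f = fill < room ? fill : room;
    memset(out + n, 'A', f);
    out[n + f] = '\0';
    return n + f;
}

/* Demo helpers: format a restart payload with 'fill' A's and report what the
 * bounded path does with it. */
size_t demo_required(size_t fill)
{
    static char p[8192];
    build_restart_payload(p, sizeof p, fill);
    return pb_log_required(p);
}

int demo_safe_fits(size_t fill)
{
    static char p[8192], b[PB_LOG_BUF];
    build_restart_payload(p, sizeof p, fill);
    return pb_log_safe(b, sizeof b, p) ? 1 : 0;
}

size_t demo_safe_len(size_t fill)
{
    static char p[8192], b[PB_LOG_BUF];
    build_restart_payload(p, sizeof p, fill);
    pb_log_safe(b, sizeof b, p);
    return strlen(b);
}

int main(void)
{
    printf("benign (16 A's): needs %zu bytes, fits=%d\n",
           demo_required(16), demo_safe_fits(16));
    printf("attack (6000 A's): needs %zu bytes, fits=%d, stored %zu bytes\n",
           demo_required(6000), demo_safe_fits(6000), demo_safe_len(6000));
    return 0;
}
```

The 6000-byte variant needs 6045 bytes, so the unbounded version would write about 2 KB past the 4 KB buffer; the bounded version stores 4095 bytes and reports truncation, which is the signal a server should log and act on rather than ignore.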


###########

===========
3) The Code
===========


http://aluigi.org/mytoolz/proxocket.zip
http://aluigi.org/poc/sof2pbbof.zip

- copy ws2_32.dll and myproxocket.dll into the game folder
- launch the client
- enable PunkBuster (pb_cl_enable)
- join the server (it must support PunkBuster)
- the server crashes immediately when the player joins it after the map
  has loaded

###########

======
4) Fix
======


No fix.

###########
|Affected products
Raven Software Soldier Of Fortune 2 0
|References

Source: MISC
Link: http://aluigi.org/poc/sof2pbbof.zip
Source: XF
Name: punkbuster-pbsv-bo(52400)
Link: http://xforce.iss.net/xforce/xfdb/52400
Source: SECUNIA
Name: 36221
Link: http://secunia.com/advisories/36221
Source: MISC
Link: http://aluigi.altervista.org/adv/sof2pbbof-adv.txt