Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
All times are UTC [ DST ]

 Post subject: America's Army 3 new and old vulnerabilities
Posted: 12 Jul 2009 23:39

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
well if this is the beginning I don't want to imagine how the future of this game will be.
I'm talking about America's Army 3 released less than one month ago and of which I can affirm that from a security point of view it's a disaster.

at the moment I'm writing, AA3 3.0.4 is affected by at least 4 vulnerabilities, of which one is still a work-in-progress:
- http://aluigi.org/adv/aa3blah-adv.txt
- http://aluigi.org/adv/ut3sticle-adv.txt
- http://aluigi.org/adv/ut3mendo-adv.txt
- the JOINSPLIT bug

I have found the first one just some days ago.
the other 2 are the famous vulnerabilities which I found in the Unreal 3 engine in 2008 and are magically still here in this new game.

at the moment I have unofficially fixed the first 2 while the third is a complete chaos so forget a quick fix.

now about this fourth vulnerability, it's related to the senseless JOINSPLIT command which practically allows one single client to occupy all the slots of the server it wants.
so, yes, it's enough to remove this command to avoid the bug (I will release the work-around when I will release the advisory).

the cause is still not very clear; anyway, the following is the proof-of-concept for testing it, and if someone has their own internet server let me know the result of the test:
Code:
unrealfp -1 -x 7 -s JOINSPLIT 1 100 -l "ui_bink_master?Name=player?team=0?Face=0" 127.0.0.1 8777


 Post subject: Re: America's Army 3 new and old vulnerabilities
Posted: 13 Jul 2009 23:23

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
version 3.0.5 of AA3 has just been released.
this new version fixes only the first bug listed before so all the other 3 are still there.
I have also released the advisory for the fourth bug but there is no fix because the problem looks more complex than what I thought:

http://aluigi.org/adv/aa3boh-adv.txt


 
 Post subject: Re: America's Army 3 new and old vulnerabilities
Posted: 14 Jul 2009 20:01

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
new vulnerability, also interesting to read in my opinion:
http://aluigi.org/adv/aa3mah-adv.txt


 
 Post subject: Re: America's Army 3 new and old vulnerabilities
Posted: 14 Jul 2009 23:55

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
found 2 other new vulnerabilities:
http://aluigi.org/adv/aa3pwood-adv.txt


 
 Post subject: Re: America's Army 3 new and old vulnerabilities
Posted: 15 Jul 2009 14:46

Joined: 22 Mar 2009 06:59
Posts: 5
Aluigi, to add to your exploits, I believe because the aa3 query protocol payload is so large (and the request so tiny), and that the protocol does not use a challenge/response algorithm to verify/mitigate against spoofed packet origins, you could spoof the source address of the udp query packet and use these game servers to packet flood arbitrary addresses (like UT did prior to a challenge/response algorithm being made).
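
As an added illustration of the challenge/response mitigation mentioned in the post above (not code from this thread or from the game): a stateless cookie bound to the claimed source address keeps the large reply from going to an address that never proved it can receive packets. The 9-byte request framing, the one-byte opcodes and the `SERVER_INFO` payload are assumptions, not the AA3 query format.

```python
import hashlib
import hmac
import os
import time

SECRET = os.urandom(32)               # per-process key, never sent on the wire
WINDOW = 30                           # seconds per cookie time slot
SERVER_INFO = b"I" + b"x" * 1200      # constructed stand-in for a large query reply

def make_cookie(addr, now):
    """8-byte MAC over the claimed source (ip, port) and the current time slot."""
    msg = f"{addr[0]}|{addr[1]}|{int(now // WINDOW)}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:8]

def cookie_ok(addr, cookie, now):
    """Accept a cookie from the current or the previous time slot."""
    return any(hmac.compare_digest(cookie, make_cookie(addr, t))
               for t in (now, now - WINDOW))

def handle_query(addr, packet, now=None):
    """Hypothetical framing: request = b'Q' + 8-byte cookie (zeros on first contact).
    Returns the reply bytes, or None when the packet is dropped."""
    now = time.time() if now is None else now
    if len(packet) != 9 or packet[:1] != b"Q":
        return None                               # malformed: send nothing
    if cookie_ok(addr, packet[1:], now):
        return SERVER_INFO                        # source address proved reachable
    return b"C" + make_cookie(addr, now)          # 9 bytes out for 9 bytes in
```

Because the unverified reply is never larger than the request, a spoofed source address receives no more traffic than the sender spent producing it.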


 
 Post subject: Re: America's Army 3 new and old vulnerabilities
Posted: 15 Jul 2009 17:34

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
just released another new advisory, this time involving the handling of the fragmented packets (again in the usual query port 39300, which I can define as the most bugged component of this game):
http://aluigi.org/adv/aa3memset-adv.txt

take a look because it's interesting and allows one to understand why using signed fields should always be avoided.

I guess that for the moment this is the last advisory because in my opinion 7 vulnerabilities all exploitable with only one single packet in a game like America's Army 3 (played by tons of people and practically the most recent game in this moment) are enough for it and for me.

the last 3 bugs I have found should be easy enough to fix so, in case of problems or if the patch 3.0.6 will not solve them, let me know and I can make a patch for them on the fly.
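
An added illustration of the point about signed fields in fragment handling (not code from the advisory or the game, and not the AA3 packet layout): the same bounds check is run over fields decoded as signed and as unsigned, with writes simulated on a flat memory image. The 4-byte header (16-bit offset, 16-bit length), the sizes and the sample fragments are constructed.

```python
import struct

BUF_SIZE = 256   # reassembly buffer size (constructed)
GUARD = 64       # unrelated bytes that sit just before the buffer in memory

def parse_signed(hdr):
    """Flawed: fields decoded as signed 16-bit, only the upper bound is tested."""
    offset, length = struct.unpack("<hh", hdr)
    if offset + length > BUF_SIZE:
        return None
    return offset, length

def parse_unsigned(hdr):
    """Hardened: unsigned fields; the bound is checked by subtraction, a form
    that also carries over to fixed-width C arithmetic."""
    offset, length = struct.unpack("<HH", hdr)
    if length > BUF_SIZE or offset > BUF_SIZE - length:
        return None
    return offset, length

def reassemble(fragments, parse):
    """Copy fragments into a flat memory image (GUARD bytes, then the buffer),
    the way C code would write to buf + offset. Returns (guard_intact, accepted)."""
    mem = bytearray(b"\xAA" * GUARD + b"\x00" * BUF_SIZE)
    accepted = 0
    for frag in fragments:
        parsed = parse(frag[:4]) if len(frag) >= 4 else None
        if parsed is None:
            continue                              # rejected by the bounds check
        offset, length = parsed
        data = frag[4:4 + max(length, 0)]
        start = GUARD + offset                    # address of buf + offset
        if start < 0 or start + len(data) > len(mem):
            raise ValueError("write outside the simulated memory image")
        mem[start:start + len(data)] = data
        accepted += 1
    return bytes(mem[:GUARD]) == b"\xAA" * GUARD, accepted

# Constructed fragments: one well-formed, one whose offset 0xFFF0 reads as -16.
GOOD = struct.pack("<HH", 0, 4) + b"ABCD"
BAD = struct.pack("<HH", 0xFFF0, 16) + b"B" * 16
```

With the signed decode, `BAD` passes the check because -16 + 16 is 0, and its 16 bytes land in the guard region ahead of the buffer; with the unsigned decode the same bytes read as offset 65520 and the fragment is rejected.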


 
 Post subject: Re: America's Army 3 new and old vulnerabilities
Posted: 13 Sep 2009 16:21

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
the new 3.0.6 patch released some days ago IS still vulnerable to all the 5 bugs I have found:
http://aluigi.org/adv/aa3boh-adv.txt
http://aluigi.org/adv/aa3mah-adv.txt
http://aluigi.org/adv/aa3pwood-adv.txt [A]
http://aluigi.org/adv/aa3pwood-adv.txt [B]
http://aluigi.org/adv/aa3memset-adv.txt

