Luigi Auriemma

I saw this link in #milw0rm and tested in quake 4, it worked.

http://pastebin.com/f2a5971db

really very interesting.
I tried to send a PB_Y packet to my ET 2.60b test server (with PB NOT update, v1.285) and yes was possible to execute any command (rconpassword asdf, quit, any) but after the pb_sv_update the YPG server is misteriously vanished because the 0x59 type seems no longer handled.

anyway I have some doubts when you say to have seen it on milw0rm, because in the moment I'm writing there is no trace in all internet (included milw0rm) of this vulnerability.

*EDIT*: post6011.html#p6011

any chance to do that in q3? If not very great :)

if you don't have perl or don't know how to build the packet for making the test you can just use pbmsgs: http://aluigi.org/papers.htm#pbmsgs

pbmsgs 127.0.0.1 27960 " \"\" CMD \"quit\""

well, I have just finished to exchange some mails with EvenBalance about this matter but they don't want that I quote some of the content of the mails so I will explain everything with my own words which are more clear:

the YPG server was a special function that PunkBuster added by request of an hosting company and its job was granting password-less rcon access to the Return to Castle Wolfenstein game servers owned by this company.
practically this version of the PunkBuster server was created only for this company, something like a private version to be used in its LAN parties.

anyway due to a programming mistake (EvenBalance refers to a #define, so something like a "#define YPG" left uncommented in the code) this and probably some other specific functions remained active also in the public release which is then being used in all the games which are supported by PunkBuster.

so this should solve all the doubts about the faults of EvenBalance.

obviously on the other side the effects are devastating because due to this distraction error that simple feature has gained the power of a backdoor so anyone aware of it was able to execute anonymous and spoofed rcon commands on any game server with PunkBuster enabled.

searching on the PunkBuster website the only reference about RTCW and the "YPG" acronym seems to be a certain YouPlayGames company which had a contract with both id software and EvenBalance just about this game:
http://www.evenbalance.com/index.php?pa ... unce03.php (Tuesday March 4th, 2003)
http://www.idsoftware.com/business/pres ... 0304120000
http://web.archive.org/web/200310091023 ... /News.aspx

YouPlayGames started at the beginning of 2003 and was closed in February 2004 (http://www.digismack.net/resume.php) so doing some calculations we can say that the PB_Y packet has been active from the 2003 till October 2007 (over 4 years), date in which the function slowly started to be removed from the games.
in the moment I'm writing Doom 3 and Quake 4 are the only games still in danger but EvenBalance will remove the function today.