#######################################################################

Luigi Auriemma

Application:  Dropteam
              http://www.battlefront.com/products/dropteam/news.html
Versions:     <= 1.3.3
Platforms:    Windows, Linux and Mac
Bugs:         A] format string through packet 0x01
              B] buffer-overflow through packet 0x5c
              C] heap-overflow through packet 0x18
              D] various memory crash through packet 0x4b
              E] account password sent to server
Exploitation: remote, versus server
Date:         05 Oct 2007
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Dropteam is a tactical war game developed by Battlefront
(http://www.battlefront.com).

#######################################################################

=======
2) Bugs
=======

------------------------------------
A] format string through packet 0x01
------------------------------------

Various format string vulnerabilities can be exploited through packet
0x01, where the account username, the account password and the nickname
supplied by the client are used directly as the format argument of
sprintf().
Note that the resulting strings are shown in the reply packet sent by
the server, so an attacker can tune the exploit for the maximum chance
of success if necessary.

--------------------------------------
B] buffer-overflow through packet 0x5c
--------------------------------------

A buffer-overflow is exploitable through packet 0x5c, where a stack
buffer is filled with the various data supplied by the client without
the proper checks.

------------------------------------
C] heap-overflow through packet 0x18
------------------------------------

Here we have a heap buffer of 16 kilobytes in which the program stores
up to 131070 (a 16-bit value << 1) 32-bit numbers supplied by the
attacker.
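As an added illustration of bugs A and C (example code written for this page, not Dropteam's or Battlefront's code), the checks a hardened server would apply: the 16 KB buffer and the "16-bit value << 1" count come from the advisory, while the packet layout (little-endian count followed by the values) and the reply text are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes taken from the advisory: a 16 KB heap buffer and a count of
   16-bit value << 1. The packet layout (2-byte little-endian count, then
   the values) and the reply text are assumptions made for this example. */
#define HEAP_BUF_BYTES 16384
#define MAX_VALUES     (HEAP_BUF_BYTES / sizeof(uint32_t))   /* 4096 */

/* Bug A: the vulnerable pattern is sprintf(reply, username), so '%'
   directives in the username, password or nickname are interpreted.
   Hardened form: client data is only ever a "%s" argument and the output
   is bounded. Returns the reply length, or -1 if it did not fit. */
int build_join_reply(char *out, size_t outsz, const char *user, const char *nick)
{
    int n = snprintf(out, outsz, "welcome %s (%s)", nick, user);
    if (n < 0 || (size_t)n >= outsz)
        return -1;                 /* truncated: do not send a partial reply */
    return n;
}

/* Bug C: 131070 values need 524280 bytes, far more than the 16 KB buffer.
   Hardened parser: derive the count, refuse what the buffer cannot hold,
   and refuse a count the packet does not carry enough bytes for.
   Returns the number of values stored, or -1 for a rejected packet. */
long parse_packet_0x18(const uint8_t *pkt, size_t pktlen, uint32_t *heap_buf)
{
    if (pktlen < 2)
        return -1;
    uint32_t count = (uint32_t)(pkt[0] | (pkt[1] << 8)) << 1;
    if (count > MAX_VALUES)
        return -1;                 /* would overflow the 16 KB heap buffer */
    if ((pktlen - 2) / sizeof(uint32_t) < count)
        return -1;                 /* packet shorter than the count claims */
    memcpy(heap_buf, pkt + 2, count * sizeof(uint32_t));
    return (long)count;
}

int main(void)
{
    static uint32_t heap_buf[MAX_VALUES];
    char reply[64];
    const uint8_t oversized[2] = { 0xff, 0xff };   /* constructed: count 131070 */
    int len = build_join_reply(reply, sizeof reply, "Player%s", "%x%x");
    printf("reply (%d chars): %s\n", len, reply);
    printf("0x18 with count 131070 -> %ld\n",
           parse_packet_0x18(oversized, sizeof oversized, heap_buf));
    return 0;
}
```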
-------------------------------------------
D] various memory crash through packet 0x4b
-------------------------------------------

Another heap-overflow vulnerability is exploitable during the handling
of packet 0x4b, which is composed of up to 255 strings with a size of up
to 65535 bytes each.

----------------------------------
E] account password sent to server
----------------------------------

To play Dropteam online it is necessary to register an account using a
valid product key of the purchased game.
The packet used by the client for joining a server is composed of the
following fields: account username, account password, game version and
nickname.
The problem is the account credentials, which are transmitted to the
server the client wants to join, allowing any server admin (anyone can
set up a server) to collect and use these accounts.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/dropteamz.zip

#######################################################################

======
4) Fix
======

The bugs will probably be fixed in the next patch.

#######################################################################

---
Luigi Auriemma
http://aluigi.org
http://forum.aluigi.org
http://mirror.aluigi.org