
Sof-PunkBuster.txt

22 Feb 2006. Reported by Luigi Auriemma. Type: packetstorm. Source: packetstormsecurity.com

Soldier of Fortune II with PunkBuster enabled: format string vulnerability, remote server crash

#######################################################################  
  
Luigi Auriemma  
  
Application: Soldier of Fortune II with PunkBuster enabled  
http://www.ravensoft.com/soldier2.html  
http://www.PunkBuster.com  
Versions: PB for server <= 1.180  
Platforms: Windows, Linux and Mac  
Bug: format string  
Exploitation: remote, versus server (in-game)  
Date: 16 Feb 2006  
Author: Luigi Auriemma  
e-mail: [email protected]  
web: http://aluigi.altervista.org  
  
  
#######################################################################  
  
  
1) Introduction  
2) Bug  
3) The Code  
4) Fix  
  
  
#######################################################################  
  
===============  
1) Introduction  
===============  
  
  
PunkBuster is a loved/hated anti-cheat system developed by Even Balance
(http://www.evenbalance.com) and officially used in many widespread
games like America's Army, Battlefield 1942/Vietnam/II, Call of Duty,
Doom 3 and almost all the games based on the Quake 3 engine.

Although I have exploited the bug only in Soldier of Fortune II, I
cannot rule out other games that I have not tested personally (no reply
from the vendor).
  
  
#######################################################################  
  
======  
2) Bug  
======  
  
  
The PunkBuster server module supports the automatic kick and ban of
players whose cvars have invalid values, for example values outside the
range specified by the server.
When this situation occurs PB kicks the client through the game's own
functions (like a clientkick command).
The message sent to the client contains both the name of the monitored
cvar and the value it has on the client; the resulting string is passed
as the "reason".

The problem is that Soldier of Fortune II makes no checks on the
"reason" parameter (see trap_DropClient), which is passed by PB or by
the server admin when kicking a player, so the subsequent sprintf()
call is vulnerable to a format string attack.

Normally there is no way to exploit this bug unless you are the server
administrator (for example by typing: clientkick 0 %n%n%n%n%n), but
PunkBuster provides the path that lets any player inside the server
crash, or possibly take control of, the remote system.
  
  
#######################################################################  
  
===========  
3) The Code  
===========  
  
  
- launch a client
- join a server (naturally one with PunkBuster enabled)
- type /pb_cvarlist
- choose one of the monitored cvars, for example "snaps"
- type: /set CVAR %n%n%n%n%n%n
  example: /set snaps %n%n%n%n%n%n
- the server will crash after a few seconds, while it is kicking the
  client
  
  
#######################################################################  
  
======  
4) Fix  
======  
  
  
Even Balance silently fixed the bug after my report, but I have
received no reply and there are no details on the PunkBuster website
about this bug or about what exactly was patched.
On the same day updated PB server modules were also released for other
games.
No comment...
  
  
#######################################################################  
  
  
---   
Luigi Auriemma  
http://aluigi.altervista.org  
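The kick path from sections 2 and 3 above, modelled as an added example in C. This is not code from the advisory, from Raven Software or from Even Balance: the cvar range (snaps in [20, 40]), the wording of the kick reason and every function name are assumptions made for the example. It shows how a client-controlled cvar value flows verbatim into the "reason", the vulnerable call that uses that reason as a format string, the hardened form that treats it as data, and a guard that detects a reason still carrying a conversion specification.

```c
/*
 * Added example (not code from the advisory, Raven Software or Even Balance).
 * Models the PunkBuster -> clientkick -> sprintf(reason) path described in
 * section 2. The cvar range, the reason text and all function names are
 * assumptions made for this example.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REASON_MAX 128

/* Hypothetical PB-style check: a monitored integer cvar must parse fully and
 * fall inside [lo, hi]. Returns 1 when the value is invalid and fills
 * `reason` with the cvar name and the client's raw value, as the advisory
 * says PB does. */
int pb_check_cvar(const char *name, const char *value, long lo, long hi,
                  char *reason, size_t reason_len)
{
    char *end;
    errno = 0;
    long v = strtol(value, &end, 10);
    int bad = (*value == '\0' || *end != '\0' || errno == ERANGE ||
               v < lo || v > hi);
    if (bad) {
        /* The untrusted value is embedded verbatim: this is the tainted
         * data that later reaches sprintf() as a format string. */
        snprintf(reason, reason_len, "PB kick: cvar %s has invalid value %s",
                 name, value);
    }
    return bad;
}

/* Vulnerable pattern from the advisory: the reason IS the format string.
 * A reason containing %n writes to memory, %x leaks the stack. Never call
 * this with untrusted data; it is here for contrast only. snprintf is taken
 * through a pointer so the example compiles without -Wformat-security
 * noise; the real bug is simply sprintf(buf, reason). */
void drop_client_vulnerable(char *out, size_t out_len, const char *reason)
{
    int (*fmt)(char *, size_t, const char *, ...) = snprintf;
    fmt(out, out_len, reason);   /* reason used as format: the bug */
}

/* Hardened form: the format string is a literal, the reason is data. */
void drop_client_safe(char *out, size_t out_len, const char *reason)
{
    snprintf(out, out_len, "%s", reason);
}

/* Server-side guard: 1 if the reason still carries a conversion
 * specification. "%%" is the escaped percent and is allowed. */
int reason_has_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* literal percent, skip both */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    char reason[REASON_MAX], msg[REASON_MAX];
    /* Constructed input: the advisory's PoC value for the "snaps" cvar. */
    const char *hostile = "%n%n%n%n%n%n";

    if (pb_check_cvar("snaps", hostile, 20, 40, reason, sizeof reason)) {
        printf("kick reason: %s\n", reason);
        if (reason_has_directive(reason))
            printf("reason contains a format directive; "
                   "drop_client_vulnerable() would corrupt memory here\n");
        drop_client_safe(msg, sizeof msg, reason);
        printf("safe message: %s\n", msg);
    }
    return 0;
}
```

The fix that matters is the one in drop_client_safe(): pass the reason as an argument to a literal format. The reason_has_directive() guard is defence in depth for a server that cannot patch the formatting call itself; it rejects the advisory's %n payload but is not a substitute for the literal-format fix.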
