America's Army 3 Null Pointer

Luigi Auriemma
Packet Storm (PACKETSTORM:79187), packetstormsecurity.com
Jul 14, 2009
#######################################################################  
  
Luigi Auriemma  
  
Application: America's Army 3  
http://www.americasarmy.com/aa3.php  
Versions: <= 3.0.4  
Platforms: Windows  
Bug: NULL pointer  
Exploitation: remote, versus server  
Date: 06 Jul 2009  
Author: Luigi Auriemma  
e-mail: [email protected]  
web: aluigi.org  
  
  
#######################################################################  
  
  
1) Introduction  
2) Bug  
3) The Code  
4) Fix  
  
  
#######################################################################  
  
===============  
1) Introduction  
===============  
  
  
America's Army 3 (AA3) is the new free game in the AA series, developed  
for the U.S. Army as a recruiting aid.  
Released about 20 days ago, it is already played by thousands of players  
on more than 400 online servers  
(http://login.aa3.americasarmy.com/servers).  
  
  
#######################################################################  
  
======  
2) Bug  
======  
  
  
Unlike the older versions, AA3 has introduced a new proprietary type of  
query used for retrieving information from the servers.  
The reply received from the servers is compressed and contains a lot of  
information (including the IP addresses of the clients... hmm).  
  
The job of parsing such a query is performed by the acpu_decompile  
function in libaa3.dll, which returns a pointer to a newly allocated  
structure that is then used internally by the game.  
  
Using an invalid type of query (for example one that doesn't start  
with the 0x6fe1 value) it is possible to force this function to fail,  
with the result that it returns a NULL pointer instead of the pointer to  
the new data; since the caller never checks the return value, the NULL  
pointer is dereferenced and the entire server crashes.  
  
Only a single UDP packet is needed to exploit the vulnerability, so  
there are no practical limitations and the attacker can spoof his own  
IP address.  
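The pattern described above, modelled as an added example (this is not code from libaa3.dll or from the advisory's author): a parser that returns NULL for a datagram that does not begin with 0x6fe1, the caller that trusts the pointer and faults on the "blah" datagram the nc one-liner in section 3 sends, and a checked caller that drops the datagram instead. Only the 0x6fe1 marker and the crash mechanism come from the advisory; the packet layout beyond the marker, its byte order on the wire, and the function and structure names are assumptions.

```c
/* Added example: a minimal model of the unchecked-NULL pattern.
 * NOT libaa3.dll code. Field layout, byte order and all names are
 * assumptions; only the 0x6fe1 marker comes from the advisory. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define AA3_QUERY_MAGIC 0x6fe1u   /* value a valid query starts with (advisory) */
#define AA3_MAX_PAYLOAD 64        /* assumed bound for the demo structure */

/* Assumed decoded form of a query (hypothetical layout). */
typedef struct {
    uint16_t type;                /* sub-type, assumed to follow the magic */
    size_t   payload_len;
    uint8_t  payload[AA3_MAX_PAYLOAD];
} aa3_query;

/* Stand-in for acpu_decompile(): parses one raw UDP datagram and returns a
 * heap-allocated structure, or NULL when it is not a valid query.
 * The magic is assumed little-endian on the wire. */
aa3_query *aa3_decompile(const uint8_t *buf, size_t len)
{
    if (len < 4)
        return NULL;                          /* too short to carry magic+type */
    uint16_t magic = (uint16_t)(buf[0] | (buf[1] << 8));
    if (magic != AA3_QUERY_MAGIC)
        return NULL;                          /* "blah" fails right here */
    size_t plen = len - 4;
    if (plen > AA3_MAX_PAYLOAD)
        return NULL;
    aa3_query *q = calloc(1, sizeof *q);
    if (q == NULL)
        return NULL;
    q->type = (uint16_t)(buf[2] | (buf[3] << 8));
    q->payload_len = plen;
    memcpy(q->payload, buf + 4, plen);
    return q;
}

/* Vulnerable caller: trusts the return value, the defect the advisory
 * describes. With an invalid datagram q is NULL and q->type faults,
 * taking the whole server process down. */
int handle_query_unchecked(const uint8_t *buf, size_t len)
{
    aa3_query *q = aa3_decompile(buf, len);
    int type = q->type;                       /* NULL dereference on bad input */
    free(q);
    return type;
}

/* Hardened caller: a failed parse is an error for this datagram only.
 * Returns -1 for a rejected packet so the server keeps serving. */
int handle_query_checked(const uint8_t *buf, size_t len)
{
    aa3_query *q = aa3_decompile(buf, len);
    if (q == NULL)
        return -1;                            /* drop the datagram, carry on */
    int type = q->type;
    free(q);
    return type;
}

int main(void)
{
    /* Constructed sample datagrams: a well-formed query (magic 0x6fe1
     * little-endian, type 2, payload "ok") and the bytes nc sends. */
    const uint8_t valid[] = { 0xe1, 0x6f, 0x02, 0x00, 'o', 'k' };
    const uint8_t bogus[] = "blah\n";

    printf("valid, unchecked: type %d\n", handle_query_unchecked(valid, sizeof valid));
    printf("valid, checked:   type %d\n", handle_query_checked(valid, sizeof valid));
    printf("bogus, checked:   %d (rejected)\n",
           handle_query_checked(bogus, sizeof bogus - 1));
    /* handle_query_unchecked(bogus, sizeof bogus - 1) would crash here,
     * which is what one spoofed UDP packet does to an unpatched server. */
    return 0;
}
```

Compile with `cc -Wall example.c` and run; the unchecked handler is only invoked on the valid datagram because on the bogus one it faults. The point of the checked version is that a parse failure stays scoped to one datagram, which matters here because UDP lets the sender spoof the source address, so blocking the offending IP after the fact would not have helped.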
  
  
#######################################################################  
  
===========  
3) The Code  
===========  
  
  
echo blah | nc SERVER 39300 -v -v -u  
  
note: LAN servers use port 9002 instead  
  
  
#######################################################################  
  
======  
4) Fix  
======  
  
  
No fix.  
  
I have released an unofficial fix for the latest server version known  
at the time of writing:  
  
http://aluigi.org/patches/aa3blahfix.lpatch  
  
  
#######################################################################  
  