
bfccown.txt

Posted Aug 31, 2005
Authored by Luigi Auriemma | Site aluigi.altervista.org

BFCommand & Control Server Manager (BFCC and BFVCC) is susceptible to multiple bugs. BFCC versions 1.22_A and below and BFVCC versions 2.14_B and below are susceptible to a full anonymous login bypass and various manipulation flaws.

tags | advisory
SHA-256 | 82d511d1562e6896e98ab485a7698bc6c3577ea5c73c093677372f083c030e8c


#######################################################################

Luigi Auriemma

Application: BFCommand & Control Server Manager
http://www.bfcommandcontrol.org
Versions: BFCC <= 1.22_A
BFVCC <= 2.14_B
BFVCCDaemon is NOT vulnerable
Platforms: Windows
Bugs: A] full anonymous login bypass
B] login bypass through NULL username
C] invulnerable clients and full privileges
D] server full after consecutive connections
Exploitation: remote
Date: 29 Aug 2005
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


BFCommand & Control Server Manager is a server manager available for
the games Battlefield 1942 (with the name BFCC), Battlefield Vietnam
(BFVCC) and Battlefield 2 (BF2CC).

What distinguishes these server managers from the others available
on the Internet is that BFVCC is also included directly on the CD of
Battlefield Vietnam, so it is used on many servers.
I have made a quick search on the Internet and I have found that over
20% of public Battlefield Vietnam servers use one of the vulnerable
versions of BFVCC on the standard ports which, through these
vulnerabilities, means full access to the management of these game
servers and to other possibly sensitive information such as the POP3
password of the admin.

BFVCCDaemon is not vulnerable because it uses another protocol and is
in fact considered a different program altogether. Moreover, the number
of BFV servers on the Internet which use BFVCCDaemon is almost nonexistent.


#######################################################################

=======
2) Bugs
=======

------------------------------
A] full anonymous login bypass
------------------------------

This bug can be summed up in a few words: there is no login
mechanism.
In fact the "login" command is totally useless because anyone can
connect to the server manager and take control of it with full "Super
Admin" privileges.
The most interesting thing is that without logging into the server the
attacker doesn't exist: the logs don't report his operations (except
for a couple of commands, if used) and as far as the server is
concerned nobody is connected at that moment.
Really a good way to control the server like a ghost, with the
maximum of relaxation and power.


-------------------------------------
B] login bypass through NULL username
-------------------------------------

The "login" command is naturally composed of a username and a password,
but the cool thing is that a NULL byte (0x00) in the username field
bypasses the authentication and the server grants access to the
attacker:

"login" "\x1e" // command
"\0" "\x1e" // username (NULL byte)
"none" "\x1e" // password
"none" "\x1e" // username
"" "\x1e" // ???
"" // ???
"\x00\x40\x40\x00" // command delimiter
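The listing above shows the wire framing: fields separated by the 0x1e byte and a command terminated by the four bytes 00 40 40 00. The following is an added example, not the advisory's own code or the PoC from bfccown.zip: a small parser for that framing plus the check a server-side login handler should perform on the raw username field. The separator and terminator are taken from the listing; the field order (command, username, password, ...) is inferred from its comments. The advisory does not say why the server accepts a NUL username; the comment below gives a common cause as an assumption, and the sample traffic is constructed.

```python
"""Parser and login sanity check for the framing shown in bug B (added example)."""

FIELD_SEP = b"\x1e"              # field separator seen in the listing
TERMINATOR = b"\x00\x40\x40\x00"  # "command delimiter" from the listing


def split_commands(stream: bytes) -> list:
    """Split a captured byte stream into commands, each a list of raw fields.

    Bytes after the last terminator are ignored (an incomplete command).
    Assumption: a field never contains the 4-byte terminator itself; a
    length-prefixed format would be needed to lift that restriction.
    """
    commands = []
    for chunk in stream.split(TERMINATOR)[:-1]:
        commands.append(chunk.split(FIELD_SEP))
    return commands


def login_verdict(fields: list) -> str:
    """Return "ok" or a rejection reason for one parsed "login" command.

    Assumption (not stated in the advisory): a NUL-terminated string compare
    on the server would see b"\\x00..." as an empty name and match an empty
    or unset credential. Checking the raw field byte by byte, before any C
    string handling, closes that hole regardless of the real root cause.
    """
    if not fields or fields[0] != b"login":
        return "reject: not a login command"
    if len(fields) < 3:
        return "reject: too few fields"
    username = fields[1]
    if username == b"":
        return "reject: empty username"
    if b"\x00" in username:
        return "reject: NUL byte in username"
    if not all(0x20 <= c < 0x7F for c in username):
        return "reject: non-printable byte in username"
    return "ok"


def flag_suspicious_logins(stream: bytes) -> list:
    """Detection pass: run the verdict over every login in a capture."""
    findings = []
    for fields in split_commands(stream):
        if fields and fields[0] == b"login":
            verdict = login_verdict(fields)
            if verdict != "ok":
                findings.append(verdict)
    return findings


# Constructed sample traffic: a normal login, the NUL-username login from
# the advisory's listing, and a login with an empty username.
SAMPLE_STREAM = (
    b"login\x1eadmin\x1esecret\x1e\x1e\x1e" + TERMINATOR
    + b"login\x1e\x00\x1enone\x1enone\x1e\x1e" + TERMINATOR
    + b"login\x1e\x1enone\x1enone\x1e\x1e" + TERMINATOR
)

if __name__ == "__main__":
    for cmd in split_commands(SAMPLE_STREAM):
        print(cmd, "->", login_verdict(cmd))
    print("findings:", flag_suspicious_logins(SAMPLE_STREAM))
```

The same parser can be pointed at a packet capture of the manager's port to look for logins that should never have been accepted; the byte-level checks belong on the server side, before the username reaches any string-comparison routine.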


-------------------------------------------
C] invulnerable clients and full privileges
-------------------------------------------

The admins (and above all the local admin) have the ability to boot
the other remote admins.
The "Boot" command and any other command which has an effect on the
clients are totally useless, since the server keeps the connection
established and any operation or disconnection is performed by the
client, not the server.
In short, a modified client (for example one with a NULL byte placed
where the unicode command Boot is located in the executable) cannot be
booted.
Each admin can also be limited in what he can or cannot do by setting
some permissions in the "User Profiles" section.
Just like the Boot command, the permissions are also client-side, so
an admin with very restricted power can take full control of the
server manager.


--------------------------------------------
D] server full after consecutive connections
--------------------------------------------

A sort of "fake players" attack, with the difference that here, after
20 consecutive connections (just a simple connect and disconnect), the
server becomes full forever.
In short, if the client doesn't send the "login" command the server
considers the connection to be in an idle state, and when the limit of
20 connections is reached (even though the connections and the sockets
have been closed!) it becomes full and nobody can use the server
manager remotely.
Naturally this attack is not shown in the logs either.
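Bugs C and D both come down to state the server never keeps: it trusts the client for permissions and for "Boot", and it counts idle connections without ever releasing them. The following is an added example, not the product's code: a simplified in-memory model of what a server manager has to hold on its own side so that the slot table drains when a socket closes (bug D), every command is authorised against a server-held permission table rather than whatever the client claims (bug C), and "Boot" is enforced by the server dropping the target session, so a modified client cannot ignore it. The limit of 20 comes from the advisory; the user names, credentials and permission names are constructed for the example.

```python
"""Server-side session, slot and permission model (added example)."""
import hmac
from dataclasses import dataclass, field
from typing import Optional

MAX_SESSIONS = 20  # the advisory's limit of 20 remote connections

# Constructed credential store and per-user permissions, held server-side.
USERS = {
    "superadmin": ("s3cret", {"Boot", "Kick", "ChangeMap", "ViewLogs"}),
    "helper": ("h3lp", {"ViewLogs"}),
}


@dataclass
class Session:
    conn_id: int
    user: Optional[str] = None          # None until a successful login
    perms: set = field(default_factory=set)


class ServerManager:
    def __init__(self):
        self.sessions = {}
        self._next_id = 1

    def connect(self) -> Optional[int]:
        """Accept a new socket, or refuse it when the slot table is full."""
        if len(self.sessions) >= MAX_SESSIONS:
            return None
        cid = self._next_id
        self._next_id += 1
        self.sessions[cid] = Session(cid)
        return cid

    def disconnect(self, cid: int) -> None:
        """Bug D: a closed socket always frees its slot, logged in or not."""
        self.sessions.pop(cid, None)

    def login(self, cid: int, username: str, password: str) -> bool:
        """Only a verified credential attaches a user and permissions."""
        sess = self.sessions[cid]
        entry = USERS.get(username)
        if entry is None or not hmac.compare_digest(entry[0], password):
            return False
        sess.user, sess.perms = username, set(entry[1])
        return True

    def execute(self, cid: int, command: str, target: Optional[int] = None) -> str:
        """Bug C: authorise on the server before acting on any command."""
        sess = self.sessions.get(cid)
        if sess is None:
            return "denied: no such session"
        if sess.user is None:
            return "denied: not logged in"      # bugs A/B: no login, no power
        if command not in sess.perms:
            return "denied: missing permission"
        if command == "Boot":
            if target not in self.sessions:
                return "error: no such target"
            self.disconnect(target)            # the server closes it, not the client
            return "booted %d" % target
        return "ok: %s" % command


def idle_churn(server: ServerManager, rounds: int) -> bool:
    """Bug D scenario: connect and disconnect without logging in, `rounds`
    times, then check that a further connection is still accepted."""
    for _ in range(rounds):
        cid = server.connect()
        if cid is None:
            return False
        server.disconnect(cid)
    return server.connect() is not None


if __name__ == "__main__":
    srv = ServerManager()
    print("usable after 50 idle connections:", idle_churn(srv, 50))
    c = srv.connect()
    srv.login(c, "helper", "h3lp")
    print(srv.execute(c, "Boot", target=1))
```

In the model the vulnerable behaviour would be a counter that `connect()` increments and `disconnect()` never decrements; releasing the slot in `disconnect()` is the whole of the bug D fix, and keeping `perms` on the `Session` object rather than trusting a client-reported role is the whole of the bug C fix.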


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/bfccown.zip


#######################################################################

======
4) Fix
======


No fix.
No reply from the developers.

I suggest that the users of BFVCC use BFVCCDaemon, which is not
vulnerable.


#######################################################################


---
Luigi Auriemma
http://aluigi.altervista.org