soldatdos.txt
Posted Aug 24, 2007
Authored by Luigi Auriemma | Site aluigi.org

The Soldat game versions 1.4.2 and below and dedicated server versions 2.6.2 and below suffer from remote denial of service vulnerabilities.

tags | advisory, remote, denial of service, vulnerability
SHA-256 | c121d53c7807204b349e59fbe33948e8d35c58dfe47a0285897ffd07e5095c24


#######################################################################

Luigi Auriemma

Application:  Soldat
              http://www.soldat.pl
Versions:     game <= 1.4.2 and dedicated server <= 2.6.2
Platforms:    Windows (Linux not affected)
Bugs:         A] clients crash caused by too long strings on the screen
              B] denial of service through file transfer port
              C] easy IP banning
Exploitation: remote
              A] versus clients
              B] versus server (Windows only)
              C] versus specific clients
Date:         23 Aug 2007
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Soldat is a small and cool 2D multiplayer game with tons of players and
servers around the world.


#######################################################################

=======
2) Bugs
=======


First a short introduction about the types of servers available in the
game:

- game server / non-dedicated server: a player runs Soldat.exe, starts
the server and automatically plays in it (the player is both client
and server at the same time)
- game dedicated server: Soldat.exe -dedicated, as above but the player
cannot play, he only sees a graphical interface for handling the
server
- dedicated server: this refers to the stand-alone dedicated server
(it uses a version number different from the game), which is
available for both Windows and Linux and runs in a console


---------------------------------------------------------
A] clients crash caused by too long strings on the screen
---------------------------------------------------------

The messages visualized on the screen of the clients can't be longer
than about 512 bytes, otherwise a crash will occur.
An attacker can exploit this problem in at least two ways:

- if the server is non-dedicated he can simply send this long string,
with a line feed at the end, to the file transfer port (default
23083): the server will crash immediately

- if the server is dedicated the attacker can send the long string as
an in-game chat message, and any player in the server will crash as
in the previous example

It doesn't seem possible to use this bug for executing malicious code.


-----------------------------------------------
B] denial of service through file transfer port
-----------------------------------------------

The file transfer port (default 23083, or client port plus 10) accepts
input strings of at most 16384 bytes (line feed included) and can be a
problem for both the dedicated and the non-dedicated Windows server:

- the dedicated server runs in a classical console, which means that an
attacker can use some chars (like 0x07) for "beeping" and freezing
the Windows console, since the requested map name is visualized on
the screen; during the attack the players in the server cannot play
and the server is a hell of beeps and slowness

- the game dedicated server (Soldat.exe -dedicated) suffers from a
similar effect too, since it becomes very slow to use and to play
on
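The two problems above share one root cause: text received on the file transfer port reaches a renderer (the client's screen, or the server console) with no length cap and no control-byte filtering. The following is an added example, not code from the advisory or from Soldat, of the input check a receiver would want on that path; the 512-byte and 16384-byte limits are the advisory's figures, the request strings are constructed samples, and the function and label names are assumptions.

```python
import re
from typing import Dict, List, Optional

MAX_LINE_BYTES = 16384     # input limit of the file transfer port (bug B)
MAX_DISPLAY_BYTES = 512    # approximate on-screen string limit (bug A)

# Control bytes that steer a console instead of printing text; 0x07 (BEL)
# is the one the advisory names. TAB (0x09) is left alone as ordinary text.
_CONTROL = re.compile(rb"[\x00-\x08\x0a-\x1f\x7f]")


def classify_line(raw: bytes) -> str:
    """Detection: label one raw line as received on the file transfer port.
    'oversized'          - longer than the port's own 16384-byte limit
    'control_bytes'      - carries console control bytes such as BEL
    'too_long_to_render' - would exceed the ~512-byte on-screen limit
    'ok'                 - nothing suspicious"""
    if len(raw) > MAX_LINE_BYTES:
        return "oversized"
    body = raw.rstrip(b"\r\n")
    if _CONTROL.search(body):
        return "control_bytes"
    if len(body) > MAX_DISPLAY_BYTES:
        return "too_long_to_render"
    return "ok"


def sanitize_for_display(raw: bytes) -> Optional[bytes]:
    """Mitigation: what the console or HUD may be handed. Oversized lines
    are dropped (None), control bytes are stripped, and the remainder is
    capped so the renderer never sees more than MAX_DISPLAY_BYTES."""
    if len(raw) > MAX_LINE_BYTES:
        return None
    body = _CONTROL.sub(b"", raw.rstrip(b"\r\n"))
    return body[:MAX_DISPLAY_BYTES]


# Constructed sample traffic, not captured from a real server.
SAMPLES: List[bytes] = [
    b"example_request\n",           # an ordinary short request
    b"A" * 600 + b"\n",             # over the on-screen limit (bug A)
    b"map\x07\x07\x07.x\n",         # BEL bytes aimed at the console (bug B)
    b"B" * 20000 + b"\n",           # over the port's own input limit
]


def summarize(samples: List[bytes]) -> Dict[str, int]:
    """Count how many sample lines fall into each label."""
    counts: Dict[str, int] = {}
    for line in samples:
        label = classify_line(line)
        counts[label] = counts.get(label, 0) + 1
    return counts
```

Running `summarize(SAMPLES)` labels one line of each kind; the same check applied to in-game chat would cover the dedicated-server variant of bug A.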


------------------
C] easy IP banning
------------------

This is a problem that has affected Soldat for a long time; in fact the
bug is simply the lack of a real check on the players who join the
server: in short, one single UDP packet is enough to be inside it.
While in the past the banning happened with malformed packets (I wrote
a PoC for it), in recent versions it is possible to exploit this
problem by sending multiple join packets, causing a ban of 20 minutes
for the source IP address.
So if an attacker can spoof his packets he could ban one or more IP
addresses on a specific server.
In my opinion this is not such a great problem; I have reported it here
only for thoroughness.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/soldatdos.zip


#######################################################################

======
4) Fix
======


No fix.
I have been in contact with the developer for over two weeks, but
unfortunately I'm not able to explain these bugs better than I have
done here...


#######################################################################


---
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org
