aaboompb.txt

aaboompb.txt: Posted Oct 2, 2007; Authored by Luigi Auriemma | Site aluigi.org; America's Army and America's Army Special Forces versions 2.8.2 and below suffer from an unexploitable buffer overflow.; tags | advisory, overflow; SHA-256 | 93f589c8649020d44c1851760c501198c88aa465a8b5433b3a8af7f8504842eb; Download | Favorite | View

aaboompb.txt


#######################################################################

                             Luigi Auriemma

Application:  America's Army and America's Army Special Forces
              http://www.americasarmy.com
Versions:     <= 2.8.2
Platforms:    Windows, Linux and Mac
Bugs:         unexploitable buffer-overflow in the logging function
Exploitation: remote, versus servers with Punkbuster enabled
Date:         01 Oct 2007
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


America's Army is a realistic FPS game based and developed just by the
the U.S. Army (http://www.goarmy.com).


#######################################################################

======
2) Bug
======


This bug is the same reported here:

  http://aluigi.org/adv/unrwebdos-adv.txt

What changes now is the possibility of exploiting it also in this
specific game (since it doesn't support or doesn't seem to support the
web service used as way for exploiting the bug in that advisory) and
anonymously from outside the server with a single UDP packet.

The only requirement is the running of Punkbuster on the server while
for exploiting the vulnerability will be used the PB_Y (YPG server) or
the PB_U (UCON) packets with a content of about 1024 bytes.

Exists also another minor problem which can be exploited only versus
the Windows dedicated server (ever with Punkbuster enabled) since the
chars printed on the console are not filtered so using invalid chars or
0x07 (the bell) can cause the freezing of the entire server.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/aaboompb.zip


#######################################################################

======
4) Fix
======


No fix.
The bug is public from the 18 Aug 2007 and the developers of the engine
are aware of it from some weeks before that date.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org
http://forum.aluigi.org
http://mirror.aluigi.org

Top Authors In Last 30 Days

Red Hat 228 files
Ubuntu 55 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Google Security Research 6 files
Apple 6 files
Milad Karimi 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,333)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,578)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,460)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

aaboompb.txt

aaboompb.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

aaboompb.txt

Share This

aaboompb.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems