#######################################################################

                             Luigi Auriemma

Application:  Star Wars Battlefront
              http://www.lucasarts.com/games/swbattlefront/
Versions:     <= 1.11
Platforms:    Windows
              Xbox and Playstation 2 have not been tested
Bugs:         A] limited buffer-overflow in nickname
              B] crash caused by arbitrary memory access
Exploitation: remote, versus server (in-game)
Date:         24 November 2004
Author:       Luigi Auriemma
              e-mail: aluigi@altervista.org
              web:    http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Star Wars Battlefront is the newest game based on the Star Wars universe.
It is developed by Pandemic Studios (http://www.pandemicstudios.com) and
was released in September 2004.
The game is also available for Xbox and Playstation 2.

The dedicated server for Playstation 2 runs on Windows and uses the same
join protocol as the PC version; in fact I have tested it and it is
vulnerable.
Since I'm not able to directly test these 2 platforms themselves, I cannot
confirm whether the Xbox and Playstation 2 games are vulnerable or not.

#######################################################################

=======
2) Bugs
=======

--------------------------------------
A] limited buffer-overflow in nickname
--------------------------------------

A client that joins with an oversized nickname causes a limited
buffer-overflow in the server.
"Limited" because it doesn't seem possible to overwrite important memory
zones with it, so remote code execution does not look achievable; the
practical effect is a denial of service.

------------------------------------------
B] crash caused by arbitrary memory access
------------------------------------------

There is a strange field in the join request used by this game.
This field is a 32-bit value that must contain a memory offset, and the
server uses it to build the following debug message:

  "player %s had crash at 0x%x\n"

where the pointer argument for %s is simply the memory address specified
by the client: the server dereferences a client-supplied value as a string
pointer.
The effect, naturally, is that an attacker can force the server to read
an unreachable memory location, causing its immediate crash.
I have no idea why such a stupid and dangerous method has been used.

Note: this bug doesn't seem to affect the Playstation 2 dedicated server.

Both these bugs must be considered in-game bugs (translated: if the server
is protected with a password, the attacker must know it), simply because
the password field (a 32-bit checksum) is checked before the other
information, so the packet is rejected if the password provided by the
attacker is wrong.

#######################################################################

===========
3) The Code
===========

http://aluigi.altervista.org/fakep/swbfp.zip

A] swbfp -s 100 localhost
   sends a nickname of 100 chars to the server

B] swbfp -m 1234 localhost
   forces the server to read the data at offset 1234 (0x000004d2)

#######################################################################

======
4) Fix
======

No fix.
My first mail is dated 26 Oct 2004; the developers said they were working
on fixing the bugs, but after all this time and after the release of 2
normal patches (so, not for these bugs) the situation is unknown... it is
useless to ask Pandemic for the status of the patch, since my latest two
"keep-alive" mails have been completely ignored.

#######################################################################

---
Luigi Auriemma
http://aluigi.altervista.org
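The following C program is an added example, not code from the original advisory, from swbfp or from the game. It models the join-request handling the advisory describes, with the two flawed patterns (an unbounded nickname copy, and the client's 32-bit field passed to %s as a char pointer) beside a hardened handler that checks the password checksum first, bounds the nickname and only ever prints the field as a number. The packet layout, the NICK_MAX buffer size, the checksum constant and the sample packets are all constructed assumptions; the real Star Wars Battlefront wire format is not published in the advisory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed join-request layout used by this example. The advisory does
 * not publish the real packet format, so offsets and the checksum value
 * below are assumptions:
 *   [0..3]  password checksum, 32-bit little-endian (checked first)
 *   [4..7]  the "crash offset" field, 32-bit little-endian
 *   [8..]   NUL-terminated nickname
 */
#define NICK_MAX 32                           /* assumed server-side nickname buffer */
#define SERVER_PASSWORD_CHECKSUM 0x1234abcdu  /* constructed value */

enum join_result { JOIN_OK = 0, JOIN_BAD_PASSWORD, JOIN_BAD_NICK, JOIN_TRUNCATED };

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* The two patterns the advisory describes, shown for contrast only.
 * This function is deliberately never called: with a long nickname it
 * overflows nick[] (bug A), and the client's 32-bit value is handed to %s
 * as a char pointer, so the server reads from wherever the client says (bug B). */
void handle_join_vulnerable(const uint8_t *pkt, size_t len)
{
    char nick[NICK_MAX];
    char msg[128];
    uint32_t off = le32(pkt + 4);
    (void)len;
    strcpy(nick, (const char *)pkt + 8);                          /* bug A */
    snprintf(msg, sizeof msg, "player %s had crash at 0x%x\n",
             (const char *)(uintptr_t)off, off);                  /* bug B */
    fputs(msg, stderr);
}

/* Hardened handler: password first, bounded nickname, offset logged as a number. */
enum join_result handle_join(const uint8_t *pkt, size_t len, char nick_out[NICK_MAX],
                             uint32_t *offset_out, char *log, size_t loglen)
{
    if (loglen) log[0] = '\0';
    if (len < 9) return JOIN_TRUNCATED;
    /* The password is verified before anything else is parsed, which is why
     * the advisory classes both bugs as in-game: a wrong checksum stops here. */
    if (le32(pkt) != SERVER_PASSWORD_CHECKSUM) return JOIN_BAD_PASSWORD;

    const uint8_t *nick = pkt + 8;
    size_t avail = len - 8;
    const uint8_t *nul = memchr(nick, 0, avail);
    if (nul == NULL) return JOIN_TRUNCATED;                   /* no terminator inside the packet */
    size_t nlen = (size_t)(nul - nick);
    if (nlen == 0 || nlen >= NICK_MAX) return JOIN_BAD_NICK;  /* bounds check that fixes bug A */
    memcpy(nick_out, nick, nlen + 1);

    /* The client-supplied value is never used as a pointer; it is only printed. */
    uint32_t off = le32(pkt + 4);
    *offset_out = off;
    snprintf(log, loglen, "player %s reported crash at 0x%08x\n", nick_out, off);
    return JOIN_OK;
}

/* Build a constructed packet with a nickname of nick_len 'A's and run it
 * through the hardened handler. */
enum join_result simulate(uint32_t checksum, uint32_t off, size_t nick_len,
                          uint32_t *offset_out, char *log, size_t loglen)
{
    uint8_t pkt[256];
    char nick[NICK_MAX];
    if (nick_len > sizeof pkt - 9) nick_len = sizeof pkt - 9;
    put32(pkt, checksum);
    put32(pkt + 4, off);
    memset(pkt + 8, 'A', nick_len);
    pkt[8 + nick_len] = '\0';
    return handle_join(pkt, 9 + nick_len, nick, offset_out, log, loglen);
}

int main(void)
{
    char log[160];
    uint32_t off = 0;
    /* equivalent of "swbfp -m 1234": 0x4d2 is logged as a value, nothing is dereferenced */
    printf("result=%d ", simulate(SERVER_PASSWORD_CHECKSUM, 1234, 5, &off, log, sizeof log));
    fputs(log, stdout);
    /* equivalent of "swbfp -s 100": the 100-char nickname is rejected instead of overflowing */
    printf("100-char nick: result=%d\n", simulate(SERVER_PASSWORD_CHECKSUM, 0, 100, &off, log, sizeof log));
    printf("wrong password: result=%d\n", simulate(0, 1234, 5, &off, log, sizeof log));
    return 0;
}
```

The ordering in handle_join mirrors the advisory's caveat: the checksum is compared before the nickname or the offset field is even looked at, so a server protected by a password rejects both attack packets unless the attacker already knows it. The hardened path also never interprets the 32-bit field as anything but an integer to print, which is the whole fix for bug B.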