#######################################################################

                             Luigi Auriemma

Application:  America's Army 3
              http://www.americasarmy.com/aa3.php
Versions:     <= 3.0.5
Platforms:    Windows
Bug:          packets loop
Exploitation: remote, versus server
Date:         14 Jul 2009
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

America's Army 3 (AA3) is the new free game of the AA series, developed
for the U.S. Army as an aid to military recruitment.
Released about 20 days ago, it is already played by thousands of players
on more than 400 online servers
(http://login.aa3.americasarmy.com/servers).

#######################################################################

======
2) Bug
======

Port 39300 (or 9002 in LAN mode) of the server is used to reply to the
queries of the AA3 clients, sending back all the information about the
status of the server and the match.

If the incoming query is invalid, the server replies with a packet
containing the "resultCode" "errorMessage" "failed to validate field
contents" message.

The problem is that this error packet is also sent back when the
incoming query is itself that same error message. So it is enough for
an attacker to send one spoofed packet (valid or invalid) to the query
port of the server, using the server's own IP and port as the source
address, to put the server in an endless "ping-pong" state in which it
sends and receives its own packets forever.

The effect does not look very dangerous, because the server keeps
running and players have no problem joining it, except for a possible
lag caused by the CPU reaching almost 100% (an effect increased by the
introduction of the leverage ssc encryption of the query/reply packets
in version 3.0.5).
But another type of attack exists for this vulnerability, one that could
even allow an automatic distributed Denial of Service across all the
AA3 servers on the Internet. In practice, if there are for example 400
servers online, an attacker only needs to send the spoofed packet
(with the first server's address as source) to the other 399, then do
the same with the second, the third and so on, creating an endless
flood across the entire network of servers.

As already said, the vulnerability requires the ability to send spoofed
packets, so the attacker must be able to do that.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/testz/udpsz.zip

  udpsz -P SERVER -p 39300 SERVER 39300 1

or

  udpsz -l 10 -P SERVER -p 39300 SERVER 39300 1

or

  udpsz -P SECOND_SERVER -p 39300 FIRST_SERVER 39300 1

note: LAN servers use port 9002 instead.

#######################################################################

======
4) Fix
======

No fix.

#######################################################################