dropteamz.txt
Posted Oct 6, 2007
Authored by Luigi Auriemma | Site aluigi.org

Dropteam versions 1.3.3 and below suffer from format string, buffer overflow, and various other vulnerabilities.

tags | advisory, overflow, vulnerability
SHA-256 | ca2a0666e167ea1101122617afa4c111a58fdd038b9ba6445e2b39abfcde587c


#######################################################################

Luigi Auriemma

Application: Dropteam
http://www.battlefront.com/products/dropteam/news.html
Versions: <= 1.3.3
Platforms: Windows, Linux and Mac
Bugs: A] format string through packet 0x01
      B] buffer-overflow through packet 0x5c
      C] heap-overflow through packet 0x18
      D] various memory crash through packet 0x4b
      E] account password sent to server
Exploitation: remote, versus server
Date: 05 Oct 2007
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Dropteam is a tactical war game developed by Battlefront
(http://www.battlefront.com).


#######################################################################

=======
2) Bugs
=======

------------------------------------
A] format string through packet 0x01
------------------------------------

Various format string vulnerabilities can be exploited through packet
0x01, where the account username, the account password and the nickname
passed by the client are used directly as the format argument of
sprintf().

Note that the formatted strings are echoed in the reply packet sent by
the server, so an attacker can tune the exploit for the maximum chance
of success if necessary.
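The following is an added example and is not code from the advisory or
from Dropteam; it shows the handler pattern described above beside the
fixed form. The reply text ("Welcome, ..."), the buffer sizes and the
function names are assumptions made for this example, since the advisory
does not give them.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Builds the server's reply from a client-supplied nickname.
 * The pattern the advisory describes is sprintf(reply, nick): the untrusted
 * field *is* the format string, so any '%' directives in it are interpreted.
 * Here the field is only ever a "%s" argument and the output is bounded by
 * snprintf. Returns 0 on success, -1 if the reply would not fit (the output
 * is then truncated but still NUL-terminated). */
int build_reply(char *out, size_t outsz, const char *nick)
{
    int n = snprintf(out, outsz, "Welcome, %s", nick);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return 0;
}

/* Server-side sanity check for a login field: a literal '%' has no business
 * in a username or nickname, so logging or rejecting such fields is a cheap
 * way to notice probing of the 0x01 handler. This is a heuristic, not the
 * fix; the fix is build_reply() above. */
bool field_has_format_directive(const char *field, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (field[i] == '%')
            return true;
    return false;
}

/* Constructed sample inputs (not captured traffic). */
int demo_safe_reply_with_directives(void)
{
    char out[32];
    /* Under sprintf(out, nick) this nickname would be parsed as directives;
       with build_reply() it is copied literally. */
    return build_reply(out, sizeof out, "%s%s%s") == 0
        && strcmp(out, "Welcome, %s%s%s") == 0;
}

int demo_truncation_is_reported(void)
{
    char out[12];   /* deliberately too small for the full reply */
    return build_reply(out, sizeof out, "a_rather_long_nick") == -1
        && strlen(out) == 11;
}
```

The two demo functions return 1 when the handler behaves as intended:
client data never reaches the format-string position, and an oversized
reply is reported rather than written past the buffer.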


--------------------------------------
B] buffer-overflow through packet 0x5c
--------------------------------------

A buffer overflow is exploitable through packet 0x5c, where a stack
buffer is filled with the various data supplied by the client without
proper length checks.


------------------------------------
C] heap-overflow through packet 0x18
------------------------------------

The server stores up to 131070 (a 16-bit value shifted left by one)
32-bit numbers supplied by the attacker into a heap buffer of 16
kilobytes.


-------------------------------------------
D] various memory crash through packet 0x4b
-------------------------------------------

Another heap overflow occurs during handling of the 0x4b packet, which
consists of up to 255 strings of up to 65535 bytes each.
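Bugs C] and D] are both counted-array parsers that trust the count or
length from the wire. The following is an added example and not code from
the advisory or from Dropteam: a bounded parser for each layout. The
16-kilobyte destination, the 16-bit << 1 count and the 255-string limit
come from the advisory; the exact wire layout (little-endian fields, a
u16 count for 0x18, u8 count plus u16 length prefixes for 0x4b) and the
string-store size are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HEAP_BUF_BYTES   16384u                              /* from the advisory */
#define HEAP_BUF_VALUES  (HEAP_BUF_BYTES / sizeof(uint32_t)) /* 4096 values */
#define MAX_STRINGS      255u                                /* from the advisory */
#define STR_STORE_BYTES  4096u                               /* assumed capacity */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Packet 0x18 body (assumed layout): u16 n, then (n << 1) u32 values.
 * Returns the number of values copied, or -1 if the count exceeds the
 * destination or the packet is shorter than its own count claims. */
long parse_values_0x18(const uint8_t *body, size_t len, uint32_t *dst, size_t dst_cap)
{
    if (len < 2) return -1;
    size_t count = (size_t)rd16(body) << 1;   /* up to 131070 */
    if (count > dst_cap) return -1;           /* the check the advisory says is missing */
    if ((len - 2) / 4 < count) return -1;     /* truncated packet */
    for (size_t i = 0; i < count; i++)
        dst[i] = rd32(body + 2 + i * 4);
    return (long)count;
}

/* Packet 0x4b body (assumed layout): u8 n, then n strings as u16 len + bytes.
 * Strings are copied NUL-terminated into store[]; offsets[i] is where the
 * i-th string starts. Returns n, or -1 on any length inconsistency. */
long parse_strings_0x4b(const uint8_t *body, size_t len, char *store, size_t store_cap,
                        size_t *offsets, size_t max_strings)
{
    if (len < 1) return -1;
    size_t n = body[0];
    if (n > max_strings) return -1;
    size_t pos = 1, used = 0;
    for (size_t i = 0; i < n; i++) {
        if (len - pos < 2) return -1;
        size_t slen = rd16(body + pos);
        pos += 2;
        if (len - pos < slen) return -1;             /* claims more bytes than sent */
        if (store_cap - used < slen + 1) return -1;  /* would overflow the store */
        memcpy(store + used, body + pos, slen);
        store[used + slen] = '\0';
        offsets[i] = used;
        used += slen + 1;
        pos += slen;
    }
    return (long)n;
}

/* Constructed sample bodies (not captured traffic). */
static const uint8_t good_0x18[] = { 0x02, 0x00,           /* n = 2 -> 4 values */
    1,0,0,0, 2,0,0,0, 3,0,0,0, 4,0,0,0 };
static const uint8_t huge_0x18[] = { 0xff, 0xff };         /* n = 65535 -> 131070 values */
static const uint8_t good_0x4b[] = { 0x02, 0x03,0x00,'a','b','c', 0x01,0x00,'z' };
static const uint8_t lying_0x4b[] = { 0x01, 0xff,0xff, 'x' }; /* claims 65535 bytes, sends 1 */

int demo_0x18_good(void)
{
    uint32_t buf[HEAP_BUF_VALUES];
    long n = parse_values_0x18(good_0x18, sizeof good_0x18, buf, HEAP_BUF_VALUES);
    return n == 4 && buf[0] == 1 && buf[3] == 4;
}

int demo_0x18_rejects_oversized(void)
{
    uint32_t buf[HEAP_BUF_VALUES];
    return parse_values_0x18(huge_0x18, sizeof huge_0x18, buf, HEAP_BUF_VALUES) == -1;
}

int demo_0x4b_good(void)
{
    char store[STR_STORE_BYTES]; size_t off[MAX_STRINGS];
    long n = parse_strings_0x4b(good_0x4b, sizeof good_0x4b, store, sizeof store, off, MAX_STRINGS);
    return n == 2 && strcmp(store + off[0], "abc") == 0 && strcmp(store + off[1], "z") == 0;
}

int demo_0x4b_rejects_lying_length(void)
{
    char store[STR_STORE_BYTES]; size_t off[MAX_STRINGS];
    return parse_strings_0x4b(lying_0x4b, sizeof lying_0x4b, store, sizeof store, off, MAX_STRINGS) == -1;
}
```

Both parsers check the wire count against two independent limits, the
destination capacity and the bytes actually received, before copying;
either check alone is enough to turn the overflow into a rejected packet.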


----------------------------------
E] account password sent to server
----------------------------------

To play Dropteam online it is necessary to register an account using the
product key of a purchased copy of the game.
The packet used by the client to join a server consists of the following
fields: account username, account password, game version and nickname.
The problem is that the account credentials are transmitted to the
server the client wants to join, allowing any server admin (anyone can
set up a server) to collect and use these accounts.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/dropteamz.zip


#######################################################################

======
4) Fix
======


The bugs will probably be fixed in the next patch.


#######################################################################


---
Luigi Auriemma
http://aluigi.org
http://forum.aluigi.org
http://mirror.aluigi.org