####################################################################### Luigi Auriemma Application: Babo Violent 2 http://www.rndlabs.ca http://baboviolent.net Versions: <= 2.08.00 Platforms: Windows and Linux Bugs: A] crash through malformed value B] format string C] crash through unexistent map D] crash through malformed UDP packet Exploitation: A, B and C versus server (both dedicated and game) D versus both clients and server Date: 14 Aug 2007 Author: Luigi Auriemma e-mail: aluigi@xxxxxxxxxxxxx web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Babo Violent 2 is a famous free multiplayer game developed by RndLabs (now under bitHeads). ####################################################################### ======= 2) Bugs ======= -------------------------------- A] crash through malformed value -------------------------------- The data with ID 0xca, 0xcb, 0xcc, 0xce, 0xcf and 0xd0 have a first byte which if is set to a value major or equal than 0x28 (this number can change) causes the crash of the program. In my tests doesn't seem possible to use this bug for executing remote code although some registers change their values using different data after this byte. ---------------- B] format string ---------------- The output function used by the server is vulnerable to a format string bug exploitable through the messages and the admin login. An easy way to test the problem is through the sending of a message containing %x. ------------------------------- C] crash through unexistent map ------------------------------- If the client specifies a map which is not available, the server will terminate due to the exception (stream != NULL). What the server does is calling fopen() with the value passed by the client plus the .bvm extension in the map folder (note that if the filename is not NULLed there will be many garbage bytes before the extension). ------------------------------------- D] crash through malformed UDP packet ------------------------------------- Both the servers and the clients open another port other than 3333 which is 11111, this port is used for LAN queries and by clients. In short each UDP packet is composed by a 16 bit number which specifies the size of the data in the packet. It's enough to send a small UDP packet with a big 16 bit value for forcing the program (client or server) to read outside the available memory of the packet causing a crash: memcpy(buffer_of_65536, packet + 9, *(uint16_t *)(packet + 7)); Note that all the IP addresses of the clients are visibile in the server through the "playerlist" command, so an attacker can decide to "kick" only the players he wants or all of them or just the entire server. Note: the password protection in servers doesn't seem to work very well that's why sometimes these in-game bugs can be exploited also in protected servers without knowing the needed keyword, it's enough to reconnect if the connection closes... and be lucky. Another interesting thing is that the sender of the chat messages is specified by the client so is possible to spoof any message. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/bv2x.zip ####################################################################### ====== 4) Fix ====== I have posted the details of the bugs on dev.baboviolent.net about ten days ago but nobody has done something. ####################################################################### --- Luigi Auriemma http://aluigi.org http://mirror.aluigi.org