#######################################################################

                             Luigi Auriemma

Application:  America's Army 3
              http://www.americasarmy.com/aa3.php
Versions:     <= 3.0.6
Platforms:    Windows
Bug:          resource consumption and crash
Exploitation: remote, versus server
Date:         13 Jul 2009
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


America's Army 3 (AA3) is the new free game in the AA series, developed
for the U.S. Army as an aid to military recruitment.
Released about 20 days ago, it is already played by thousands of players
and has more than 400 online servers
(http://login.aa3.americasarmy.com/servers).


#######################################################################

======
2) Bug
======


AA3 is affected by an unusual and weird problem in the handling of
incoming players and their authentication with the master server, since
every time a player joins the server he is automatically verified with
this centralized AA3 authentication server (auth.aa3.americasarmy.com).

With my Unreal Fake Players tool (unrealfp) it is possible to test the
partial joining of players, and during a normal test I noticed a huge
amount of errors referring to the MBS component plus the crash of the
whole server after some seconds.

The cause of the problem is not clear and has been verified only on my
test server (both GLOBAL and LAN), where the following effects have been
confirmed:
- CPU almost at 100%
- huge usage of the network bandwidth for the verification of the
  players with the authentication server (for each player, the hostname
  auth.aa3.americasarmy.com is resolved and a TCP connection to it is
  made)
- crash of the entire server after a variable amount of time (less than
  30 seconds in my tests)

Although the problem can be exploited with a "normal" fake players
attack, I have seen better results with the JOINSPLIT command, which
allows a single player to occupy various slots on the server.

The following are the typical error messages visible in the server's
logs while the problem is being verified:

  Log: MBSEngine Error -1
  Log: MBS Error: -1 (length 84):
  Log: [sdk->set_server_player_attribute():823] 'unable to set attribute of unknown player'

or

  Log: MBSEngine Error -1
  Log: MBS Error: -1 (length 33):
  Log: error -1 (general error) occurred


#######################################################################

===========
3) The Code
===========


http://aluigi.org/fakep/unrealfp.zip

  unrealfp -s JOINSPLIT 1 100 -l "ui_bink_master?Name=player?team=0?Face=0" SERVER 8777

If needed, repeat the command (even 10 times) until the vulnerability is
verified.


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
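
A defender-side check for the MBS error records quoted in section 2, added here as an example and not part of the original advisory or of unrealfp: it groups each header and message line into a record, compares the declared length with the message, and raises an alert once the record count reaches a threshold. The threshold of 3, the function names and the constructed sample log are assumptions.

```python
import re
from collections import Counter

# Header that precedes each MBS message, as quoted in the advisory.
HEADER = re.compile(r"^Log: MBS Error: (-?\d+) \(length (\d+)\):\s*$")
PREFIX = "Log: "

def parse_mbs_errors(lines):
    """Return (code, message, length_ok) for every MBS error record."""
    lines = [ln.rstrip("\r\n") for ln in lines]
    records, i = [], 0
    while i < len(lines):
        m = HEADER.match(lines[i])
        if m and i + 1 < len(lines) and lines[i + 1].startswith(PREFIX):
            msg = lines[i + 1][len(PREFIX):]
            # The declared length should equal the message length.
            records.append((int(m.group(1)), msg, len(msg) == int(m.group(2))))
            i += 2
        else:
            i += 1  # "MBSEngine Error" lines and unrelated lines are skipped
    return records

def summarize(lines, threshold=3):
    """Tally MBS errors; threshold is a hypothetical alerting value."""
    records = parse_mbs_errors(lines)
    return {
        "total": len(records),
        "by_message": Counter(msg for _, msg, _ in records),
        "length_mismatch": sum(1 for r in records if not r[2]),
        "alert": len(records) >= threshold,
    }

# Constructed sample built from the two records quoted in the advisory.
UNKNOWN_PLAYER = [
    "Log: MBSEngine Error -1",
    "Log: MBS Error: -1 (length 84):",
    "Log: [sdk->set_server_player_attribute():823] "
    "'unable to set attribute of unknown player'",
]
GENERAL_ERROR = [
    "Log: MBSEngine Error -1",
    "Log: MBS Error: -1 (length 33):",
    "Log: error -1 (general error) occurred",
]
SAMPLE_LOG = UNKNOWN_PLAYER * 2 + ["Log: constructed unrelated line"] + GENERAL_ERROR

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The server log carries no timestamps in the lines quoted above, so the check counts records per scanned log rather than per time window.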