#######################################################################

Luigi Auriemma

Application:  Battlefield 1942 and Vietnam
              http://www.battlefield1942.com
Versions:     Battlefield 1942 <= 1.6.19
              Battlefield Vietnam <= 1.2
Platforms:    Windows and Mac
Bug:          client crash
Exploitation: remote, versus clients (broadcast)
Date:         07 December 2004
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Battlefield 1942 and Vietnam are two of the best-known and most played FPS games based on the respective military conflicts. They are developed by Digital Illusions (http://www.dice.se) and were released in September 2002 and March 2004 respectively.

#######################################################################

======
2) Bug
======

Like any multiplayer game, Battlefield contacts a master server to learn all the available online servers and then automatically queries them to collect information for the in-game browser.

The problem is in the "numplayers" parameter of the server's reply: if it is too large a number, it causes an immediate freeze of the client followed (after some seconds) by a crash caused by access to a NULL pointer.

This is a broadcast client crash, so a single attacker visible in the master server list is able to passively exploit the bug against any vulnerable client online.
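As an added illustration (not code from the advisory or from the game), the following shows the kind of input validation a client should apply to the "numplayers" field before using it to size any player table. It assumes the reply is in the backslash-delimited "\key\value" form and that 64 is a sane upper bound; both are assumptions, not facts from the advisory.

```c
#include <stdlib.h>
#include <string.h>

#define MAX_PLAYERS 64  /* assumed sane upper bound, adjust to the game's real limit */

/* Look up `key` in a "\key\value\key\value" reply (assumed format).
 * Returns a pointer to the value and its length via *len, or NULL if
 * the key is absent. Values are not NUL-terminated inside the reply. */
static const char *find_value(const char *reply, const char *key, size_t *len) {
    size_t klen = strlen(key);
    const char *p = reply;
    while (*p == '\\') {
        p++;
        const char *kend = strchr(p, '\\');
        if (!kend) return NULL;                 /* key without a value */
        const char *v = kend + 1;
        const char *vend = strchr(v, '\\');
        size_t vlen = vend ? (size_t)(vend - v) : strlen(v);
        if ((size_t)(kend - p) == klen && memcmp(p, key, klen) == 0) {
            *len = vlen;
            return v;
        }
        if (!vend) return NULL;
        p = vend;
    }
    return NULL;
}

/* Parse "numplayers", accepting only a plain decimal in 0..limit.
 * Returns -1 when the key is missing, empty, non-numeric, or too large,
 * so a hostile count never reaches an allocation or loop bound. */
int parse_numplayers(const char *reply, int limit) {
    size_t len;
    const char *v = find_value(reply, "numplayers", &len);
    if (!v || len == 0 || len > 9) return -1;   /* 9 digits cannot overflow long */
    long n = 0;
    for (size_t i = 0; i < len; i++) {
        if (v[i] < '0' || v[i] > '9') return -1; /* rejects '-', '+', spaces */
        n = n * 10 + (v[i] - '0');
    }
    if (n > limit) return -1;
    return (int)n;
}

/* Hardened use: allocate player slots only after the count is validated,
 * and check the allocation result instead of dereferencing it blindly. */
int allocate_player_table(const char *reply, void **table) {
    *table = NULL;
    int n = parse_numplayers(reply, MAX_PLAYERS);
    if (n < 0) return -1;
    *table = calloc((size_t)n + 1, 64);        /* 64 bytes per slot, hypothetical */
    return *table ? n : -1;
}
```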
#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/bfcboom.zip

#######################################################################

======
4) Fix
======

Battlefield 1942 1.61b
Battlefield Vietnam 1.21

Note: this patch for Battlefield 1942 also finally corrects the known bug in the old Gamespy cd-key SDK (aka gshboom, 24 February 2004) used by the game and affecting the servers.

#######################################################################