#######################################################################

                             Luigi Auriemma

Application:  America's Army 3
              http://www.americasarmy.com/aa3.php
Versions:     <= 3.0.7
Platforms:    Windows
Bugs:         A] weird NULL pointer
              B] 0x01 writing access violation
Exploitation: remote, versus server
Date:         20 Jun 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

America's Army 3 (AA3) is the new free game of the AA series, developed
for the U.S. Army as an aid to military recruitment.
After one year it is still widely played, with over 200 Internet servers:

  http://login.aa3.americasarmy.com/servers

#######################################################################

=======
2) Bugs
=======

The infamous port 39300 (or 9002 in LAN mode) of the server is still
the cause of other vulnerabilities.

Note that AA3 is still affected by the bugs explained in my aa3pwood
advisory (while aa3memset has been fixed), so this one is additional
proof of how badly that acpu_decompile function has been written.
This is also the reason why I have not debugged these problems much.

---------------------
A] weird NULL pointer
---------------------

I have not investigated this bug; anyway, through some particular
packets it is possible to crash the server due to a NULL pointer
dereference in various locations of the code, depending on the data in
such packets.

--------------------------------
B] 0x01 writing access violation
--------------------------------

This problem is a bit more interesting than the previous one because
there is an instruction that writes one byte (0x01, I have not checked
if it can be changed/controlled) into a char array with a 16-bit index
controlled by the attacker.

So the attacker can crash the server by writing this byte into the
unallocated memory after the one where this array/buffer is located,
or he can cause other types of trouble (for example, during a test the
process started to allocate a lot of memory due to the writing of the
byte in a particular location).

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/aa3again.zip

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
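As an added illustration of the bug class described in B] (this is not the game's code, which the advisory does not reproduce): a hypothetical packet handler that writes 0x01 at a 16-bit index read from the packet, shown first without and then with the bounds check that is missing. The array size, the packet layout and the byte order are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical reconstruction of the B] bug class: a handler reads a 16-bit
 * index from the packet and sets flags[index] = 0x01 without checking that the
 * index lies inside the array. Added example, not the acpu_decompile code. */

#define FLAGS_SIZE 256              /* assumed size of the target char array */

struct ctx {
    unsigned char flags[FLAGS_SIZE];
    unsigned char guard[64];        /* stands in for whatever follows the array */
};

/* Vulnerable pattern: a 16-bit index can reach 65535, far past flags[].
 * Kept for comparison only; never call it with an out-of-range index. */
void handle_unchecked(struct ctx *c, const unsigned char *pkt, size_t len)
{
    if (len < 2) return;
    uint16_t idx = (uint16_t)(pkt[0] | (pkt[1] << 8));   /* little-endian, assumed */
    c->flags[idx] = 0x01;           /* out-of-bounds write when idx >= FLAGS_SIZE */
}

/* Hardened pattern: reject any index outside the array before writing.
 * Returns 1 if the write was performed, 0 if the packet was rejected. */
int handle_hardened(struct ctx *c, const unsigned char *pkt, size_t len)
{
    if (len < 2) return 0;
    uint16_t idx = (uint16_t)(pkt[0] | (pkt[1] << 8));
    if (idx >= FLAGS_SIZE) return 0;                     /* the missing bounds check */
    c->flags[idx] = 0x01;
    return 1;
}

/* Feeds the hardened handler a constructed two-byte packet carrying `idx`.
 * Returns 1 if exactly flags[idx] became 0x01 and nothing else changed,
 * 0 if the packet was rejected and no memory was touched, -1 otherwise. */
int probe(uint16_t idx)
{
    struct ctx c, zero;
    memset(&c, 0, sizeof c);
    memset(&zero, 0, sizeof zero);
    unsigned char pkt[2] = { (unsigned char)(idx & 0xff), (unsigned char)(idx >> 8) };
    int accepted = handle_hardened(&c, pkt, sizeof pkt);
    if (!accepted)
        return memcmp(&c, &zero, sizeof c) == 0 ? 0 : -1; /* rejected: untouched */
    if (c.flags[idx] != 0x01) return -1;
    c.flags[idx] = 0;
    return memcmp(&c, &zero, sizeof c) == 0 ? 1 : -1;     /* exactly one byte written */
}
```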