#######################################################################

                             Luigi Auriemma

Application:  America's Army 3
              http://www.americasarmy.com/aa3.php
Versions:     <= 3.0.8
Platforms:    Windows
Bug:          negative memset overflow
Exploitation: remote, versus server
Date:         15 Jul 2009
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

America's Army 3 (AA3) is the new free game of the AA series, developed
for the U.S. Army as an aid to military recruitment.
Released about 20 days ago, it is already played by thousands of players
on more than 400 online servers
(http://login.aa3.americasarmy.com/servers).

#######################################################################

======
2) Bug
======

Port 39300 (or 9002 in LAN mode) of the server is used to reply to the
queries of the AA3 clients, sending them back all the information about
the status of the server and the match.

The protocol used on this port allows fragmented packets, so that data
which is too big for a single packet (usually each packet has a max size
of 1024 bytes) can be divided into multiple parts.

The function which handles the header of each packet takes the signed
16-bit field which specifies the total number of fragments that will be
sent, multiplies it by 2, allocates the needed memory and then performs
a memset(new_buffer, 0, fragments * 2) to clear it.

Because the field is a signed 16-bit value, the number 0xffff is read as
-1 (0xffffffff), so when multiplied by 2 the result is 0xfffffffe, which
is the number of bytes that memset then tries to clear, with the result
of an immediate crash of the entire server.
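The following is an added illustration, not AA3's code or a reconstruction of it: it models the header-handling pattern the advisory describes (a 16-bit fragment count read as signed and doubled before memset) and places it beside a hardened parser. The big-endian byte order, the MAX_FRAGMENTS limit and the function names are assumptions; the unsafe variant only returns the length memset would receive rather than calling it.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Assumed policy limit (not from the advisory): with 1024-byte fragments
   this caps a reply at 64 KiB, which is plenty for a status response. */
#define MAX_FRAGMENTS 64

/* Mirrors the flawed pattern: the count is read as a SIGNED 16-bit value,
   multiplied by 2 and converted to the unsigned size memset expects.
   Returned as uint32_t to reflect the 32-bit Windows platform.
   Byte order is assumed big-endian. */
uint32_t unsafe_memset_len(const unsigned char *hdr)
{
    int16_t fragments = (int16_t)((hdr[0] << 8) | hdr[1]); /* 0xffff -> -1 */
    int len = fragments * 2;                               /* -1 * 2 -> -2 */
    return (uint32_t)len;                  /* -2 -> 0xfffffffe bytes to clear */
}

/* Hardened variant: read the count as UNSIGNED and reject zero or oversized
   values before any allocation. Returns the table size in bytes, or 0 if the
   header is rejected. */
size_t safe_fragment_table_len(const unsigned char *hdr)
{
    uint16_t fragments = (uint16_t)((hdr[0] << 8) | hdr[1]);
    if (fragments == 0 || fragments > MAX_FRAGMENTS)
        return 0;
    return (size_t)fragments * 2;
}

/* Allocates a zeroed fragment table only for a validated count; calloc
   clears the memory, so no separate memset is needed. */
unsigned char *alloc_fragment_table(const unsigned char *hdr)
{
    size_t len = safe_fragment_table_len(hdr);
    if (len == 0)
        return NULL;
    return calloc(1, len);
}

int main(void)
{
    /* Constructed sample headers: a sane count of 3 and the 0xffff case. */
    const unsigned char good[2] = {0x00, 0x03};
    const unsigned char bad[2]  = {0xff, 0xff};
    printf("unsafe: good=%u bad=0x%08x\n", unsafe_memset_len(good), unsafe_memset_len(bad));
    printf("safe:   good=%zu bad=%zu\n", safe_fragment_table_len(good), safe_fragment_table_len(bad));
    return 0;
}
```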
#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/aa3memset.zip

#######################################################################

======
4) Fix
======

No fix.

#######################################################################