#######################################################################

Luigi Auriemma

Application:  America's Army 3
              http://www.americasarmy.com/aa3.php
Versions:     <= 3.0.8
Platforms:    Windows
Bugs:         A] NULL pointer caused by big string and 0x1ff6 limit
              B] access violations caused by negative string array
Exploitation: remote, versus server
Date:         15 Jul 2009
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

America's Army 3 (AA3) is the new free game in the AA series, developed
for the U.S. Army as an aid to military recruitment.
Released about 20 days ago, it is already played by thousands of
players, with more than 400 online servers
(http://login.aa3.americasarmy.com/servers).

#######################################################################

=======
2) Bugs
=======

The UDP port 39300 (or 9002 in LAN mode) of the server is used for
replying to the queries of the AA3 clients, sending them back all the
information about the status of the server and the match.

The protocol used on this port supports various types of data that,
although needed only in the server's replies, are parsed by both
clients and server using the same set of functions located in
acpu_decompile.

One of these types of data is the string array (type 0x07), which
allows multiple sequential strings to be specified and is the common
point of the vulnerabilities disclosed in this advisory:

-----------------------------------------------------
A] NULL pointer caused by big string and 0x1ff6 limit
-----------------------------------------------------

From my tests it seems that AA3 sets 0x1ff6 as the maximum size of the
block that contains the data of the query/reply packet and uses it to
decide whether or not to read a value, and so on.

In the case of the string array, after the allocation of the array in
memory (elements * 4) AA3 starts to read each string, which is composed
of a signed 16-bit field declaring the size of the string followed by
the string itself.
If the 0x1ff6 limit is exceeded during the reading of the data, AA3
generates a "detected overrun" log, puts a NULL in the current position
of the array instead of the pointer to the new buffer holding the read
string, and continues the parsing.

After this loop AA3 starts handling the collected strings, copying them
into other allocated buffers, and the problem arises at the handling of
the NULL pointers, which are used directly in a memcpy(), causing the
immediate crash of the entire server.

----------------------------------------------------
B] access violations caused by negative string array
----------------------------------------------------

In short, using a negative number of strings (so between 0x8000 and
0xffff) causes the termination of the server due to some access
violations.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/aa3pwood.zip

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
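The following C reader is an added example written for this page; it is not AA3 code, not part of the advisory, and not the referenced proof of concept. It models the type 0x07 string array as the advisory describes it (a 16-bit element count, then per string a 16-bit length field and the bytes, all inside a block capped at 0x1ff6) and shows the two checks whose absence produces bugs A and B: the count is rejected when it would be negative as a signed value (B), and a string that would run past the block end aborts the parse instead of leaving a NULL slot for a later memcpy() (A). Little-endian field order, the status names, and the sample blocks are assumptions made here, since the advisory does not give the byte layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Block size limit named in the advisory. */
#define AA3_BLOCK_LIMIT 0x1ff6u

/* Outcome of a parse; these names are this example's own. */
enum parse_status {
    PARSE_OK = 0,
    PARSE_ERR_COUNT,      /* element count is zero, "negative", or cannot fit */
    PARSE_ERR_TRUNCATED,  /* a length field or string body crosses the block end */
    PARSE_ERR_ALLOC
};

struct string_array {
    size_t count;
    char **items;  /* NUL-terminated copies; on PARSE_OK none of them is NULL */
};

/* Assumed little-endian 16-bit fields (byte order is not stated in the advisory). */
static uint16_t rd_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

void free_string_array(struct string_array *a)
{
    for (size_t i = 0; i < a->count; i++) free(a->items[i]);
    free(a->items);
    a->count = 0; a->items = NULL;
}

/* Hardened reader for a type 0x07 string array. */
enum parse_status parse_string_array(const uint8_t *blk, size_t blk_len,
                                     struct string_array *out)
{
    out->count = 0; out->items = NULL;
    if (blk_len > AA3_BLOCK_LIMIT || blk_len < 2) return PARSE_ERR_TRUNCATED;

    uint16_t count = rd_le16(blk);
    /* Bug B: 0x8000..0xffff is negative when read as a signed 16-bit value.
     * Refuse it (and zero) before it reaches the elements * 4 allocation. */
    if (count == 0 || count >= 0x8000) return PARSE_ERR_COUNT;
    /* Each string carries at least a 2-byte length, so the count alone can
     * prove the block too small before anything is allocated. */
    if ((size_t)count * 2 > blk_len - 2) return PARSE_ERR_COUNT;

    char **items = calloc(count, sizeof *items);
    if (!items) return PARSE_ERR_ALLOC;
    struct string_array tmp = { 0, items };

    size_t pos = 2;
    for (uint16_t i = 0; i < count; i++) {
        if (blk_len - pos < 2) { free_string_array(&tmp); return PARSE_ERR_TRUNCATED; }
        int16_t slen = (int16_t)rd_le16(blk + pos);
        pos += 2;
        /* Bug A: the original logged "detected overrun", stored NULL in this
         * slot and kept going, so the later memcpy() dereferenced NULL. Here an
         * overrun (or a negative length) aborts the whole parse instead. */
        if (slen < 0 || (size_t)slen > blk_len - pos) {
            free_string_array(&tmp); return PARSE_ERR_TRUNCATED;
        }
        char *s = malloc((size_t)slen + 1);
        if (!s) { free_string_array(&tmp); return PARSE_ERR_ALLOC; }
        memcpy(s, blk + pos, (size_t)slen);
        s[slen] = '\0';
        items[i] = s;
        tmp.count = i + 1;     /* so a later failure frees exactly what was read */
        pos += (size_t)slen;
    }
    *out = tmp;
    return PARSE_OK;
}

/* Constructed sample blocks (not captured traffic) exercising each path. */
static const uint8_t SAMPLE_OK[]        = { 0x02,0x00, 0x03,0x00,'a','b','c', 0x02,0x00,'x','y' };
static const uint8_t SAMPLE_NEG_COUNT[] = { 0x00,0x80, 0x00,0x00 };       /* count = 0x8000 */
static const uint8_t SAMPLE_OVERRUN[]   = { 0x01,0x00, 0xff,0x7f, 'a' };  /* claims 0x7fff bytes */

/* Returns the number of strings parsed from SAMPLE_OK, or -1 on any mismatch. */
int demo_ok(void)
{
    struct string_array a;
    if (parse_string_array(SAMPLE_OK, sizeof SAMPLE_OK, &a) != PARSE_OK) return -1;
    int good = a.count == 2 && strcmp(a.items[0], "abc") == 0 && strcmp(a.items[1], "xy") == 0;
    int n = (int)a.count;
    free_string_array(&a);
    return good ? n : -1;
}

int demo_negative_count(void)
{
    struct string_array a;
    return parse_string_array(SAMPLE_NEG_COUNT, sizeof SAMPLE_NEG_COUNT, &a);
}

int demo_overrun(void)
{
    struct string_array a;
    return parse_string_array(SAMPLE_OVERRUN, sizeof SAMPLE_OVERRUN, &a);
}

int main(void)
{
    printf("valid block: %d strings\n", demo_ok());
    printf("negative count -> status %d\n", demo_negative_count());
    printf("overrun -> status %d\n", demo_overrun());
    return 0;
}
```

The design point is that a reader which rejects the whole element on the first bad length leaves no half-filled array for later code to trust; the original's choice to log, store NULL and continue is what turned a malformed query into a server crash.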