#######################################################################

                             Luigi Auriemma

Application:  BFCommand & Control Server Manager
              http://www.bfcommandcontrol.org
Versions:     BFCC  <= 1.22_A
              BFVCC <= 2.14_B
              BFVCCDaemon is NOT vulnerable
Platforms:    Windows
Bugs:         A] full anonymous login bypass
              B] login bypass through NULL username
              C] invulnerable clients and full privileges
              D] server full after consecutive connections
Exploitation: remote
Date:         29 Aug 2005
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

BFCommand & Control Server Manager is a server manager available for
the games Battlefield 1942 (with the name BFCC), Battlefield Vietnam
(BFVCC) and Battlefield 2 (BF2CC).
The difference between these server managers and the others available
on the Internet is that BFVCC is also directly included on the CD of
Battlefield Vietnam, so it's used on many servers.

I have made a quick search on the Internet and I have found that over
20% of public Battlefield Vietnam servers use one of the vulnerable
versions of BFVCC on standard ports, which, through these
vulnerabilities, means full access to the management of these game
servers and to other possibly sensitive information like the POP3
password of the admin.

BFVCCDaemon is not vulnerable because it uses another protocol and in
fact is considered a different program altogether. Moreover, on the
Internet the number of BFV servers which use BFVCCDaemon is almost
nonexistent.

#######################################################################

=======
2) Bugs
=======

------------------------------
A] full anonymous login bypass
------------------------------

This bug can be explained with the following words: there is no login
mechanism.
In fact the "login" command is totally useless because anyone can
connect to the server manager and take control of it with full "Super
Admin" privileges.
The most interesting thing is that without logging into the server the
attacker doesn't exist: the logs don't report his operations (except
for a couple of commands, if used) and, for the server, there is nobody
connected at that moment.
Really a good way to control the server like a ghost, with maximum
relaxation and power.

-------------------------------------
B] login bypass through NULL username
-------------------------------------

The "login" command is naturally composed of a username and a password,
but the cool thing is that a NULL byte (0x00) in the username field
will bypass the authentication and the server will grant access to the
attacker:

  "login"   "\x1e"     // command
  "\0"      "\x1e"     // username (NULL byte)
  "none"    "\x1e"     // password "none"
  "none"    "\x1e"     // username
  ""        "\x1e"     // ???
  ""                   // ???
  "\x00\x40\x40\x00"   // command delimiter

-------------------------------------------
C] invulnerable clients and full privileges
-------------------------------------------

The admins (and moreover the local admin) have the ability to boot the
other remote admins.
The command "Boot" and any other command which has an effect on the
clients are totally useless, since the server continues to keep the
connection established and any operation or disconnection is made by
the client, not by the server.
In short, a modified client (for example one where a NULL byte has been
placed where the unicode command Boot is located in the executable)
cannot be booted.
Each admin can also be limited in what he can or cannot do by setting
some permissions in the "User Profiles" section.
Just like the Boot command, the permissions are client-side too, so an
admin with very restricted power can take full control of the server
manager.

--------------------------------------------
D] server full after consecutive connections
--------------------------------------------

A sort of "fake players" attack, with the difference that here after 20
consecutive connections (just a simple connect and disconnect) the
server becomes full forever.
In short, if the client doesn't send the "login" command the server
considers the connection to be in an idle state, and when the limit of
20 connections is reached (although the connections and the sockets
have been closed!) it becomes full and nobody can use the server
manager from remote.
Naturally this attack is also not shown in the logs.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/bfccown.zip

#######################################################################

======
4) Fix
======

No fix.
No reply from the developers.
I suggest that users of BFVCC use BFVCCDaemon, which is not vulnerable.

#######################################################################
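Since the vendor has shipped no fix, the only thing an operator of a still-exposed BFCC/BFVCC port can do is watch the management traffic for the conditions described in bugs A, B and D above. The following Python monitor is an added example written for this page; it is not part of the advisory, of the proof-of-concept archive, or of the BFCC software. It assumes the framing that can be read from the snippet in bug B (fields separated by 0x1e, each command terminated by the 4-byte sequence 00 40 40 00, username in the second field); that reading is an assumption, as is the placeholder command name used in the constructed sample payloads. It reports a "login" whose username field contains a NUL byte (bug B), any command sent on a connection that never logged in (bug A), and a batch of connections that reached the 20-idle-connection limit without a single login (bug D).

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Framing as read from the advisory's packet snippet (assumption):
# fields are separated by 0x1e and every command ends with 00 40 40 00.
FIELD_SEP = b"\x1e"
FRAME_END = b"\x00\x40\x40\x00"

# Idle-connection limit named in bug D of the advisory.
IDLE_CONNECTION_LIMIT = 20


def split_frames(stream: bytes) -> Tuple[List[bytes], bytes]:
    """Cut a raw TCP payload into complete frames; return (frames, leftover)."""
    frames = []
    while True:
        idx = stream.find(FRAME_END)
        if idx < 0:
            return frames, stream
        frames.append(stream[:idx])
        stream = stream[idx + len(FRAME_END):]


def parse_frame(frame: bytes) -> Tuple[bytes, List[bytes]]:
    """Return (command, argument fields) for one frame."""
    fields = frame.split(FIELD_SEP)
    return fields[0], fields[1:]


@dataclass
class ConnectionState:
    logged_in: bool = False
    alerts: List[str] = field(default_factory=list)


def inspect_frame(conn: ConnectionState, frame: bytes) -> ConnectionState:
    """Apply the bug A and bug B checks to one client frame."""
    command, args = parse_frame(frame)
    if command == b"login":
        username = args[0] if args else b""
        if b"\x00" in username:
            # Bug B: a NUL byte in the username field bypasses authentication.
            conn.alerts.append("login with NUL byte in username (bug B)")
        # The server accepts the login either way, so track it as logged in.
        conn.logged_in = True
    elif not conn.logged_in:
        # Bug A: the server executes commands without any prior login.
        conn.alerts.append(f"command {command!r} before any login (bug A)")
    return conn


def inspect_stream(stream: bytes) -> List[str]:
    """Run the per-connection checks over a whole client-to-server payload."""
    conn = ConnectionState()
    frames, _leftover = split_frames(stream)
    for frame in frames:
        inspect_frame(conn, frame)
    return conn.alerts


def idle_connection_exhaustion(streams: List[bytes]) -> bool:
    """Bug D: true when the number of connections that never sent a
    'login' frame has reached the server's 20-idle-connection limit."""
    idle = 0
    for stream in streams:
        frames, _ = split_frames(stream)
        if not any(parse_frame(f)[0] == b"login" for f in frames):
            idle += 1
    return idle >= IDLE_CONNECTION_LIMIT


if __name__ == "__main__":
    # Constructed sample payloads (not captured traffic); "EXAMPLE_COMMAND"
    # is a placeholder, not a real BFCC command name.
    bypass_login = b"login\x1e\x00\x1enone\x1enone\x1e\x1e" + FRAME_END
    normal_login = b"login\x1eadmin\x1esecret\x1e\x1e" + FRAME_END
    some_command = b"EXAMPLE_COMMAND\x1earg" + FRAME_END
    print(inspect_stream(bypass_login + some_command))
    print(inspect_stream(some_command))
    print(inspect_stream(normal_login + some_command))
    print(idle_connection_exhaustion([b""] * IDLE_CONNECTION_LIMIT))
```

Feed `inspect_stream` the client-to-server bytes of each management connection (for example reassembled from a capture on the manager's port) and `idle_connection_exhaustion` the list of payloads seen in a short window; an alert from any of the three checks is worth treating as a compromise attempt, since none of these events appears in the manager's own logs.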