#######################################################################

                             Luigi Auriemma

Application:  Soldier of Fortune II with PunkBuster enabled
              http://www.ravensoft.com/soldier2.html
              http://www.PunkBuster.com
Versions:     PB for server < 1.180
Platforms:    Windows, Linux and Mac
Bug:          format string
Exploitation: remote, versus server (in-game)
Date:         16 Feb 2006
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


PunkBuster is a loved/hated anti-cheat system developed by Even Balance
(http://www.evenbalance.com) and officially used in many widespread games
like America's Army, Battlefield 1942/Vietnam/II, Call of Duty, Doom 3
and almost all the games based on the Quake 3 engine.


#######################################################################

======
2) Bug
======


The PunkBuster server module supports the automatic kick and ban of
players who use invalid cvars, for example values outside the range
specified by the server.
When this situation occurs, PB kicks the client using the game's own
functions (like a clientkick command). The message sent to the client
contains both the name of the monitored cvar and its value on the
client; the resulting string is used as the kick "reason".

The problem is that Soldier of Fortune II naturally makes no checks on
the "reason" parameter (see trap_DropClient) which is passed by PB or
by the server admin when kicking a player, so the subsequent sprintf()
call is vulnerable to a format string attack (it is in fact a double
sprintf()).

Normally this bug cannot be triggered by anyone but the server
administrator (typing: clientkick 0 %n%n%n%n%n), but PunkBuster is the
way that allows any player inside the server to crash or possibly take
control of the remote system.

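As an added illustration of the bug class described above (a constructed example, not Raven's or Even Balance's code; the function names are assumptions), the kick reason must reach the printf-style call as a "%s" argument rather than as the format string itself, and a server can count how many conversions a client-supplied value would trigger before it is ever handed to such a call:

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Constructed illustration; kick_reason_directives, build_kick_message and
 * escape_percent are assumed names, not SoF2 or PunkBuster functions. */

#define KICK_MSG_MAX 128

/* Count the printf conversions a string would trigger if it were used as a
 * format: every '%' not followed by another '%' is one conversion ("%%" is
 * a literal percent sign). A non-zero result on a cvar value is a red flag. */
int kick_reason_directives(const char *reason)
{
    int n = 0;
    for (const char *p = reason; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" prints a single '%' */
        n++;
    }
    return n;
}

/* Hardened equivalent of the double sprintf(): on both passes the reason is
 * data ("%s"), never the format, and the output is bounded. Returns the
 * length snprintf() would have written. */
int build_kick_message(char *out, size_t outlen, const char *cvar, const char *reason)
{
    char first[KICK_MSG_MAX];
    /* first pass (PB side): cvar name and client value become one reason */
    snprintf(first, sizeof first, "PB: %s %s", cvar, reason);
    /* second pass (engine side): the reason is again an argument, not the format */
    return snprintf(out, outlen, "Kicked: %s", first);
}

/* For legacy paths that still hand a string to a printf-style API as the
 * format, neutralise it by doubling every '%'. Returns false if the escaped
 * string (plus terminator) does not fit in outlen bytes. */
bool escape_percent(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (; *in; in++) {
        size_t need = (*in == '%') ? 2 : 1;
        if (o + need >= outlen) { out[0] = '\0'; return false; }
        out[o++] = *in;
        if (*in == '%') out[o++] = '%';
    }
    out[o] = '\0';
    return true;
}
```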
#######################################################################

===========
3) The Code
===========


- launch a client
- join a server (naturally with PunkBuster enabled)
- type /pb_cvarlist
- choose one of the monitored cvars, like "snaps" for example
- type: /set CVAR %n%n%n%n%n%n
  example: /set snaps %n%n%n%n%n%n
- the server will crash after a few seconds while kicking the client


#######################################################################

======
4) Fix
======


Even Balance quickly fixed the bug after my report, in version 1.180.


#######################################################################