####################################################################### Luigi Auriemma Application: Soldat http://www.soldat.pl Versions: game <= 1.4.2 and dedicated server <= 2.6.2 Platforms: Windows (Linux not affected) Bugs: A] clients crash caused by too long strings on the screen B] denial of service through file transfer port C] easy IP banning Exploitation: remote A] versus clients B] versus server (Windows only) C] versus specific clients Date: 23 Aug 2007 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== Soldat is a small and cool 2D multiplayer game with tons of players and servers around the world. ####################################################################### ======= 2) Bugs ======= First a short introduction about the types of servers available in the game: - game server / non-dedicated server: a player runs Soldat.exe, starts the server and plays in it automatically (player is both client and server at the same time) - game dedicated server: Soldat.exe -dedicated, as above but the player cannot play, he will only see a graphical interface for handling the server - dedicated server: this is referred to the stand-alone dedicated server (uses a version number different than the game) which is available for both Windows and Linux and runs in console --------------------------------------------------------- A] clients crash caused by too long strings on the screen --------------------------------------------------------- The messages visualized on the screen of the clients can't be longer than about 512 bytes otherwise a crash will occurr. An attacker can exploit this problem in at least two ways: - if the server is non-dedicated he can simply send this long string with a line feed at the end to the file transfer port (default 23083), the server will crash immediately - if the server is dedicated the attacker can send the long string as an in-game chat message and any player in it will crash like in the previous example Doesn't seem possible to use this bug for executing malicious code. ----------------------------------------------- B] denial of service through file transfer port ----------------------------------------------- The file transfer port (default 23083 or client port plus 10) supports input strings of max 16384 bytes (life feed included) and can be a problem for both the dedicated and non-dedicated Windows server: - the dedicated server runs in a classical console, which means that an attacker can use some chars (like 0x07) for "beeping" and freezing the Windows console due to the visualization of the requested map on the screen, during the attack the players in the server cannot play and the server is a hell of beeps and slowness - the game dedicated server (Soldat.exe -dedicated) suffers of a similar effect too since it will become very slow to use and to play on it ------------------ C] easy IP banning ------------------ this is a problem affecting Soldat from long time, in fact the bug is just in the lack of a real check on the players which join the server, in short it's enough one single UDP packet for being inside it. While in the past the banning happened with malformed packets (I wrote a PoC for it), in the recent versions is possible to exploit this problem sending multiple join packets causing a banning of 20 minutes for the source IP address. So if an attacker can spoof his packets he could ban one or more IP addresses on a specific server. In my opinion this is not a so great problem, I have reported it here only for thoroughness. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/soldatdos.zip ####################################################################### ====== 4) Fix ====== No fix. I'm in contact with the developer from over two weeks but unfortunately I'm not able to explain these bugs better than how I have done here... #######################################################################