<<< Date Index >>>     <<< Thread Index >>>

Limited buffer-overflow and arbitrary memory access in Star Wars Battlefront 1.11



#######################################################################

                             Luigi Auriemma

Application:  Star Wars Battlefront
              http://www.lucasarts.com/games/swbattlefront/
Versions:     <= 1.11
Platforms:    Windows
              Xbox and Playstation 2 have not been tested
Bugs:         A] limited buffer-overflow in nickname
              B] crash caused by arbitrary memory access
Exploitation: remote, versus server (in-game)
Date:         24 November 2004
Author:       Luigi Auriemma
              e-mail: aluigi@xxxxxxxxxxxxxx
              web:    http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Star Wars Battlefront is the newest game based on the universe of Star
Wars, is developed by Pandemic Studios (http://www.pandemicstudios.com)
and has been released at September 2004.

This game is available also for Xbox and Playstation 2. The dedicated
server for Playstation 2 runs on Windows and uses the same join
protocol of the PC version, in fact I have tested it and is vulnerable.
Since I'm not able to directly test also these 2 platforms I cannot
confirm if they are vulnerables or not.


#######################################################################

=======
2) Bugs
=======

--------------------------------------
A] limited buffer-overflow in nickname
--------------------------------------

If a client uses a too big nickname causes a limited buffer-overflow in
the server. "Limited" because doesn't seem possible to overwrite
important memory zones and, so, to execute remote code.


------------------------------------------
B] crash caused by arbitrary memory access
------------------------------------------

Exists a strange field in the join request used by this game.
This field is a 32 bits value that must contain a memory offset used to
build the following debug message:

 "player %s had crash at 0x%x\n"

where %s is just the memory address specified by the client.
The effect, naturally, is that an attacker can force the server to
read an unreacheable memory location causing its immediate crash.
I have no idea about why has been used a so stupid and dangerous
method.
Note: this bug doesn't seem to affect the Playstation 2 dedicatd
server.


Both these bugs must be considered in-game bugs (traduced: if the
server is protected with a password, the attacker must know it), simply
because the password field (a 32 bits checksum) is controlled before
the other informations so the packet is rejected if the password
provided by the attacker is wrong.


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/fakep/swbfp.zip


A] swbfp -s 100 localhost

sends a nickname of 100 chars to the server


B] swbfp -m 1234 localhost

forces the server to read the data at offset 1234 (0x000004d2)


#######################################################################

======
4) Fix
======


No fix.
My first mail is dated 26 Oct 2004, the developers said to work on the
fixing of the bugs but after all this time and after the release of 2
normal patches (so, not for these bugs) the situation is unknown...
useless to ask the status of the patch to Pandemic, my latest two
"keep-alive" mails have been completely ignored.


#######################################################################


--- 
Luigi Auriemma
http://aluigi.altervista.org