#######################################################################

Luigi Auriemma

Application:  PunkBuster
              http://www.punkbuster.com
Versions:     it is not possible to specify the exact latest vulnerable
              versions of the PB servers, since the new patched versions
              have been released at different moments, some of them just
              recently. Anyway, any PB update after 22 Oct 2007 should be
              considered safe. Currently there still exist some games
              which don't have a patched PB version, like Doom 3, Prey
              and others.
              UPDATE 09 Aug 2009: there is another way of obtaining a
              similar negative effect, although with some limitations;
              check the updated parts of this advisory.
Platforms:    Windows, Linux, Mac
Bug:          Denial of Service
Exploitation: remote
Date:         16 Apr 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

PunkBuster is the most used anti-cheating system for commercial games.

#######################################################################

======
2) Bug
======

I started to look at this bug when I found the format string in the
Doom 3 engine, so at the beginning of September 2007, and I released a
public tool for testing the problem on 16 October. The developers were
contacted exactly 6 days later.

In short, there exist some PunkBuster packets (well, "existed", since
after the patch things have changed a bit) which are automatically
displayed in the game server console and saved in the log files when
received. The source of the packets does not matter, so any computer
can just send such a packet to the port of the game server without
problems and without requirements. The logging operation is flushed,
so the data is written to disk immediately, consuming more resources.
The effects of this type of logging and of the display of any received
packet are a heavy CPU and resource consumption which completely
freezes the server and the entire system. This effect has been tested
on all the games which support PunkBuster, both on LAN and, moreover,
on the Internet, since it's not necessary to send many or big packets
to see the effects.

UPDATE 09 Aug 2009:
I have found a new way of obtaining an effect similar to the previous
problem, although it's limited by the fact that it's in-game (so not
anonymous) and PB no longer uses fflush (which dramatically reduced the
performance of the server). So the result can change between the
various games: for example Battlefield 2 doesn't show negative effects
on performance, while Call of Duty 4 (based on the Quake 3 engine like
the majority of the games supported by PB) lags so much that all the
players lose their connection, and the same happens on other games
too.
The only requirement for the attacker is to have PunkBuster enabled on
his client (pb_cl_enable), but it's not required to have the
PnkBstrA/B service active or a valid guid, because the attack can be
performed for various seconds or more, depending on the loss of
performance on the server (just the time needed to disconnect all the
players). Obviously with the service active and a valid guid there are
no limitations on the duration of the attack (except when the
connection is lost as an effect of the attack).
The reason why the attack is in-game is that that type of packet uses a
32 bit ID assigned to the player when he joins the server, which is
checked by the server before accepting the packets.
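The pattern described above, an unauthenticated packet that is printed to the console and written to a flushed log on every receipt, is a resource-exhaustion path that a server can contain at the log sink itself. The following is an added example, not code from this advisory and not PunkBuster's or Evenbalance's code: a small Python log writer that caps accepted lines per remote address per time window, collapses a flood from one address into a single summary line, and flushes on a timer instead of after every line. The class name `RateLimitedLog`, its parameters, the helper `run_sample` and all addresses, messages and timings are assumptions constructed for this illustration.

```python
# Added example (not from the advisory or from PunkBuster): a rate-limited
# log sink for an unauthenticated "print to console and write to log" path.
# Every name here (RateLimitedLog, run_sample) and all sample data are
# assumptions constructed for this illustration.
import io
from collections import defaultdict, deque


class RateLimitedLog:
    """Accept at most `max_per_window` lines per source address within
    `window_secs`; once a source exceeds that, emit one summary line and
    drop the rest. The output is flushed at most every `flush_interval`
    seconds instead of after every line, which is the costly behaviour
    the advisory attributes to fflush."""

    def __init__(self, out, max_per_window=5, window_secs=1.0, flush_interval=1.0):
        self.out = out
        self.max_per_window = max_per_window
        self.window_secs = window_secs
        self.flush_interval = flush_interval
        self._recent = defaultdict(deque)  # source -> timestamps of accepted lines
        self._muted = set()                # sources currently being summarised
        self._last_flush = None
        self.accepted = self.suppressed = self.flushes = 0

    def write(self, now, source, message):
        """Return True if the line was written, False if it was dropped."""
        recent = self._recent[source]
        # forget accepted lines that have fallen out of the sliding window
        while recent and now - recent[0] >= self.window_secs:
            recent.popleft()
        if len(recent) >= self.max_per_window:
            self.suppressed += 1
            if source not in self._muted:
                # one line for the whole flood instead of one per packet
                self.out.write(f"[{now:.3f}] rate-limit: muting {source}\n")
                self._muted.add(source)
            return False
        recent.append(now)
        self._muted.discard(source)
        self.out.write(f"[{now:.3f}] {source}: {message}\n")
        self.accepted += 1
        self._maybe_flush(now)
        return True

    def _maybe_flush(self, now):
        # flush on a timer, never once per line
        if self._last_flush is None or now - self._last_flush >= self.flush_interval:
            self.out.flush()
            self.flushes += 1
            self._last_flush = now


def run_sample():
    """Feed constructed events through the sink and return (sink, log text)."""
    out = io.StringIO()
    log = RateLimitedLog(out, max_per_window=5, window_secs=1.0, flush_interval=1.0)
    events = [(0.00, "10.0.0.2", "client connected")]
    # constructed flood: 60 unsolicited lines from one address within 0.6 s
    events += [(0.01 * i, "192.0.2.77", "unsolicited message") for i in range(1, 61)]
    events += [(2.50, "10.0.0.3", "client disconnected")]
    for now, source, message in sorted(events):
        log.write(now, source, message)
    return log, out.getvalue()


if __name__ == "__main__":
    sink, text = run_sample()
    print(text, end="")
    print(f"accepted={sink.accepted} suppressed={sink.suppressed} flushes={sink.flushes}")
```

With the constructed input, the flooding address gets its first five lines through, the remaining 55 are collapsed into one "muting" line, and the sink flushes twice in 2.5 seconds rather than 62 times. The per-source window is the part that matters against a spoofed-source flood: the budget is spent by the address on the wire, so one sender cannot consume the log bandwidth of the whole server.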
#######################################################################

===========
3) The Code
===========

http://aluigi.org/papers/pbmsgs.zip

  pbmsgs -l 20 SERVER PORT boom

UPDATE 09 Aug 2009:
http://aluigi.org/mytoolz/proxocket.zip
http://aluigi.org/poc/pbmsgsdos2.zip

- copy ws2_32.dll and myproxocket.dll in the folder of the game which
  uses PunkBuster
- launch the client
- enable PunkBuster (pb_cl_enable)
- join the server (it must support PunkBuster)
- the proof-of-concept will continue to send packets until the client
  is closed or an error occurs in sendto (for example if the remote
  port is no longer open or the socket used by the client is no longer
  active)

#######################################################################

======
4) Fix
======

The problem was fixed in the versions of the PunkBuster server released
after 22 Oct 2007 (when I reported the problem to the developers), so
almost all the games should be safe.
The admins running unsafe PB versions (Doom 3, Prey and so on) should
contact Evenbalance, which will give them a manual replacement.

UPDATE 09 Aug 2009:
The new problem (pbmsgsdos2) is not fixed yet.

#######################################################################