#######################################################################

Luigi Auriemma

Application:  Battlefield 2
              http://www.battlefield.ea.com/battlefield/bf2/
Versions:     <= 1.50 (aka 1.5.3153-802.0)
Platforms:    Windows
Bug:          failed assertion
Exploitation: remote, versus server
Date:         29 Jun 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

The Battlefield series is one of the most famous and most played series of games deeply devoted to multiplayer gaming. The series is developed by DICE (http://www.dice.se) and published by Electronic Arts.

#######################################################################

======
2) Bug
======

Battlefield 2 allows hosting and using a stand-alone voip server on a different port, or even on a different host, through the VoipServerRemote and VoipServerRemoteIP fields in the server launcher.

By default the server uses its internal voip server, and in any case it binds only the local interface 127.0.0.1, unless an external voip server on a different network is specified.

This particular UDP port, set to 55124, is called VoipBFServerPort and it's used by the server as the fixed port for communicating with the voip server; that's why by default it's not bound on all the interfaces. So if VoipEnabled is set (the default) then the server is vulnerable.

Anyway, due to these big conditions, I can't classify the following bug as a real vulnerability (although there are for sure some real servers that meet these requirements), and so I report it ONLY for thoroughness.
In short, any UDP packet sent to port 55124 that ends with an 'h' (0x68) and has a length different from 11 bytes will terminate the server with the following failed assertion:

  "BFVoipChallengeString packet length is invalid"

I have thought of various scenarios for exploiting this bug in the default condition (local interface), like having the luck of another UDP service on the same server that replies using a packet ending with the 0x68 byte to a request spoofed from 127.0.0.1, but it's really sci-fi...

Battlefield 2142 is NOT vulnerable.

#######################################################################

===========
3) The Code
===========

It's enough to send a packet of at least one byte with the last one equal to 0x68, for example:

  http://aluigi.org/testz/udpsz.zip

  udpsz -b 0x68 SERVER 55124 1

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
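Added example (not part of the advisory above, nor of Battlefield 2's own code): a small detection helper for server operators that mirrors the condition described in section 2, flagging UDP datagrams to VoipBFServerPort (55124) whose last byte is 0x68 and whose length is not 11, and a config check for whether that port is reachable beyond 127.0.0.1. The sample datagrams and the `voip_port_exposed` logic are constructed from the advisory's description and are assumptions, not values from the page.

```python
# Detection helper built from the advisory's description of the
# "BFVoipChallengeString packet length is invalid" assertion (added example).

VOIP_BF_SERVER_PORT = 55124   # VoipBFServerPort, fixed by the server
CHALLENGE_PACKET_LEN = 11     # the only length accepted for an 'h'-terminated packet


def trips_voip_assert(payload: bytes) -> bool:
    """True if this UDP payload matches the crash condition from section 2:
    at least one byte, last byte 0x68 ('h'), total length != 11."""
    return len(payload) > 0 and payload[-1] == 0x68 and len(payload) != CHALLENGE_PACKET_LEN


def scan_datagrams(datagrams):
    """datagrams: iterable of (src_ip, dst_port, payload) tuples, e.g. from a
    capture. Returns (src_ip, payload_length) for every datagram that would
    trip the assertion on a server exposing port 55124."""
    alerts = []
    for src_ip, dst_port, payload in datagrams:
        if dst_port == VOIP_BF_SERVER_PORT and trips_voip_assert(payload):
            alerts.append((src_ip, len(payload)))
    return alerts


def voip_port_exposed(voip_enabled: bool, remote_voip_configured: bool) -> bool:
    """Assumption derived from the advisory: the port stays on 127.0.0.1 unless
    an external voip server (VoipServerRemote/VoipServerRemoteIP) is configured,
    and VoipEnabled must be set for the voip path to be active at all."""
    return voip_enabled and remote_voip_configured


# Constructed sample traffic (not a real capture).
SAMPLE_DATAGRAMS = [
    ("10.0.0.5", 55124, b"h"),                 # 1 byte, ends in 0x68 -> alert
    ("10.0.0.6", 55124, b"A" * 10 + b"h"),     # 11 bytes -> valid challenge length
    ("10.0.0.7", 55124, b"ABCh"),              # 4 bytes, ends in 0x68 -> alert
    ("10.0.0.8", 55124, b"xyz"),               # does not end in 0x68
    ("10.0.0.9", 16567, b"h"),                 # different port, not the voip port
]

if __name__ == "__main__":
    for src_ip, length in scan_datagrams(SAMPLE_DATAGRAMS):
        print(f"ALERT: {src_ip} sent {length}-byte 'h'-terminated packet to {VOIP_BF_SERVER_PORT}")
    print("voip port exposed (default config):", voip_port_exposed(True, False))
```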