America's Army 3 new and old vulnerabilities

aluigi · **Posted:** 12 Jul 2009 23:39

well if this is the beginning I don't want to imagine how will be the future of this game.
I'm talking about America's Army 3 released less than one month ago and of which I can affirm that from a security point of view it's a disaster.

in the moment I'm writing AA3 3.0.4 is affected by at leat 4 vulnerabilities, of which one is still a work-in-progress:
- http://aluigi.org/adv/aa3blah-adv.txt
- http://aluigi.org/adv/ut3sticle-adv.txt
- http://aluigi.org/adv/ut3mendo-adv.txt
- the JOINSPLIT bug

I have found the first one just some days ago.
the other 2 are the famous vulnerabilities which I found in the Unreal 3 engine in the 2008 and are magically still here in this new game.

at the moment I have unofficially fixed the first 2 while the third is a complete chaos so forget a quick fix.

now about this fourth vulnerability, it's related to the senseless JOINSPLIT command which practically allows one single client to occupy all the slots of the server it wants.
so, yes, it's enough to remove this command to avoid the bug (I will release the work-around when I will release the advisory).

the cause is still not much clear anyway the following is the proof-of-concept for testing it and if someone has an own internet server let me know the result of the test:

Code:

unrealfp -1 -x 7 -s JOINSPLIT 1 100 -l "ui_bink_master?Name=player?team=0?Face=0" 127.0.0.1 8777

aluigi · **Posted:** 13 Jul 2009 23:23

have been just released the version 3.0.5 of AA3.
this new version fixes only the first bug listed before so all the other 3 are still there.
I have also released the advisory for the forth bug but there is no fix because the problem looks more complex than what I thought:

http://aluigi.org/adv/aa3boh-adv.txt

aluigi · **Posted:** 14 Jul 2009 20:01

new vulnerability, also interesting to read in my opinion:
http://aluigi.org/adv/aa3mah-adv.txt

aluigi · **Posted:** 14 Jul 2009 23:55

found other 2 new vulnerabilities:
http://aluigi.org/adv/aa3pwood-adv.txt

Andrew · **Joined:** 22 Mar 2009 06:59 **Posts:** 5

Aluigi, to add to your exploits, I believe because the aa3 query protocol payload is so large (and the request so tiny), and that the protocol does not use a challenge/response algorithm to verify/mitigate against spoofed packet origins, you could spoof the source address of the udp query packet and use these game servers to packet flood arbitrary addresses (like UT did prior to a challenge/response algorithm being made).

aluigi · **Posted:** 15 Jul 2009 17:34

just released another new advisory, this time involving the handling of the fragmented packets (ever in the usual query port 39300 which I can define the most bugged component of this game):
http://aluigi.org/adv/aa3memset-adv.txt

take a look because it's interesting and allows to understand why using signed fields should be ever avoided.

I guess that for the moment this is the last advisory because in my opinion 7 vulnerabilities all exploitable with only one single packet in a game like America's Army 3 (played by tons of people and practically the most recent game in this moment) are enough for it and for me.

the last 3 bugs I have found should be enough easy to fix so, in case of problems or if the patch 3.0.6 will not solve them, let me know and I can make a patch for them on the fly.

aluigi · **Posted:** 13 Sep 2009 16:21

the new 3.0.6 patch released some days ago IS still vulnerable to all the 5 bugs I have found:
http://aluigi.org/adv/aa3boh-adv.txt
http://aluigi.org/adv/aa3mah-adv.txt
http://aluigi.org/adv/aa3pwood-adv.txt [A]
http://aluigi.org/adv/aa3pwood-adv.txt [B]
http://aluigi.org/adv/aa3memset-adv.txt

Luigi Auriemma

America's Army 3 new and old vulnerabilities