Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
It is currently 19 Jul 2012 15:46
 Post subject: punkbuster server remote server command execution exploit
PostPosted: 30 Mar 2009 16:40 

Joined: 30 Mar 2009 16:31
Posts: 1
I saw this link in #milw0rm and tested it in Quake 4; it worked.

http://pastebin.com/f2a5971db

 Post subject: Re: punkbuster server remote server command execution exploit
PostPosted: 30 Mar 2009 18:50 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Really very interesting.
I tried to send a PB_Y packet to my ET 2.60b test server (with PB NOT updated, v1.285) and yes, it was possible to execute any command (rconpassword asdf, quit, anything), but after the pb_sv_update the YPG server mysteriously vanished because the 0x59 type seems to be no longer handled.

Anyway, I have some doubts when you say you have seen it on milw0rm, because at the moment I'm writing there is no trace anywhere on the internet (including milw0rm) of this vulnerability.

*EDIT*: post6011.html#p6011

 Post subject: Re: punkbuster server remote server command execution exploit
PostPosted: 30 Mar 2009 20:03 

Joined: 27 Jul 2008 09:23
Posts: 13
Any chance to do that in Q3? If not, very great :)

 Post subject: Re: punkbuster server remote server command execution exploit
PostPosted: 31 Mar 2009 14:39 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
If you don't have Perl or don't know how to build the packet for making the test, you can just use pbmsgs: http://aluigi.org/papers.htm#pbmsgs

pbmsgs 127.0.0.1 27960 " \"\" CMD \"quit\""

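For an administrator who wants to know whether PB_Y messages are still reaching a game server (for example while checking that the PunkBuster update described above has really removed the handler), the following added example, which is not code from this thread or from the pbmsgs tool, classifies captured UDP datagrams by their PunkBuster message tag and reports the PB_Y ones. It assumes that PunkBuster messages travel on the game port as ASCII text of the form `PB_<letter>`, optionally behind the Quake3-engine `\xff\xff\xff\xff` out-of-band header; the port numbers and the sample datagrams are constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Quake3-engine out-of-band prefix; assumption: PunkBuster traffic carries it.
OOB_HEADER = b"\xff\xff\xff\xff"

# Matches the PunkBuster message tag at the start of the message body.
PB_TAG = re.compile(rb"PB_([A-Za-z])")


@dataclass
class Datagram:
    """One captured UDP datagram (fields reduced to what the check needs)."""
    src: str
    dst_port: int
    payload: bytes


def pb_message_type(payload: bytes) -> Optional[str]:
    """Return the PunkBuster tag (e.g. 'PB_Y') carried by the payload, or None."""
    body = payload[len(OOB_HEADER):] if payload.startswith(OOB_HEADER) else payload
    match = PB_TAG.match(body)
    return match.group(0).decode("ascii") if match else None


def find_ypg_messages(datagrams: Iterable[Datagram], watched_ports: Set[int]) -> List[str]:
    """Report every PB_Y message sent to one of the watched game-server ports.

    The 0x59 message type mentioned in the thread is the ASCII letter 'Y', so a
    PB_Y tag in the body is the signal to look for. Other PB_ tags (such as the
    normal update traffic) are left alone.
    """
    alerts = []
    for dg in datagrams:
        if dg.dst_port not in watched_ports:
            continue
        if pb_message_type(dg.payload) == "PB_Y":
            alerts.append(f"{dg.src} -> port {dg.dst_port}: PB_Y message {dg.payload!r}")
    return alerts


# Constructed sample traffic: one PB_Y message, one ordinary PB message,
# one plain Quake3 getstatus query, and one PB_Y aimed at an unwatched port.
SAMPLE_DATAGRAMS = [
    Datagram("192.0.2.10", 27960, OOB_HEADER + b'PB_Y "" CMD "quit"'),
    Datagram("192.0.2.11", 27960, OOB_HEADER + b"PB_U 1.285"),
    Datagram("192.0.2.12", 27960, OOB_HEADER + b"getstatus"),
    Datagram("192.0.2.13", 5000, b'PB_Y "" CMD "quit"'),
]

# Constructed set of game-server ports to watch (27960 is the RTCW/ET default).
WATCHED_PORTS = {27960}


if __name__ == "__main__":
    for line in find_ypg_messages(SAMPLE_DATAGRAMS, WATCHED_PORTS):
        print(line)
```

Feeding the function real traffic only requires mapping each captured packet to a `Datagram`; the classification itself does not depend on the capture library.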
 Post subject: Re: punkbuster server remote server command execution exploit
PostPosted: 31 Mar 2009 21:08 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
Well, I have just finished exchanging some emails with EvenBalance about this matter, but they don't want me to quote some of the content of the emails, so I will explain everything in my own words, which are clearer:

The YPG server was a special function that PunkBuster added at the request of a hosting company, and its job was granting password-less rcon access to the Return to Castle Wolfenstein game servers owned by this company.
Practically, this version of the PunkBuster server was created only for this company, something like a private version to be used at its LAN parties.

Anyway, due to a programming mistake (EvenBalance refers to a #define, so something like a "#define YPG" left uncommented in the code), this and probably some other specific functions remained active also in the public release, which is then used in all the games supported by PunkBuster.

So this should solve all the doubts about the faults of EvenBalance.

Obviously, on the other side the effects are devastating, because due to this distraction error that simple feature has gained the power of a backdoor, so anyone aware of it was able to execute anonymous and spoofed rcon commands on any game server with PunkBuster enabled.

Searching on the PunkBuster website, the only reference about RTCW and the "YPG" acronym seems to be a certain YouPlayGames company, which had a contract with both id Software and EvenBalance just about this game:
http://www.evenbalance.com/index.php?pa ... unce03.php (Tuesday March 4th, 2003)
http://www.idsoftware.com/business/pres ... 0304120000
http://web.archive.org/web/200310091023 ... /News.aspx

YouPlayGames started at the beginning of 2003 and was closed in February 2004 (http://www.digismack.net/resume.php), so doing some calculations we can say that the PB_Y packet has been active from 2003 until October 2007 (over 4 years), the date on which the function slowly started to be removed from the games.
At the moment I'm writing, Doom 3 and Quake 4 are the only games still in danger, but EvenBalance will remove the function today.
