#######################################################################

                             Luigi Auriemma

Application:  PunkBuster
              http://www.punkbuster.com
Versions:     it is not possible to specify the exact latest versions of the
              PB servers that are vulnerable, since the new patched versions
              have been released at different moments, some of them just
              recently. Anyway, any PB update after 22 Oct 2007 should be
              considered safe. Currently there still exist some games which
              don't have a patched PB version, like Doom 3, Prey and others
Platforms:    Windows, Linux, Mac
Bug:          Denial of Service
Exploitation: remote
Date:         16 Apr 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

PunkBuster is the most used anti-cheating system for commercial games.

#######################################################################

======
2) Bug
======

I started to look at this bug when I found the format string in the Doom 3 engine, so at the beginning of September 2007, and I released a public tool for testing the problem on 16 October. Developers were contacted exactly 6 days later.

In short, there exist some PunkBuster packets (well, "existed", since after the patch things have changed a bit) which are automatically displayed in the game server console and saved in the log files when received. The source of the packets is not important, so any computer can send these packets to the port of the game server without problems and without requirements. The logging operation is flushed, so the data is written to disk immediately, taking more resources.

The effects of this type of logging and of displaying any packet lead to a deep CPU and resource consumption which completely freezes the server and the entire system.
This effect has been tested on all the games which support PunkBuster, both on LAN and moreover on the Internet, since it is not necessary to send many or big packets to see the effects.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/papers/pbmsgs.zip

  pbmsgs -l 20 SERVER PORT boom

#######################################################################

======
4) Fix
======

The problem was fixed with the versions of PunkBuster server after 22 Oct 2007 (when I reported the problem to the developers), so almost all the games should be safe.
The admins running unsafe PB versions (Doom 3, Prey and so on) should contact Evenbalance, which will give them a manual replacement.

#######################################################################
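As an added example (not part of the advisory and not PunkBuster's own code), a small Python detector that an admin of a still-unpatched server could run over the game server log to spot the burst of unsolicited PB messages this bug produces: the log line layout, the source addresses and the message text are constructed assumptions for this example, not PunkBuster's real log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed layout: timestamp, [PB] tag, source
# address:port, message). A real PunkBuster log will need its own regex.
SAMPLE_LOG = """\
2008-04-16 12:00:00 [PB] 203.0.113.7:27960 boom
2008-04-16 12:00:00 [PB] 203.0.113.7:27960 boom
2008-04-16 12:00:01 [PB] 203.0.113.7:27960 boom
2008-04-16 12:00:01 [PB] 203.0.113.7:27960 boom
2008-04-16 12:00:02 [PB] 203.0.113.7:27960 boom
2008-04-16 12:00:30 [PB] 198.51.100.2:27960 hello
2008-04-16 12:00:45 [PB] 198.51.100.2:27960 hello
"""

LINE_RE = re.compile(r"^(\S+ \S+) \[PB\] (\S+):\d+ (.*)$")


def parse(log_text):
    """Yield (timestamp, source_ip, message) for every line matching LINE_RE."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3)


def find_floods(log_text, window_seconds=10, threshold=5):
    """Return the set of source IPs that produced at least `threshold`
    unsolicited PB console messages inside any sliding window of
    `window_seconds`. Because every such packet is displayed and flushed
    to disk, even a modest burst from one source is worth flagging."""
    recent = defaultdict(deque)   # source_ip -> timestamps still in window
    flagged = set()
    for ts, src, _msg in parse(log_text):
        q = recent[src]
        q.append(ts)
        # Discard timestamps that have fallen out of the sliding window.
        while q and ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()
        if len(q) >= threshold:
            flagged.add(src)
    return flagged


if __name__ == "__main__":
    print(sorted(find_floods(SAMPLE_LOG)))  # ['203.0.113.7']
```

Tune `window_seconds` and `threshold` to the normal PB message rate of your server so that legitimate client traffic is not flagged.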