Ah, the ever-present PDF, and our love-hate relationship with the format. We’ve lost count of how many vulnerabilities have been fixed in PDF software, but it’s been a bunch over the years. This week, we’re reminded that Adobe isn’t the only player in PDF-land, as Foxit released a round of updates, and there were a couple serious problems fixed. Among the vulnerabilities, a handful could lead to RCE, so if you use or support Foxit users, be sure to go get them updated.
PunkBuster
Remember PunkBuster? It’s one of the original anti-cheat solutions, from way back in 2000. The now-classic Return to Castle Wolfenstein was the first game to support PunkBuster to prevent cheating. It’s not the latest or greatest, but PunkBuster is still running on a bunch of game servers even today. [Daniel Prizmant] and [Mauricio Sandt] decided to do a deep dive project on PunkBuster, and happened to find an arbitrary file-write vulnerability, that could easily compromise a PB enabled server.
One of the functions of PunkBuster is a remote screenshot capture. If a server admin thinks a player is behaving strangely, a screenshot request is sent. I assume this targets so-called wallhack cheats — making textures transparent, so the player can see through walls. The problem is that the server logic that handles the incoming image has a loophole. If the filename ends in .png as expected, some traversal attack checks are done, and the png file is saved to the server. However, if the incoming file isn’t a png, no transversal detection is done, and the file is naively written to disk. This weakness, combined with the stateless nature of screenshot requests, means that any connected client can write any file to any location on the server at any time. To their credit, even Balance, the creators of PunkBuster, quickly acknowledged the issue, and have released an update to fix it.
NAS Ransomware
QNAP has announced an update to protect against the AgeLocker ransomware. The details are sparse, but it appears that there was a vulnerability in the Photo Station app. Bleeping Computer has a few additional details. As damaging as the encryption is, at least one report includes data theft, as well. AgeLocker can also affect Linux and MacOS devices.
MP3Gain’s Loss
The good folks at VDA Labs have a thing for fuzzing, and recently, they turned their attention toward MP3Gain, an open source MP3 normalizer. Using the Mayhem engine, they found a handful of crashes, and discovered one that could lead to code execution. The crash is the result of a malformed mp3 file, and not enough validation while loading the file.
While MP3Gain probably isn’t the most likely attack vector, it isn’t hard to imagine a scenario where it could be used. As far as I see, an updated release hasn’t been made to address this issue yet. Enough information is out there, that an attacker could potentially build a working exploit, so if you use MP3Gain, be extra cautious until the update is available.
Threading The NAT Needle
Network Address Translation (NAT) is a blessing and a curse. It has given us several years of breathing room for IPv4, and managed to give everyone a sane firewall setup by default. On the other hand, peer to peer connections and UDP packets can be particularly hard to push through a NAT router. This is an issue for torrents, SIP phone calls, and VPN solutions like OpenVPN and Wireguard. There have been various solutions over the years, like a STUN server for SIP, and UPnP to automate temporary port forwards.
Tailscale is a commercial company providing a mesh VPN service using Wireguard, and they recently published an in-depth guide about their techniques to navigate NAT firewalls. It’s pretty much all you ever wanted to know about the subject, so give it a read, or just make a mental note that it’s there for the next time you find yourself facing a tricky NAT firewall problem.
What I’ve wondered about these game anti cheating systems is if there could be a way to run a mirror of the game on another computer on your LAN, reading the state of the game on the computer you’re playing on, while sending nothing back? Then you could run hacks on the mirror and watch its monitor to see things like wallhacks.
This isn’t trivial. It’s likely that if you were willing to do this amount of work, you’d find easier ways to circumvent cheat detection.
However, wall hacks are probably easily detected by looking for behaviour where players (more than average) target near an enemy player who is behind a wall. You don’t need to see their screen to know that behaviour is suspicious.
It’s a bit like casinos – if the players’ behaviour or results are suspicious, you don’t need to know precisely how they’re doing it, just boot them.
That’s what I’m used to seeing in-game. Most of the time it’s coupled with an aimbot to land a perfect headshot if it weren’t for the wall in the way. And cheaters usually can’t help themselves so end up being obvious anyway.
A player who is very bad till they get hands on a sniper rifle then headshots the whole enemy team in 2 seconds is a dead giveaway. (No pun intended.)
With MP3Gain, one might look to see if the same malformed MP3 file could affect other players (and devices). Considering the amount of “shared code” that exists in the open source supply chain as well as copy pasta, the problem might not be limited to a single app.