PunkBuster solution ended up punk’d by two reverse engineers who took an interest in the cheat-busting system

Researchers have disclosed a remote code execution (RCE) flaw impacting Battlefield and Medal of Honor servers that harnesses PunkBuster anti-cheat software.

Even Balance’s PunkBuster has been integrated into dozens of video game titles and numerous game engines to detect suspicious gamer activity.

The company has been active in this field for over 15 years and says that millions of players have been monitored, and “hundreds of thousands” of cheats have been caught – but over time, the popularity of the service waned.

Path to pwnage

On September 25, Palo Alto Networks senior security researcher Daniel Prizmant and computer science student Mauricio Sandt disclosed that the firm’s software harbored a severe security issue.

The path traversal vulnerability could be exploited by attackers – or, perhaps, disgruntled cheaters – to hijack servers and perform RCE attacks.

The duo, both avid Battlefield gamers, said in a Medium blog post that after replaying Battlefield 4, they found close to 1,000 active PunkBuster-protected servers. This inspired them to begin a “cool side project to take a look at the internals of Punkbuster and fundamentally understand how it works”.

What Prizmant and Sandt found was an issue “practically” considered a remote code execution flaw.


Read more of the latest security vulnerability news


PunkBuster’s client and server-side architectures work as modules. Both will load the main system module that exports two functions designed to handle events for both sides.

A feature exists in which users can request screenshots from game clients. When a screenshot is asked for, the server tells the client the file_id for the screenshot. However, the client will reply with the screenshot’s name.

In itself, this would not be an issue if the software handled malicious requests properly, which PunkBuster did not when handling image files other than .png files.

Suppose an attacker responds with a file that is not a png file. They can circumvent all of PunkBuster’s protections and write a file anywhere they wish on the host server, thereby compromising the entire game server’s host environment.

‘Heavily obfuscated’

“As an attacker you don’t actually need to wait for the server to ask for a screenshot and can just send the relevant data as it was requested and it will still be received on the server,” Prizmant says. “Exploiting this vulnerability might not be that easy, as the client side, which is the part needed to actually achieve that, is heavily obfuscated.”

After being made aware of the security hole, PunkBuster resolved the issue in server software version 1.905. The researchers have chosen not to release exploit code as some servers have not yet been updated.

“Server administrators running a PB Server version prior to version 1.905 for any game should disable PunkBuster on their game server(s),” Even Balance said. “Thanks to Daniel Prizmant at Palo Alto Networks for discovering the flaw and reporting it to us in a professional manner.”

The research comes on the heels of a new study from Akamai that indicates a rise in DDoS attacks leveraged against game developers and their players over lockdown periods imposed due to COVID-19.

While vendors were subject to an influx of SQL injection (SQLi) and Local File Inclusion (LFI) attacks for data theft purposes, consumers faced an increase in phishing and credential stuffing attacks.


RECOMMENDED Gamers fragged by surge in credential stuffing attacks during lockdown