This Week in Security: PunkBuster, NAT, NAS and MP3s

Ah, the ever-present PDF, and our love-hate relationship with the format. We’ve lost count of how many vulnerabilities have been fixed in PDF software, but it’s been a bunch over the years. This week, we’re reminded that Adobe isn’t the only player in PDF-land, as Foxit released a round of updates, and there were a couple serious problems fixed. Among the vulnerabilities, a handful could lead to RCE, so if you use or support Foxit users, be sure to go get them updated.

PunkBuster

Remember PunkBuster? It’s one of the original anti-cheat solutions, from way back in 2000. The now-classic Return to Castle Wolfenstein was the first game to support PunkBuster to prevent cheating. It’s not the latest or greatest, but PunkBuster is still running on a bunch of game servers even today. [Daniel Prizmant] and [Mauricio Sandt] decided to do a deep dive project on PunkBuster, and happened to find an arbitrary file-write vulnerability that could easily compromise a PB-enabled server.

One of the functions of PunkBuster is a remote screenshot capture. If a server admin thinks a player is behaving strangely, a screenshot request is sent. I assume this targets so-called wallhack cheats — making textures transparent, so the player can see through walls. The problem is that the server logic that handles the incoming image has a loophole. If the filename ends in .png as expected, some traversal attack checks are done, and the PNG file is saved to the server. However, if the incoming file isn’t a PNG, no traversal detection is done, and the file is naively written to disk. This weakness, combined with the stateless nature of screenshot requests, means that any connected client can write any file to any location on the server at any time. To their credit, Even Balance, the creators of PunkBuster, quickly acknowledged the issue, and have released an update to fix it.
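The shape of that loophole, next to a check that applies to every name, as an added example rather than PunkBuster's code. The directory, function names and sample file names are all hypothetical.

```python
import os

SCREENSHOT_DIR = "/srv/game/pb/screenshots"  # hypothetical path, not PunkBuster's

def flawed_target(name, base=SCREENSHOT_DIR):
    """Models the loophole: traversal checks run only for names ending in .png."""
    if name.lower().endswith(".png"):
        if ".." in name or name.startswith(("/", "\\")):
            raise ValueError("traversal rejected")
    # Any other extension reaches this line unchecked.
    return os.path.normpath(os.path.join(base, name))

def hardened_target(name, base=SCREENSHOT_DIR):
    """Check every name: bare file name, allow-listed extension, contained path."""
    name = name.replace("\\", "/")
    if "\x00" in name or name in ("", ".", "..") or os.path.basename(name) != name:
        raise ValueError("name must be a bare file name")
    if not name.lower().endswith(".png"):
        raise ValueError("only .png is accepted")
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, name))
    # realpath also resolves symlinks, so a link inside the directory cannot escape.
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError("path escapes the screenshot directory")
    return target

def accepts(resolver, name, base=SCREENSHOT_DIR):
    """True if the resolver lets the name through, False if it raises."""
    try:
        resolver(name, base)
        return True
    except ValueError:
        return False

def escapes(path, base=SCREENSHOT_DIR):
    """True if a resolved path lies outside the base directory."""
    base_n = os.path.normpath(base)
    return os.path.commonpath([base_n, os.path.normpath(path)]) != base_n

if __name__ == "__main__":
    # Constructed client-supplied names.
    for n in ["shot_0001.png", "../../x.png", "../../server.cfg", "notes.txt"]:
        print(f"{n!r:22} flawed={accepts(flawed_target, n)} "
              f"hardened={accepts(hardened_target, n)}")
```

The hardened version rejects by default: the extension is an allow-list, and the containment check runs on the resolved path regardless of what the name looks like.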

NAS Ransomware

QNAP has announced an update to protect against the AgeLocker ransomware. The details are sparse, but it appears that there was a vulnerability in the Photo Station app. Bleeping Computer has a few additional details. As damaging as the encryption is, at least one report includes data theft, as well. AgeLocker can also affect Linux and macOS devices.

MP3Gain’s Loss

The good folks at VDA Labs have a thing for fuzzing, and recently, they turned their attention toward MP3Gain, an open source MP3 normalizer. Using the Mayhem engine, they found a handful of crashes, and discovered one that could lead to code execution. The crash is the result of a malformed MP3 file, and not enough validation while loading the file.

While MP3Gain probably isn’t the most likely attack vector, it isn’t hard to imagine a scenario where it could be used. As far as I see, an updated release hasn’t been made to address this issue yet. Enough information is out there that an attacker could potentially build a working exploit, so if you use MP3Gain, be extra cautious until the update is available.

Threading The NAT Needle

Network Address Translation (NAT) is a blessing and a curse. It has given us several years of breathing room for IPv4, and managed to give everyone a sane firewall setup by default. On the other hand, peer-to-peer connections and UDP packets can be particularly hard to push through a NAT router. This is an issue for torrents, SIP phone calls, and VPN solutions like OpenVPN and WireGuard. There have been various solutions over the years, like a STUN server for SIP, and UPnP to automate temporary port forwards.

Tailscale is a commercial company providing a mesh VPN service using WireGuard, and they recently published an in-depth guide about their techniques to navigate NAT firewalls. It’s pretty much all you ever wanted to know about the subject, so give it a read, or just make a mental note that it’s there for the next time you find yourself facing a tricky NAT firewall problem.