TUCoPS :: Games :: b06-2103.htm

Two independent vulnerabilities (client and server side) in Quake3 engine and many derived games
Two independent vulnerabilities (client and server side) in Quake3 engine and many derived games
Two independent vulnerabilities (client and server side) in Quake3 engine and many derived games



Hello,

Quake 3 is a popular online first person shooter developed by IDsoftware [1] 
that has been released in 1999 and is still widely played.
Additionally, a lot of vendors have licensed the Quake3 engine for their 
games.
A few noteworthy examples include:

 - The "Medal of Honour: Allied Assault" series
 - Star Trek Voyager Elite Force
 - Star Wars: Jedi Knight II: Jedi Outcast
 - Return to Castle Wolfenstein


=======================================Issue #1:

Remotely exploitable COM_StripExtension buffer overflow in client allows 
execution of arbitrary code.
=======================================
This bug is also known as the "remapShader" bug discovered by landser who 
recently published a PoC opening a remote shell on vulnerable Linux clients at 
milw0rm.com [2]

  * details
The COM_StripExtension routine copies a given filename chopping the suffix 
into another given buffer without checking the length of that buffer.
R_FindShaderByName(), called by R_RemapShader() uses a static buffer of 64 
bytes length for the copy.
Servers can make the client execute R_RemapShader() by sending a "remapShader" 
command with too long arguments that will result in an overflowed buffer.

  * affected OS
All operating systems suffer from the bug.

  * affected games
Games using the quake3 engine that accept the remapShader command in the cgame 
code and use an otherwise unmodified COM_StripExtension().

Vulnerable are:
 - Quake3 Arena / Team Arena point release 1.32b
 - Return to Castle Wolfenstein 1.41
 - Wolfenstein: Enemy Territory 2.60

With a high probability vulnerable:
 - Star Wars: Jedi Knight 2 / 3

Not vulnerable:
 - Star Trek Voyager: Elite Force

This list can *not* be considered complete. These are the only games where I 
have done some checking or where I know they have this bug.

Probably not vulnerable are games that are based off an older version of the 
Quake3 engine where the remapShader command didn't exist in the original 
cgame code (like EliteForce).

  * workaround *
There is no known workaround except playing on trusted servers.

  * patches *
ID has released fixed binaries, but more on that later.



=======================================Issue #2:

Download of arbitrary files from servers that use setting sv_allowdownload 1
=======================================
This bug was discovered by Ludwig Nussel and myself and was not publically 
disclosed until now.
CVE-2006-2082 [3] is reserved for this bug.

  * details *
Players connecting to servers that are using .pk3 files not available on the 
client have the possibility to download the missing files from the server if 
that server allows it.
The client then explicitly requests a filename to download. Unfortunately, the 
server does no checking of the filename at all allowing modified clients to 
download any files via directory traversal like 
"../../../../../../../etc/passwd"
with the rights of the user the server runs under.

  * affected OS *
All operating systems are affected

  * affected games *
As long as game developers haven't heavily modified that part of the server 
code, it is safe to say that most of Quake3 engine based games are 
vulnerable. To test all available games is beyond my resources, but I can say 
with certainty that these games are affected:

 - Quake3 Arena / Team Arena
 - Return to Castle Wolfenstein
 - Wolfenstein: Enemy Territory (note: the URL referral downloading method is
   not affected.)
 - Star Trek Voyager: Elite Force

IDsoftware has confirmed that games using the Doom3 engine are not vulnerable 
to this particular bug.

  * workaround *
Set the sv_allowdownload cvar to 0 on your server which prohibits downloading 
of any files.


=======================================Patches:
=======================================
IDsoftware has released new packages containing builds that fix both issues 
for these games:

 - Quake3 Arena / Team Arena
 - Return to Castle Wolfenstein
 - Wolfenstein: Enemy Territory

Check out idsoftware's news page [1] and their ftp server [4].

You can also check out the icculus.org/quake3 project [5] that has both issues 
fixed in the latest SVN repository [6] (rev. 777 as of this writing). Updated 
binaries will be released soon.


=======================================Acknowledgements
=======================================
Thanks to..

... landser and the milw0rm people to make the remapShader bug public.

... Ludwig for coordinating disclosure and having the idea about bug #2 in 
the first place.

... the other guys at icculus.org (zakk, timbo, ryan to name a few) for having 
come so far with debugging/cleaning up/porting the original 1.32b source 
release for various platforms.

... Timothee Besset and the guys at idsoftware to still release fixed builds 
for a more than 6 years old game (which is important because of Punkbuster 
support).

=======================================Links
=======================================
[1] http://www.idsoftware.com 
[2] http://milw0rm.com/exploits/1750 
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2082 
[4] ftp://ftp.idsoftware.com/idstuff/ 
[5] http://icculus.org/quake3/ 
[6] http://svn.icculus.org/quake3/trunk/ 

-- 
Thilo Schulz

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH