[Full-disclosure] Two independent vulnerabilities (client and server side) in Quake3 engine and many derived games

Type securityvulns
Reporter Securityvulns
Modified 2006-05-09T00:00:00



Quake 3 is a popular online first-person shooter developed by IDsoftware [1]. It was released in 1999 and is still widely played. In addition, many vendors have licensed the Quake3 engine for their games. A few noteworthy examples include:

  • The "Medal of Honor: Allied Assault" series
  • Star Trek Voyager Elite Force
  • Star Wars: Jedi Knight II: Jedi Outcast
  • Return to Castle Wolfenstein

========================================
Issue #1:
Remotely exploitable COM_StripExtension buffer overflow in client allows execution of arbitrary code.
========================================

This bug is also known as the "remapShader" bug. It was discovered by landser, who recently published a PoC at milw0rm.com [2] that opens a remote shell on vulnerable Linux clients.

  • details
    The COM_StripExtension routine copies a given filename, chopping off the suffix, into another given buffer without checking the length of that buffer. R_FindShaderByName(), called by R_RemapShader(), uses a static 64-byte buffer as the destination of that copy. A server can make the client execute R_RemapShader() by sending a "remapShader" command; overly long arguments to that command overflow the buffer.

  • affected OS
    All operating systems suffer from the bug.

  • affected games
    Games using the Quake3 engine that accept the remapShader command in the cgame code and use an otherwise unmodified COM_StripExtension().

    Vulnerable are:
    - Quake3 Arena / Team Arena point release 1.32b
    - Return to Castle Wolfenstein 1.41
    - Wolfenstein: Enemy Territory 2.60

    Vulnerable with high probability:
    - Star Wars: Jedi Knight 2 / 3

    Not vulnerable:
    - Star Trek Voyager: Elite Force

    This list cannot be considered complete. These are the only games where I have done some checking or where I know they have this bug.

    Games based on an older version of the Quake3 engine, in which the remapShader command did not exist in the original cgame code (like Elite Force), are probably not vulnerable.

  • workaround
    There is no known workaround except playing on trusted servers.

  • patches
    ID has released fixed binaries; more on that below.
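The defect described above is an unbounded copy into a fixed 64-byte buffer. The following added example (written for this page, not code from the Quake3 engine or the icculus.org project) shows the shape of the fix a defender wants: a strip-extension routine that takes the destination size, always NUL-terminates, and reports truncation, plus a model of a client-side "remapShader" handler that refuses a request whose names do not fit instead of copying them. The names strip_extension_bounded, remap_shader_request_ok, MAX_SHADER_NAME and the sample shader paths are all hypothetical; the 64-byte size is the one the advisory names, and the choice to stop at the first '.' is an assumption about what "chopping the suffix" means.

```c
#include <stdio.h>
#include <string.h>

/* Matches the 64-byte static buffer the advisory describes (assumption: MAX_SHADER_NAME is our name). */
#define MAX_SHADER_NAME 64

/* Hypothetical bounded replacement for an unbounded strip-extension routine.
 * Copies `in` up to (not including) the first '.' into `out`, writing at most
 * destsize bytes and always NUL-terminating. Returns 1 if the result had to be
 * truncated, 0 otherwise, so callers can refuse over-long names. */
int strip_extension_bounded(const char *in, char *out, size_t destsize)
{
    const char *dot;
    size_t wanted, copy;

    if (destsize == 0)
        return 1;

    dot = strchr(in, '.');
    wanted = dot ? (size_t)(dot - in) : strlen(in);

    /* Never write past destsize - 1 so the terminator always fits. */
    copy = wanted < destsize - 1 ? wanted : destsize - 1;
    memcpy(out, in, copy);
    out[copy] = '\0';

    return wanted > copy;
}

/* Models a client handling the server command "remapShader <old> <new>":
 * both names are stripped into fixed 64-byte buffers, and a request whose
 * names would not fit is refused rather than overflowing the buffers. */
int remap_shader_request_ok(const char *oldshader, const char *newshader)
{
    char oldbuf[MAX_SHADER_NAME];
    char newbuf[MAX_SHADER_NAME];

    if (strip_extension_bounded(oldshader, oldbuf, sizeof oldbuf))
        return 0;   /* old name too long: refuse the server's request */
    if (strip_extension_bounded(newshader, newbuf, sizeof newbuf))
        return 0;   /* new name too long: refuse */

    /* A real client would look up oldbuf/newbuf and remap here. */
    return 1;
}

/* Helper: strip `in` into a 64-byte buffer and compare with `expected`. */
int strip_extension_equals(const char *in, const char *expected)
{
    char out[MAX_SHADER_NAME];
    strip_extension_bounded(in, out, sizeof out);
    return strcmp(out, expected) == 0;
}

/* Constructed sample: a remapShader command whose second argument is 199
 * characters, far longer than the buffer. Returns 1 if the hardened handler
 * refused it. */
int sample_oversized_request_refused(void)
{
    char big[200];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return remap_shader_request_ok("textures/base_wall/concrete.tga", big) == 0;
}

int main(void)
{
    printf("normal request accepted: %d\n",
           remap_shader_request_ok("textures/base_wall/concrete.tga", "textures/base_wall/brick.tga"));
    printf("oversized request refused: %d\n", sample_oversized_request_refused());
    return 0;
}
```

The point of returning a truncation flag rather than silently cutting the name is that a silently truncated shader name would still be looked up and could alias another shader; refusing the whole command keeps the client's behaviour predictable under hostile server input.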

========================================
Issue #2:
Download of arbitrary files from servers that use setting sv_allowdownload 1
========================================

This bug was discovered by Ludwig Nussel and myself and was not publicly disclosed until now. CVE-2006-2082 [3] is reserved for this bug.

  • details
    Players connecting to a server that uses .pk3 files the client does not have can download the missing files from the server if the server allows it. The client explicitly requests a filename to download. Unfortunately, the server performs no checking of that filename at all, so a modified client can retrieve any file via directory traversal, for example "../../../../../../../etc/passwd", with the rights of the user the server runs under.

  • affected OS
    All operating systems are affected.

  • affected games
    As long as game developers have not heavily modified that part of the server code, it is safe to say that most Quake3 engine based games are vulnerable. Testing all available games is beyond my resources, but I can say with certainty that these games are affected:
    - Quake3 Arena / Team Arena
    - Return to Castle Wolfenstein
    - Wolfenstein: Enemy Territory (note: the URL referral downloading method is not affected.)
    - Star Trek Voyager: Elite Force

IDsoftware has confirmed that games using the Doom3 engine are not vulnerable to this particular bug.

  • workaround
    Set the sv_allowdownload cvar to 0 on your server, which prohibits downloading of any files.
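The server-side defect above is a download handler that serves whatever filename the client names. As an added example (not the engine's or the project's own code), the filter below shows the checks a hardened handler would apply before serving a request, and it honours the advisory's workaround by refusing everything when sv_allowdownload is 0. It goes somewhat beyond the traversal case in the text: it also rejects absolute paths, drive letters, backslash separators, over-long names and anything that is not a .pk3 the server has actually loaded. The function names, the 64-character length limit and the served_paks list are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed list of pk3 files this server has loaded and is willing to
 * serve. A request is only served if it names one of these exactly. */
static const char *served_paks[] = {
    "baseq3/pak0.pk3",
    "baseq3/pak1.pk3",
    "missionpack/pak0.pk3",
    NULL
};

/* Structural checks on a client-supplied download name (hypothetical helper):
 *  - non-empty and shorter than 64 chars (assumed limit)
 *  - relative: no leading '/' or '\\', no "X:" drive prefix
 *  - '/' is the only separator
 *  - no "." or ".." path component, no empty component
 *  - ends in ".pk3" */
static int download_name_well_formed(const char *name)
{
    size_t len = strlen(name);
    const char *p = name;

    if (len == 0 || len >= 64)
        return 0;
    if (name[0] == '/' || name[0] == '\\')
        return 0;
    if (isalpha((unsigned char)name[0]) && name[1] == ':')
        return 0;
    if (strchr(name, '\\'))
        return 0;

    while (*p) {
        const char *end = strchr(p, '/');
        size_t clen = end ? (size_t)(end - p) : strlen(p);

        if (clen == 0)
            return 0;                                     /* "//" */
        if (clen == 1 && p[0] == '.')
            return 0;                                     /* "."  */
        if (clen == 2 && p[0] == '.' && p[1] == '.')
            return 0;                                     /* ".." */
        if (!end)
            break;
        p = end + 1;
    }

    return len >= 4 && strcmp(name + len - 4, ".pk3") == 0;
}

/* Decide whether the server should serve `name` to a client.
 * sv_allowdownload mirrors the cvar named in the advisory: 0 refuses all.
 * Refusals are logged so an operator can spot probing clients. */
int download_request_allowed(const char *name, int sv_allowdownload)
{
    size_t i;

    if (!sv_allowdownload) {
        fprintf(stderr, "download refused (sv_allowdownload 0): %s\n", name);
        return 0;
    }
    if (!download_name_well_formed(name)) {
        fprintf(stderr, "download refused (malformed name): %s\n", name);
        return 0;
    }
    for (i = 0; served_paks[i]; i++)
        if (strcmp(served_paks[i], name) == 0)
            return 1;

    fprintf(stderr, "download refused (not a served pak): %s\n", name);
    return 0;
}

int main(void)
{
    /* Constructed requests: one legitimate, one the traversal from the advisory. */
    printf("baseq3/pak0.pk3 -> %d\n", download_request_allowed("baseq3/pak0.pk3", 1));
    printf("traversal -> %d\n", download_request_allowed("../../../../../../../etc/passwd", 1));
    return 0;
}
```

Matching against the list of loaded paks is the decisive check; the structural tests in front of it mainly give useful log lines and stop odd spellings of the same path from reaching the filesystem at all.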

========================================
Patches:
========================================

IDsoftware has released new packages containing builds that fix both issues for these games:

  • Quake3 Arena / Team Arena
  • Return to Castle Wolfenstein
  • Wolfenstein: Enemy Territory

Check out idsoftware's news page [1] and their ftp server [4].

You can also check out the icculus.org/quake3 project [5] that has both issues fixed in the latest SVN repository [6] (rev. 777 as of this writing). Updated binaries will be released soon.

========================================
Acknowledgements
========================================

Thanks to..

... landser and the milw0rm people for making the remapShader bug public.

... Ludwig for coordinating disclosure and having the idea about bug #2 in the first place.

... the other guys at icculus.org (zakk, timbo, ryan to name a few) for having come so far with debugging/cleaning up/porting the original 1.32b source release for various platforms.

... Timothee Besset and the guys at idsoftware for still releasing fixed builds for a game that is more than 6 years old (which is important because of Punkbuster support).

========================================
Links
========================================

[1] http://www.idsoftware.com
[2] http://milw0rm.com/exploits/1750
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2082
[4] ftp://ftp.idsoftware.com/idstuff/
[5] http://icculus.org/quake3/
[6] http://svn.icculus.org/quake3/trunk/

-- Thilo Schulz

Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/