Thilo Schulz
10/05/06, 00:00
Hello,
Quake 3 is a popular online first person shooter developed by IDsoftware [1]
that has been released in 1999 and is still widely played.
Additionally, a lot of vendors have licensed the Quake3 engine for their
games.
A few noteworthy examples include:
- The "Medal of Honour: Allied Assault" series
- Star Trek Voyager Elite Force
- Star Wars: Jedi Knight II: Jedi Outcast
- Return to Castle Wolfenstein
========================================
Issue #1:
Remotely exploitable COM_StripExtension buffer overflow in client allows
execution of arbitrary code.
========================================
This bug is also known as the "remapShader" bug discovered by landser who
recently published a PoC opening a remote shell on vulnerable Linux clients at
milw0rm.com [2]
* details
The COM_StripExtension routine copies a given filename chopping the suffix
into another given buffer without checking the length of that buffer.
R_FindShaderByName(), called by R_RemapShader() uses a static buffer of 64
bytes length for the copy.
Servers can make the client execute R_RemapShader() by sending a "remapShader"
command with too long arguments that will result in an overflowed buffer.
* affected OS
All operating systems suffer from the bug.
* affected games
Games using the quake3 engine that accept the remapShader command in the cgame
code and use an otherwise unmodified COM_StripExtension().
Vulnerable are:
- Quake3 Arena / Team Arena point release 1.32b
- Return to Castle Wolfenstein 1.41
- Wolfenstein: Enemy Territory 2.60
With a high probability vulnerable:
- Star Wars: Jedi Knight 2 / 3
Not vulnerable:
- Star Trek Voyager: Elite Force
This list can *not* be considered complete. These are the only games where I
have done some checking or where I know they have this bug.
Probably not vulnerable are games that are based off an older version of the
Quake3 engine where the remapShader command didn't exist in the original
cgame code (like EliteForce).
* workaround *
There is no known workaround except playing on trusted servers.
* patches *
ID has released fixed binaries, but more on that later.
========================================
Issue #2:
Download of arbitrary files from servers that use setting sv_allowdownload 1
========================================
This bug was discovered by Ludwig Nussel and myself and was not publically
disclosed until now.
CVE-2006-2082 [3] is reserved for this bug.
* details *
Players connecting to servers that are using .pk3 files not available on the
client have the possibility to download the missing files from the server if
that server allows it.
The client then explicitly requests a filename to download. Unfortunately, the
server does no checking of the filename at all allowing modified clients to
download any files via directory traversal like
"../../../../../../../etc/passwd"
with the rights of the user the server runs under.
* affected OS *
All operating systems are affected
* affected games *
As long as game developers haven't heavily modified that part of the server
code, it is safe to say that most of Quake3 engine based games are
vulnerable. To test all available games is beyond my resources, but I can say
with certainty that these games are affected:
- Quake3 Arena / Team Arena
- Return to Castle Wolfenstein
- Wolfenstein: Enemy Territory (note: the URL referral downloading method is
not affected.)
- Star Trek Voyager: Elite Force
IDsoftware has confirmed that games using the Doom3 engine are not vulnerable
to this particular bug.
* workaround *
Set the sv_allowdownload cvar to 0 on your server which prohibits downloading
of any files.
========================================
Patches:
========================================
IDsoftware has released new packages containing builds that fix both issues
for these games:
- Quake3 Arena / Team Arena
- Return to Castle Wolfenstein
- Wolfenstein: Enemy Territory
Check out idsoftware's news page [1] and their ftp server [4].
You can also check out the icculus.org/quake3 project [5] that has both issues
fixed in the latest SVN repository [6] (rev. 777 as of this writing). Updated
binaries will be released soon.
========================================
Acknowledgements
========================================
Thanks to..
.... landser and the milw0rm people to make the remapShader bug public.
.... Ludwig for coordinating disclosure and having the idea about bug #2 in
the first place.
.... the other guys at icculus.org (zakk, timbo, ryan to name a few) for having
come so far with debugging/cleaning up/porting the original 1.32b source
release for various platforms.
.... Timothee Besset and the guys at idsoftware to still release fixed builds
for a more than 6 years old game (which is important because of Punkbuster
support).
========================================
Links
========================================
[1] http://www.idsoftware.com
[2] http://milw0rm.com/exploits/1750
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2082
[4] ftp://ftp.idsoftware.com/idstuff/
[5] http://icculus.org/quake3/
[6] http://svn.icculus.org/quake3/trunk/
--
Thilo Schulz
Quake 3 is a popular online first person shooter developed by IDsoftware [1]
that has been released in 1999 and is still widely played.
Additionally, a lot of vendors have licensed the Quake3 engine for their
games.
A few noteworthy examples include:
- The "Medal of Honour: Allied Assault" series
- Star Trek Voyager Elite Force
- Star Wars: Jedi Knight II: Jedi Outcast
- Return to Castle Wolfenstein
========================================
Issue #1:
Remotely exploitable COM_StripExtension buffer overflow in client allows
execution of arbitrary code.
========================================
This bug is also known as the "remapShader" bug discovered by landser who
recently published a PoC opening a remote shell on vulnerable Linux clients at
milw0rm.com [2]
* details
The COM_StripExtension routine copies a given filename chopping the suffix
into another given buffer without checking the length of that buffer.
R_FindShaderByName(), called by R_RemapShader() uses a static buffer of 64
bytes length for the copy.
Servers can make the client execute R_RemapShader() by sending a "remapShader"
command with too long arguments that will result in an overflowed buffer.
* affected OS
All operating systems suffer from the bug.
* affected games
Games using the quake3 engine that accept the remapShader command in the cgame
code and use an otherwise unmodified COM_StripExtension().
Vulnerable are:
- Quake3 Arena / Team Arena point release 1.32b
- Return to Castle Wolfenstein 1.41
- Wolfenstein: Enemy Territory 2.60
With a high probability vulnerable:
- Star Wars: Jedi Knight 2 / 3
Not vulnerable:
- Star Trek Voyager: Elite Force
This list can *not* be considered complete. These are the only games where I
have done some checking or where I know they have this bug.
Probably not vulnerable are games that are based off an older version of the
Quake3 engine where the remapShader command didn't exist in the original
cgame code (like EliteForce).
* workaround *
There is no known workaround except playing on trusted servers.
* patches *
ID has released fixed binaries, but more on that later.
========================================
Issue #2:
Download of arbitrary files from servers that use setting sv_allowdownload 1
========================================
This bug was discovered by Ludwig Nussel and myself and was not publically
disclosed until now.
CVE-2006-2082 [3] is reserved for this bug.
* details *
Players connecting to servers that are using .pk3 files not available on the
client have the possibility to download the missing files from the server if
that server allows it.
The client then explicitly requests a filename to download. Unfortunately, the
server does no checking of the filename at all allowing modified clients to
download any files via directory traversal like
"../../../../../../../etc/passwd"
with the rights of the user the server runs under.
* affected OS *
All operating systems are affected
* affected games *
As long as game developers haven't heavily modified that part of the server
code, it is safe to say that most of Quake3 engine based games are
vulnerable. To test all available games is beyond my resources, but I can say
with certainty that these games are affected:
- Quake3 Arena / Team Arena
- Return to Castle Wolfenstein
- Wolfenstein: Enemy Territory (note: the URL referral downloading method is
not affected.)
- Star Trek Voyager: Elite Force
IDsoftware has confirmed that games using the Doom3 engine are not vulnerable
to this particular bug.
* workaround *
Set the sv_allowdownload cvar to 0 on your server which prohibits downloading
of any files.
========================================
Patches:
========================================
IDsoftware has released new packages containing builds that fix both issues
for these games:
- Quake3 Arena / Team Arena
- Return to Castle Wolfenstein
- Wolfenstein: Enemy Territory
Check out idsoftware's news page [1] and their ftp server [4].
You can also check out the icculus.org/quake3 project [5] that has both issues
fixed in the latest SVN repository [6] (rev. 777 as of this writing). Updated
binaries will be released soon.
========================================
Acknowledgements
========================================
Thanks to..
.... landser and the milw0rm people to make the remapShader bug public.
.... Ludwig for coordinating disclosure and having the idea about bug #2 in
the first place.
.... the other guys at icculus.org (zakk, timbo, ryan to name a few) for having
come so far with debugging/cleaning up/porting the original 1.32b source
release for various platforms.
.... Timothee Besset and the guys at idsoftware to still release fixed builds
for a more than 6 years old game (which is important because of Punkbuster
support).
========================================
Links
========================================
[1] http://www.idsoftware.com
[2] http://milw0rm.com/exploits/1750
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2082
[4] ftp://ftp.idsoftware.com/idstuff/
[5] http://icculus.org/quake3/
[6] http://svn.icculus.org/quake3/trunk/
--
Thilo Schulz