SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Generic)  >   Quake
Vendors:   id Software, Inc.
Quake 3 Arena Server Can Be Crashed By Remote Users
SecurityTracker Alert ID:  1002118
SecurityTracker URL:  http://securitytracker.com/id/1002118
CVE Reference:   GENERIC-MAP-NOMATCH   (no matching CVE identifier)
Date:  Jul 31 2001
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): Quake 3 Arena 1.29f, 1.29g
Description:   A vulnerability was reported in Quake 3 Arena that allows remote users to crash the Quake server application.

The vulnerability can reportedly be triggered by a remote user initiating a connect sequence to the server's UDP port (27960 by default) and sending the following bytes:

ÿÿÿÿconnectre

The four ÿ's are char(255)'s, i.e. four 0xFF bytes. That four-byte prefix is what the Quake 3 network protocol uses to mark a connectionless (out-of-band) packet such as a connect request; the remainder of the datagram is the literal text "connectre".

This will reportedly cause the server process to crash. The process must be restarted for normal operation to resume.

The following command can be used to demonstrate the vulnerability:

perl -wle 'printf("%c%c%c%c%s",255,255,255,255,"connectre")' | nc -u [targethost] 27960

Impact:   A remote user can cause the Quake server process to crash.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.idsoftware.com/
Cause:   Input validation error
Underlying OS:   Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History:   None.


 Source Message Contents

Date:  Mon, 30 Jul 2001 18:49:09 -0400
Subject:  ADV: Quake 3 Arena 1.29f/g Vulnerability


--------------------------------------
:: Q30wnerz Advisory v1.0 - PUBLIC
::         written by ttol
--------------------------------------
:: Quake 3 Arena 1.29f/g Vulnerability
--------------------------------------

-----------
:: Summary
-----------

There exists a very large hole in Quake 3
Arena, versions 1.29f and 1.29g (the latest,
1.29g, was released just under a week ago).

The hole is not fixable in any way by
the user, and most of the servers that
are up (thousands of them) are vulnerable.
To have this hole fixed, a PR (point
release) will have to be given to the
public by iD Software.

Point Releases will show up at:
http://www.quake3world.com

--------------------
:: Affected Products
--------------------

The following versions of Quake 3 Arena are
vulnerable to this specific attack:

o Quake 3 Arena 1.29f
o Quake 3 Arena 1.29g

----------
:: Details
----------

As a result of a previous Q30wnerz-discovered
vulnerability, iD Software had to redesign the
protocol, closing up the previous vulnerability.

However, we have discovered a new one which
segfaults the servers cleanly (it gives back
the memory it had taken before, which is a lot
since Quake 3 is a memory hog).  If the server
is logging, it will segfault before it has
a chance to append it to the log file.

Exploitation occurs by initiating a connect
sequence at the server's port and sending the
following:

ÿÿÿÿconnectre

Those four Y's with the dots on them are char(255)'s.

The server at this point will die, and will remain
down until the process has been restarted.

The Linux version for this (one server at a time):

perl -wle 'printf("%c%c%c%c%s",255,255,255,255,"connectre")' | nc -u 1.1.1.1 27960

Replace 1.1.1.1 with the server's ip.

The Windows binary version can be downloaded at:
http://www.gamenet.nu/cheats

---------
:: Impact
---------

At this point, our proof of concept binary only
supports one server at a time.  That means it will
only allow the user to demonstrate on one server.

One can only imagine how this will carry out if
someone else took it in their hands to cull the
master list and sequentially try it (it only takes
a few nanoseconds to send the offending string).

--------------
:: Workarounds
--------------

iD Software at this point has not released a working
Point Release that prevents this.

A quick way to ensure that your server will be up
is to revert back to 1.17.

-------------------
:: Acknowledgements
-------------------

o iD Software (www.idsoftware.com) for making such a
  beautiful game.
o ttol (that's me!) for... being the ladies' man and
  also coding and perfecting this
o Coolest for discovering this initially



 
 


Copyright 2013, SecurityGlobal.net LLC