Quake II Has Multiple Bugs That Let Remote Users Obtain Information, Deny Service, and Possibly Execute Arbitrary Code
SecurityTracker Alert ID: 1011979|
SecurityTracker URL: http://securitytracker.com/id/1011979
(Links to External Site)
Date: Oct 28 2004
Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network|
Exploit Included: Yes |
Several vulnerabilities were reported in the Quake II server software. A remote user can obtain potentially sensitive information, cause the target service to crash, or potentially execute arbitrary code.|
Richard Stanway reported that the software fails to properly validate user-supplied input in several fields.
The server does not validate the offsets in Configstrings and Baselines to ensure non-negative values. A remote user can specify a negative value to cause the service to crash.
A buffer overflow exists in the processing of received packet arguments. A remote user can supply a specially crafted argument to trigger the overflow.
On Windows-based servers, a remote user can exploit an input validation flaw in the download command to obtain some files from the system. A demonstration exploit command to retrieve the 'server.cfg' file from the 'mod' directory is provided:
It is also reported that a remote user can specify a specially crafted path for the download command to cause the target service to crash when attempting to open the specified directory. A demonstration exploit is provided:
It is also reported that a remote user may be able to avoid server bans by sending a specially crafted userinfo string ('ip' value) that is large enough to be truncated when processed by the target mod.
A remote user can send an invalid disconnect command and then reconnect to cause the server to allocate a slot that is already in use by another client. This will cause the client state data to be overwritten, which may adversely affect the server.
It is reported that some of the above listed flaws may affected the underlying Quake II engine, used by various 3rd party games including Anachronox, Daikatana, Heretic II, Kingpin: Life of Crime, Soldier of Fortune, and Sin.
Users of the QuakeSrc.org message boards are credited with reporting some of these flaws.
The original advisory is available at:
A remote user can obtain potentially sensitive configuration information.|
A remote user ca cause the target service to crash.
A remote user may be able to execute arbitrary code on the target server [however, code execution was not confirmed in the report].
No solution was available at the time of this entry.|
The author of the report has issued an unofficial fix, available at:
Vendor URL: www.idsoftware.com/ (Links to External Site)
Access control error, Boundary error, Input validation error, State error|
|Underlying OS: Linux (Any), UNIX (Any), Windows (Any)|
Source Message Contents
Subject: Multiple Vulnerabilites in Quake II Server|
Multiple Vulnerabilites in Quake II Server
Product: Quake II
Version: Tested on 3.2x, likely all
Vendor: iD Software (http://www.idsoftware.com/)
Risk: High (possible remote code execution)
Quake II is a multiplayer game featuring around 750 active servers
online. Quake II was open sourced in December 2001 and many
modifications have since been made.
As the Quake II engine is available for commercial licensing, some of
these issues may affect other games based on the Quake II engine,
including (but not limited to):
* Heretic II
* Kingpin: Life of Crime
* Soldier of Fortune
Due to unchecked input at various stages in the server, remote users are
able to cause the server to crash, reveal sensitive information or
potentially execute arbitrary code.
Problem #1 - Array bounds error
During the processing of Configstrings and Baselines used during the
connection process, the Quake II client is expected to send the offset
of the array it wants to receive. However, no checking is done to
ensure that this offset is not negative, resulting in an access
violation when the server attempts to read this memory.
Problem #2 - Buffer overflow when parsing packets
Upon receiving a command packet, the server will attempt to split it
into chunks such as cmd_args (everything after the function name), and
generating an array called cmd_argv so that functions can easily
access parameters of the command. The buffer designed to hold cmd_args
is only 1024 bytes while the maximum packet size is in the 1400+ bytes
range. No checks are made to verify the string length before it is
copied into the cmd_args buffer, resulting in a buffer overflow.
Depending on the system architecture exploitation may be possible, but
is limited by the fact that cmd_args resides in the data section of the
executable. A typical overflow will corrupt the cmd_functions pointer,
causing execution of further commands to crash the server. This attack
can be performed without having to connect to the Quake II server and
requires only a single UDP packet which may allow for source address
Problem #3 - Win32 server auto downloading allows leak
of sensitive files
Quake II allows users to download content from the server that they need
to play, such as custom maps. However the server does not perform enough
verification on the path supplied by the client for downloading. Due to
the nature of Win32 paths, it is possible to specify for example,
"download \/server.cfg" as a command which will result in the server
sending the file server.cfg from the mod directory which would not
normally be allowed.
Problem #4 - Linux server auto downloading DoS
Linux behaves differently to Win32 when a file open operation is
attempted on a directory. Due to insufficient checking of the path, it
is possible to send a command such as "download /maps/" which will
result in the server opening the maps directory and subsequently
shutting down when it cannot read data from it.
Problem #5 - Fake clients DoS
Due to high timeout values and no limit of connections from a single IP,
it is possible to cause the Quake II server to refuse legitimate
connections by filling it with "fake" clients. Only 2 UDP packets need
to be sent to initiate a connection, which will then occupy a player
slot and take up to 2 minutes by default to time out. As no limiting per
IP is done, a single 56k modem user could easily occupy 40+ client slots
using this method.
Problem #6 - IP Spoofing
The Quake II client constructs a string known as the userinfo that
contains key/value pairs of important settings, such as the player
name, skin, etc. When the server reads the client's userinfo it
inserts a new key/value pair called "ip" with the client's IP address
to allow mods to see the client IP when they look at the userinfo.
It is possible to construct a client userinfo string large enough so
that a key/value pair will be truncated. By then inserting a key
called "ip", it is possible to trick a mod into reading the wrong
IP from the userinfo. Since it is the responsibility of mods to ban
users from the server, a malicious user can evade any bans on the
Problem #7 - Damage of client state structure
By not properly issuing a disconnect command, a client can remain
connected to a server even after supposedly disconnecting. When the
client reconnects, the server will try to find a slot that was
previously allocated to that client and re-use it. However no check
is done to ensure that this slot is truly no longer in use, resulting
in overwriting of any old client state without notifying the mod
which can result in client cleanup code not running and inconsistent
player counts amongst other mod-specific issues.
Problem #8 - Local buffer overflows
A number of functions designed to be executed from the server console or
rcon do not properly check buffer sizes, resulting in a crash. However
since these can only be exploited from someone with direct access to the
server, they are a low threat.
I would also like to remind server admins that the original version of
the Quake II server (still in use by approximately 260 servers according
to the All-Seeing Eye) has even larger risks as it is trivial to steal
the rcon password and perform actions as if you were at the server
console, including browsing of the host system directory structure.
As the product is now open source, it is not expected that the vendor
will release any official updates. Previous vulnerabilities in Quake II
have not warranted any vendor response.
Disabling auto downloading (allow_download 0) will mitigate some
threats, but most of the issues listed cannot be worked around.
It is strongly recommended that any Quake II server operators use an
updated Quake II binary to fix these issues. At present, the
only known client/server modification which contains fixes for all
these issues is R1Q2, available at http://www.r1ch.net/stuff/r1q2/
Thanks to posters on the QuakeSrc.org message boards for bringing some
of these issues to light.
Go to the Top of This SecurityTracker Archive Page