Quake3 engine autodownload issues.

From: Thilo Schulz (arny@ats.s.bawue.de)
Date: 02/04/03

  • Next message: Brian Hatch: "Re: Putting the "NSA Data Overwrite Standard" Legend to Death..."
    From: Thilo Schulz <arny@ats.s.bawue.de>
    To: bugtraq@securityfocus.com
    Date: Tue, 4 Feb 2003 11:49:40 +0100


    The Quake3 Engine's feature for automatically downloading modifications from
    the server to the client bears great potential of abuse and could even lead
    to execution of arbitrary code. Because this is quake3 engine related many
    games aside from quake3 suffer from the same problem as well.

    First a few lines to explain the background:
    In Quake3 engine games (at least those who haven't been modified too heavily
    by the developer who came to license the engine) all game data files, maps,
    textures, models, sounds etc. are contained by to .pk3 suffixed
    ZIP-compressed archives.
    Modifications as well, with files for the virtual machine that determines the
    bahaviour of the engine.
    If a player joins this server, the server requests checksums for various
    .pk3's that are in use on the server and of the game itself from the client,
    to validate that the client has not messed around with certain files to
    enable the possibility of cheating (Aimbots for example).
    On the other hand, if the server is right now playing a map and the client
    connecting to the server does not have this map, this client starts, if all
    permissions are set to default, automatically downloading the .pk3 file that
    contains the map files with its textures and all it needs to play this map.
    The same goes for modifications. In order to allow automatically downloading,
    the server and the client need to have the variable cl_allowdownload set to
    1. This is the default in most games.

    So here we are at the first possibility of abuse:

    The Server administrator can load modifications on his server, that are very
    small in file size. When the client connects to this server, it will start
    automatically downloading this modification, which will be very short due to
    small size, this is why the user is most likely to ignore it. The
    administrator may have set this mod on the server this way, that he can
    enable cheating on this server while other people can not. This possibility
    is already known and was only mentioned for the sake of completeness.

    Secondly, certain files may break the starting of the game. I have found an
    example for the game Star Trek Voyager: Elite Force, where if you download
    the .pk3 file for a multiplayer map, the single player will not start up
    anymore and lots of garbish appearing in the start-up console. Here is a link
    to the file:

    http://www.hazardteam.de/downloads-file.html?type=maps&id=104ame crash before it even started up.

    The author of this map certainly did not intend this to happen, someone with
    malicious intends is no doubtedly possible to modify the content and reduce
    the size of the file reasonably to have the same effect, depending on the

    Thirdly: We do not know which bugs lurk in the deepness of the closed source
    of the games. These games are complex - the engine needs to load the maps
    correctly and display them, also game developers add powerful script
    interpreters to make it possible to script events in single player missions.
    These bugs cannot all be found and fixed in time, the potential if a bug was
    found in one of these games would be enormous. Just think about the thousands
    of clients that have this automatical downloading enabled. The file at the
    top is an example how by a simple coincidence a way was found to make the
    game crash before it even started up.

    This is why I have written this report. The only advice I can give is not to
    make the same mistake microsoft did with its outlook and enable various
    things by default that makes it 10x easier to start any exploits without the
    user wanting to do so.
    All users should set the variable cl_allowdownload in all .cfg files in the
    quake3 directory to '0' , and not download maps / modifications from
    untrusted sources, also Game developers should disable this by default. If
    this is enabled, an unsuspecting user downloads on connect whatever the
    server administrator intends to.

    I have checked various games, obviously some game developers have already
    recognized this threat.

    Games I have found vulnerable:
    Ravensoft's Star Trek Voyager: EliteForce
    Medal of Honour: Allied Assault
    Medal of Honour: Spearhead

    The id guys seem to have done a better job, it seems that in the latest point
    release cl_allowdownload was set to '0' by default.
    I have only limited time for research, I do not doubt that alot more games
    than these (where the MOHAA has got a solid user base) have automatically
    download on by default.

    I would like to annotate, that generally the unreal tournament engine family
    also has the autodownload feature. I am not familiar with this type of
    engines, yet it bears the same potential of abuse.

     - Thilo Schulz

    Relevant Pages

    • Re: Does anyone have any answers?
      ... board cards etc flow from server to client. ... In a game of Hold'em that we're both playing, for instance, the server obviously tells me my hole cards, tells you your hole cards, and tells us both the community cards. ... That's in stark contrast to other Internet games like first person shooters or some roleplaying games, where the clients _do_ have that private information and have to decide what to do with it. ...
    • Re: MyChess Database
      ... Sure but the client must send some kind of message `give me these ... games' to the server and the server must respond by sending the games ... It's a trivial protocol but it's still a protocol. ...
    • Re: What doesnt lend itself to OO?
      ... >> proxy and instructs the server to constuct the real object. ... rather than client code. ... If 'clock' is instantiated in the server, ... > for the server interface at the OOA level. ...
    • Re: More Get-IPlayer Questions
      ... to use with mutt mail client. ... antinat - 0.90-4 - Antinat is a flexible SOCKS server and client ... protocol for Sybase or MS SQL Server. ... ifstat - 1.1-1 - InterFace STATistics Monitoring ...
    • This is going straight to the pool room
      ... or not the client has privilege to do what they're trying to do, ... The server environment is this: ... 3GL User action Routines that Tier3 will execute on your behalf during the ... Routine Name: USER_INIT ...