Quake3 engine autodownload issues.

From: Thilo Schulz (arny@ats.s.bawue.de)
Date: 02/04/03

  • Next message: Brian Hatch: "Re: Putting the "NSA Data Overwrite Standard" Legend to Death..."
    From: Thilo Schulz <arny@ats.s.bawue.de>
    To: bugtraq@securityfocus.com
    Date: Tue, 4 Feb 2003 11:49:40 +0100


    The Quake3 Engine's feature for automatically downloading modifications from
    the server to the client bears great potential of abuse and could even lead
    to execution of arbitrary code. Because this is quake3 engine related many
    games aside from quake3 suffer from the same problem as well.

    First a few lines to explain the background:
    In Quake3 engine games (at least those who haven't been modified too heavily
    by the developer who came to license the engine) all game data files, maps,
    textures, models, sounds etc. are contained by to .pk3 suffixed
    ZIP-compressed archives.
    Modifications as well, with files for the virtual machine that determines the
    bahaviour of the engine.
    If a player joins this server, the server requests checksums for various
    .pk3's that are in use on the server and of the game itself from the client,
    to validate that the client has not messed around with certain files to
    enable the possibility of cheating (Aimbots for example).
    On the other hand, if the server is right now playing a map and the client
    connecting to the server does not have this map, this client starts, if all
    permissions are set to default, automatically downloading the .pk3 file that
    contains the map files with its textures and all it needs to play this map.
    The same goes for modifications. In order to allow automatically downloading,
    the server and the client need to have the variable cl_allowdownload set to
    1. This is the default in most games.

    So here we are at the first possibility of abuse:

    The Server administrator can load modifications on his server, that are very
    small in file size. When the client connects to this server, it will start
    automatically downloading this modification, which will be very short due to
    small size, this is why the user is most likely to ignore it. The
    administrator may have set this mod on the server this way, that he can
    enable cheating on this server while other people can not. This possibility
    is already known and was only mentioned for the sake of completeness.

    Secondly, certain files may break the starting of the game. I have found an
    example for the game Star Trek Voyager: Elite Force, where if you download
    the .pk3 file for a multiplayer map, the single player will not start up
    anymore and lots of garbish appearing in the start-up console. Here is a link
    to the file:

    http://www.hazardteam.de/downloads-file.html?type=maps&id=104ame crash before it even started up.

    The author of this map certainly did not intend this to happen, someone with
    malicious intends is no doubtedly possible to modify the content and reduce
    the size of the file reasonably to have the same effect, depending on the

    Thirdly: We do not know which bugs lurk in the deepness of the closed source
    of the games. These games are complex - the engine needs to load the maps
    correctly and display them, also game developers add powerful script
    interpreters to make it possible to script events in single player missions.
    These bugs cannot all be found and fixed in time, the potential if a bug was
    found in one of these games would be enormous. Just think about the thousands
    of clients that have this automatical downloading enabled. The file at the
    top is an example how by a simple coincidence a way was found to make the
    game crash before it even started up.

    This is why I have written this report. The only advice I can give is not to
    make the same mistake microsoft did with its outlook and enable various
    things by default that makes it 10x easier to start any exploits without the
    user wanting to do so.
    All users should set the variable cl_allowdownload in all .cfg files in the
    quake3 directory to '0' , and not download maps / modifications from
    untrusted sources, also Game developers should disable this by default. If
    this is enabled, an unsuspecting user downloads on connect whatever the
    server administrator intends to.

    I have checked various games, obviously some game developers have already
    recognized this threat.

    Games I have found vulnerable:
    Ravensoft's Star Trek Voyager: EliteForce
    Medal of Honour: Allied Assault
    Medal of Honour: Spearhead

    The id guys seem to have done a better job, it seems that in the latest point
    release cl_allowdownload was set to '0' by default.
    I have only limited time for research, I do not doubt that alot more games
    than these (where the MOHAA has got a solid user base) have automatically
    download on by default.

    I would like to annotate, that generally the unreal tournament engine family
    also has the autodownload feature. I am not familiar with this type of
    engines, yet it bears the same potential of abuse.

     - Thilo Schulz