Hello,
Quake 3 is a popular online first person shooter developed by IDsoftware [1]
that was released in 1999 and is still widely played.
Additionally, a lot of vendors have licensed the Quake3 engine for their
games.
A few noteworthy examples include:
========================================
Issue #1:
This bug is also known as the "remapShader" bug discovered by landser, who
recently published a PoC opening a remote shell on vulnerable Linux clients at
milw0rm.com [2].
details *
The COM_StripExtension routine copies a given filename into another given
buffer, chopping off the suffix, without checking the length of the
destination buffer.
R_FindShaderByName(), called by R_RemapShader(), uses a static 64-byte buffer
as the destination of that copy.
A server can make the client execute R_RemapShader() by sending a "remapShader"
command with overly long arguments, which overflows that buffer.
affected OS *
All operating systems suffer from the bug.
affected games *
Games using the quake3 engine that accept the remapShader command in the cgame
code and use an otherwise unmodified COM_StripExtension().
Vulnerable are:
With a high probability vulnerable:
Not vulnerable:
This list cannot be considered complete. These are the only games where I
have done some checking or where I know they have this bug.
Probably not vulnerable are games that are based off an older version of the
Quake3 engine where the remapShader command didn't exist in the original
cgame code (like EliteForce).
workaround *
There is no known workaround except playing on trusted servers.
patches *
ID has released fixed binaries, but more on that later.
========================================
Issue #2:
This bug was discovered by Ludwig Nussel and myself and was not publicly
disclosed until now.
CVE-2006-2082 [3] is reserved for this bug.
details *
Players connecting to servers that are using .pk3 files not available on the
client have the possibility to download the missing files from the server if
that server allows it.
The client then explicitly requests a filename to download. Unfortunately, the
server does no checking of the filename at all, allowing modified clients to
download arbitrary files via directory traversal, e.g.
"../../../../../../../etc/passwd"
with the rights of the user the server runs under.
affected OS *
All operating systems are affected.
affected games *
As long as game developers haven't heavily modified that part of the server
code, it is safe to say that most of Quake3 engine based games are
vulnerable. To test all available games is beyond my resources, but I can say
with certainty that these games are affected:
IDsoftware has confirmed that games using the Doom3 engine are not vulnerable
to this particular bug.
IDsoftware has released new packages containing builds that fix both issues
for these games:
Check out idsoftware's news page [1] and their ftp server [4].
You can also check out the icculus.org/quake3 project [5] that has both issues
fixed in the latest SVN repository [6] (rev. 777 as of this writing). Updated
binaries will be released soon.
Thanks to…
… landser and the milw0rm people for making the remapShader bug public.
… Ludwig for coordinating disclosure and having the idea about bug #2 in
the first place.
… the other guys at icculus.org (zakk, timbo, ryan to name a few) for having
come so far with debugging/cleaning up/porting the original 1.32b source
release for various platforms.
… Timothee Besset and the guys at idsoftware for still releasing fixed builds
for a game that is more than 6 years old (which is important because of
Punkbuster support).
[1] http://www.idsoftware.com
[2] http://milw0rm.com/exploits/1750
[3] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2082
[4] ftp://ftp.idsoftware.com/idstuff/
[5] http://icculus.org/quake3/
[6] http://svn.icculus.org/quake3/trunk/
--
Thilo Schulz
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/