From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 5 Apr 2005 09:40:08 +0200
Subject: [NEWS] Quake 3 Engine Buffer Overflow
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050405105500.CD7FB57BA@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Quake 3 Engine Buffer Overflow
------------------------------------------------------------------------
SUMMARY
The <http://www.idsoftware.com>; Quake 3 engine "is the well known game
engine developed by ID Software and is used by many games".
Some of the games that are using the Quake 3 engine are Soldier of
Fortune, Call of Duty and Jedi Academy . These Quake 3 engine based games
are vulnerable to a buffer overflow in the message sending function that
may disconnect users from the game, crash the server or the client and
also to execute an arbitrary code using this vulnerability.
DETAILS
Vulnerable Systems:
* Call of Duty version 1.5 and prior
* Call of Duty: United Offensive version 1.5.1 and prior
* Return to Castle Wolfenstein version 1.41 and prior
* Soldier of Fortune II: Double Helix version 1.03 and prior
* Star Wars Jedi Knight II: Jedi Outcast version 1.04 and prior
* Star Wars Jedi Knight: Jedi Academy version 1.0.1.0 and prior
* Wolfenstein: Enemy Territory version 2.56 and prior
* Other games may be vulnerable as well
The problem is how the engine handles commands longer than 1022
characters, in fact they are automatically truncated at that size and the
rest of the characters are handled as network data causing the engine to
get confused.
If an attacker joins a server and sends a too big message any client in
the server will automatically disconnect showing the
"CL_ParseServerMessage: Illegible server message" error.
Proof of Concept:
* Download the following file:
<http://aluigi.altervista.org/poc/q3msgboom.cfg>;
http://aluigi.altervista.org/poc/q3msgboom.cfg.
* Place it in the base folder of your game (like baseq3, etmain, main,
base and so on).
* Start a client and a server or, if possible, more clients to test
better the effects of the bug.
* Join the server.
* Go into the console of a client (~ key or shift + ~).
* Type: /exec q3msgboom.
* Any client in the server will disconnect immediately.
If nothing happens or the vsay command is not supported, modify the
q3msgboom.cfg file using other commands like say or vsay_team.
Jedi Knight II needs that the script is executed some times before seeing
the effects.
Vendor Status:
Currently only Enemy Territory 2.60 has been fixed.
ADDITIONAL INFORMATION
The information has been provided by <mailto:aluigi@autistici.org.> Luigi
Auriemma.
The original advisory can be found at:
<http://aluigi.altervista.org/adv/q3msgboom-adv.txt>;
http://aluigi.altervista.org/adv/q3msgboom-adv.txt.
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
