
Internet Security Systems Security Advisory May 3, 2000

Posted May 3, 2000
Site xforce.iss.net

Internet Security Systems (ISS) has identified a vulnerability in id Software's Quake3Arena that could allow an attacker to read or write files on a computer that has the software installed. This vulnerability is important to network administrators who may be unaware that users are accessing potentially malicious Quake3Arena servers outside their network.

SHA-256 | 8a4d017e58a2be864d22ccf98c21f702854bcc48268c04bd1317160450a209b9


-----BEGIN PGP SIGNED MESSAGE-----

Internet Security Systems Security Advisory
May 3, 2000

Vulnerability in Quake3Arena Auto-Download Feature

Synopsis:

Internet Security Systems (ISS) has identified a vulnerability in id
Software's Quake3Arena that could allow an attacker to read or write files
on a computer that has the software installed. This vulnerability is
important to network administrators who may be unaware that users are
accessing potentially malicious Quake3Arena servers outside their network.

The environment for Quake3Arena allows client-side modifications to read and
write files for purposes such as configuration. Modifications run in a
protected environment similar to the Java virtual machine but proprietary to
id Software. The file access routines in this environment are limited to
files installed in the directory where the modification is installed.
Modifications are located in subdirectories under the Quake3Arena
installation directory. It is possible to open files in directories above
the modifications directory allowing an attacker to open any file on the
same drive.

Combining the ability to access files with the automatic download feature
that was added to Quake3Arena in the 1.16 update on March 15, 2000, this
vulnerability could be used by an attacker to execute malicious code on any
system that connects to a Quake3Arena server.

Impact:

This vulnerability allows an attacker to have read or write access to a
Quake3Arena user's filesystem when the user connects to a server run by the
attacker. This could allow attackers to install Trojan horse programs,
gather passwords, and read or write files.

Affected Versions:

Quake3Arena version 1.16 for Windows allows read or write access to files
and allows code to be automatically downloaded to the user's system for the
purpose of manipulating files.

Description:

A programming Software Developers Kit (SDK) for Quake3Arena is supplied by
id Software along with source code to a major portion of the program logic.
The SDK is intended to encourage the development of modifications and
enhancements to the program.

Within the source code for the client side portion of the program, a number
of predefined functions can be called by game modifications. A majority of
these functions manipulate data within the game itself and pose no danger to
the system on which the software is running.

However, four of these functions allow read or write access to the
filesystem. The read functions can read files stored on the filesystem as
well as data compressed within the PKZIP-compatible .PK3 files. The write
functions only write to files directly on the filesystem. Opening files
requires a relative path, resulting in access only to files that reside in
the subdirectory where the modification has been installed or packed inside
the .PK3 files of that directory.

The routines used to open files do not remove ".." from file specifications
before the file is opened. An attempt to open a file whose specification
contains ".." will result in the following error message:

"WARNING: refusing to create reletive path "C:\etc\etc\etc"


The bug in the implementation opens the file despite the above error
message. It is possible for the end user of the product to miss the error
message since status and error messages are written to the Quake3Arena
'console', which is normally not visible within the program unless the user
presses a special key.

This bug combined with the automatic downloading feature in version 1.16
could be used to mount an attack.
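
The warn-but-open pattern described above, next to a version that stops at the
failed check. This is an added example, not id Software's code: the function
names, the "moddir" base directory and the sample paths are assumptions made
for illustration.

```c
#include <stdio.h>
#include <string.h>

/* 1 if rel stays under the base directory: not empty, not rooted, no
   drive letter, and no ".." component with either path separator. */
int path_is_confined(const char *rel)
{
    if (rel[0] == '\0' || rel[0] == '/' || rel[0] == '\\' || rel[1] == ':')
        return 0;
    for (const char *p = rel; *p; ) {
        size_t n = strcspn(p, "/\\");      /* length of this component */
        if (n == 2 && p[0] == '.' && p[1] == '.')
            return 0;
        p += n;
        if (*p) p++;                       /* step over the separator */
    }
    return 1;
}

/* Flawed pattern: the check only logs, then control falls through.
   Returns 1 when the caller would go on to open the path in out. */
int resolve_flawed(const char *base, const char *rel, char *out, size_t outsz)
{
    if (!path_is_confined(rel))
        fprintf(stderr, "WARNING: refusing path \"%s\"\n", rel);
    snprintf(out, outsz, "%s/%s", base, rel);   /* no early return above */
    return 1;
}

/* Corrected pattern: a failed check ends the call with nothing to open. */
int resolve_checked(const char *base, const char *rel, char *out, size_t outsz)
{
    int n = -1;
    if (path_is_confined(rel))
        n = snprintf(out, outsz, "%s/%s", base, rel);
    if (n < 0 || (size_t)n >= outsz) {     /* rejected or truncated */
        out[0] = '\0';
        return 0;
    }
    return 1;
}

int main(void)
{
    char buf[256];
    const char *rel = "../../example.txt"; /* constructed sample input */
    printf("flawed : %d\n", resolve_flawed("moddir", rel, buf, sizeof buf));
    printf("checked: %d\n", resolve_checked("moddir", rel, buf, sizeof buf));
    return 0;
}
```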

Recommendations:

Operators of Quake3Arena servers are not vulnerable to attack. However,
before installing a modification and enabling automatic downloading on a
server, the server administrator should verify the source of the
modification to be sure a Trojan horse program has not been installed.

Users of Quake3Arena should disable the auto download feature to prevent
this attack. This is done by choosing SETUP from the main menu, followed by
GAME OPTIONS. On the list that appears, make sure "Automatic Downloading" is
set to OFF. If Automatic Downloading is turned on, you will be warned as
files are downloaded to your system.

If a user chooses to manually install game modifications to the client,
carefully check the modifications for Trojan horse programs. If the
modification includes any .QVM files in the package, it could be used to
mount an attack as described in this advisory. Any Quake3Arena modification
which uses .DLL files should be examined carefully before installation.
These modifications do not have the same security safeguards as the virtual
environment. Also, be aware that the .PK3 files that are often distributed
are PKZIP format files, and could contain within them trojaned .QVM files.
Use a PKZIP compatible utility to examine any .PK3 files you receive as part
of a Quake3Arena modification.

Network administrators who wish to prevent Quake3Arena users from accessing
potentially malicious servers outside their network may do so with firewall
rules. Quake3Arena servers normally operate on UDP port 27960, but can be
configured to run on other port numbers. Since port 27960 is not
exclusively registered for the use of Quake3Arena, blocking this port might
affect other applications that could arbitrarily choose this port number.

Another approach would be to block outbound access to the following specific
address from your network via UDP:

authorize.quake3arena.com:27952

Currently this address resolves to 192.246.40.56:27952, but it could be
spread across multiple IP addresses in the future.

This address is used for authentication/copy protection features within
Quake3Arena. Clients who cannot send and receive packets to this address
over the Internet will not be able to access Internet-based Quake3Arena
servers.

It is recommended by id Software that all server operators and end users
upgrade to the 1.17 point release as soon as possible. The 1.17 point
release is available at:
http://www.quake3arena.com/
http://www.planetquake.com/
http://www.quake3world.com/

The network protocol was upgraded from prior versions to help facilitate a
rapid transition to the new code base. This means that 1.17 will not
communicate with prior versions of Quake3Arena.

Credits:

This vulnerability was researched and discovered by Tim Farley of the ISS
X-Force. ISS would like to thank id Software for their response and handling
of this vulnerability.

_____

About Internet Security Systems (ISS)
Internet Security Systems (ISS) is a leading global provider of security
management solutions for the Internet. By providing industry-leading
SAFEsuite security software, remote managed security services, and strategic
consulting and education offerings, ISS is a trusted security provider to
its customers, protecting digital assets and ensuring safe and uninterrupted
e-business. ISS' security management solutions protect more than 5,500
customers worldwide including 21 of the 25 largest U.S. commercial banks, 10
of the largest telecommunications companies and over 35 government agencies.
Founded in 1994, ISS is headquartered in Atlanta, GA, with additional
offices throughout North America and international operations in Asia,
Australia, Europe, Latin America and the Middle East. For more information,
visit the Internet Security Systems web site at www.iss.net or call
888-901-7477.

Copyright (c) 2000 Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent of
the X-Force. If you wish to reprint the whole or any part of this Alert in
any other medium excluding electronic medium, please e-mail xforce@iss.net
for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3 as well
as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force (xforce@iss.net)
of Internet Security Systems, Inc.
