Multiple Vulnerabilities in Quake II Server
===========================================

Product: Quake II
Version: Tested on 3.2x, likely all
Vendor:  id Software (http://www.idsoftware.com/)
Date:    2004-10-27
Risk:    High (possible remote code execution)
URL:     http://secur1ty.net/advisories/001

Background
==========

Quake II is a multiplayer game featuring around 750 active servers online. Quake II was open sourced in December 2001 and many modifications have since been made. As the Quake II engine is available for commercial licensing, some of these issues may affect other games based on the Quake II engine, including (but not limited to):

* Anachronox
* Daikatana
* Heretic II
* Kingpin: Life of Crime
* Soldier of Fortune
* Sin

Source: http://en.wikipedia.org/wiki/Quake_II

Issues
======

Due to unchecked input at various stages in the server, remote users are able to cause the server to crash, reveal sensitive information or potentially execute arbitrary code.

Problem #1 - Array bounds error
===============================

During the processing of configstrings and baselines sent during the connection process, the Quake II client is expected to send the offset into the array it wants to receive. However, no check is done to ensure that this offset is not negative, resulting in an access violation when the server attempts to read that memory.

Problem #2 - Buffer overflow when parsing packets
=================================================

Upon receiving a command packet, the server attempts to split it into parts such as cmd_args (everything after the command name) and generates an array called cmd_argv so that functions can easily access the parameters of the command. The buffer designed to hold cmd_args is only 1024 bytes, while the maximum packet size is in the 1400+ byte range. No check is made on the string length before it is copied into the cmd_args buffer, resulting in a buffer overflow.
Depending on the system architecture, exploitation may be possible, but it is limited by the fact that cmd_args resides in the data section of the executable. A typical overflow will corrupt the cmd_functions pointer, causing execution of further commands to crash the server. This attack can be performed without connecting to the Quake II server and requires only a single UDP packet, which may allow source address spoofing.

Problem #3 - Win32 server auto downloading allows leak of sensitive files
=========================================================================

Quake II allows users to download content from the server that they need to play, such as custom maps. However, the server does not perform enough verification on the path supplied by the client for downloading. Due to the nature of Win32 paths, it is possible to specify, for example, "download \/server.cfg" as a command, which will result in the server sending the file server.cfg from the mod directory, which would not normally be allowed.

Problem #4 - Linux server auto downloading DoS
==============================================

Linux behaves differently from Win32 when a file open operation is attempted on a directory. Due to insufficient checking of the path, it is possible to send a command such as "download /maps/", which will result in the server opening the maps directory and subsequently shutting down when it cannot read data from it.

Problem #5 - Fake clients DoS
=============================

Due to high timeout values and no limit on connections from a single IP, it is possible to cause the Quake II server to refuse legitimate connections by filling it with "fake" clients. Only 2 UDP packets need to be sent to initiate a connection, which will then occupy a player slot and take up to 2 minutes by default to time out. As no limiting per IP is done, a single 56k modem user could easily occupy 40+ client slots using this method.
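For Problem #2, the following is an added example (not code from the advisory, from Quake II or from R1Q2) of a command tokenizer that checks the incoming line against the fixed-size argument buffer before any copy is made, and refuses the packet instead of truncating or overflowing. The cmd_t layout, the function names and the constant names are assumptions chosen to resemble the engine's; the 1024-byte buffer and the 1400+ byte packet size are the figures the advisory gives.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Sizes follow the advisory: cmd_args holds 1024 bytes while a packet can
 * carry 1400+ bytes. The names are assumptions resembling the engine's. */
#define MAX_STRING_CHARS  1024
#define MAX_STRING_TOKENS 80
#define MAX_MSGLEN        1400

typedef struct {
    int   argc;
    char *argv[MAX_STRING_TOKENS];
    char  args[MAX_STRING_CHARS];   /* everything after the command name */
    char  tokens[MAX_STRING_CHARS]; /* backing store for argv[] */
} cmd_t;

/* Tokenize one command line into cmd. Returns 0 on success and -1 when the
 * text cannot be represented in the fixed buffers; the caller should drop
 * the packet rather than let a truncated or overflowing copy through. */
int cmd_tokenize(cmd_t *cmd, const char *text)
{
    size_t len = strlen(text);
    const char *p = text;
    char *t;

    cmd->argc = 0;
    cmd->args[0] = '\0';

    /* The length check the advisory says is missing: do it before any copy. */
    if (len >= MAX_STRING_CHARS)
        return -1;

    /* Skip whitespace and the command name to locate the argument string. */
    while (*p && isspace((unsigned char)*p)) p++;
    while (*p && !isspace((unsigned char)*p)) p++;
    while (*p && isspace((unsigned char)*p)) p++;
    strcpy(cmd->args, p);   /* safe: strlen(p) <= len < MAX_STRING_CHARS */

    /* Split a private copy into argv[] in place. */
    strcpy(cmd->tokens, text);
    t = cmd->tokens;
    while (*t) {
        while (*t && isspace((unsigned char)*t)) *t++ = '\0';
        if (!*t) break;
        if (cmd->argc == MAX_STRING_TOKENS)
            return -1;          /* too many tokens: refuse, do not drop silently */
        cmd->argv[cmd->argc++] = t;
        while (*t && !isspace((unsigned char)*t)) t++;
    }
    return 0;
}

/* Build "<cmdname> " followed by n_fill 'A' bytes, a constructed stand-in for
 * an oversized command packet, and tokenize it. Returns cmd_tokenize's result
 * (or -2 if the constructed line itself would exceed MAX_MSGLEN). */
int tokenize_filled(const char *cmdname, size_t n_fill, int *argc_out)
{
    static char line[MAX_MSGLEN + 1];
    cmd_t cmd;
    size_t n = strlen(cmdname);
    int rc;

    if (n + 1 + n_fill >= sizeof line)
        return -2;
    memcpy(line, cmdname, n);
    line[n] = ' ';
    memset(line + n + 1, 'A', n_fill);
    line[n + 1 + n_fill] = '\0';

    rc = cmd_tokenize(&cmd, line);
    if (argc_out)
        *argc_out = cmd.argc;
    return rc;
}

cmd_t last_cmd;   /* result of the most recent demo_argc() call */

/* Tokenize text into last_cmd; returns argc, or -1 if the line was refused. */
int demo_argc(const char *text)
{
    return cmd_tokenize(&last_cmd, text) == 0 ? last_cmd.argc : -1;
}

int main(void)
{
    printf("normal command: argc=%d, args=\"%s\"\n", demo_argc("say hello world"), last_cmd.args);
    printf("1300-byte argument: rc=%d (refused before copying)\n", tokenize_filled("say", 1300, NULL));
    return 0;
}
```

Refusing the packet outright is deliberate: silently truncating a command at 1023 bytes could change its meaning, and a client that sends a line longer than the server can hold is not behaving as a normal client.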
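For Problems #3 and #4 together, the following is an added example (not the engine's code, nor R1Q2's) of the validation a server can apply to a client's download path before touching the filesystem, plus a regular-file check so that the Linux directory case becomes a refused request instead of a shutdown. The list of served content prefixes, MAX_QPATH and the function names are assumptions made for this example; the two request strings it refuses are the ones the advisory quotes.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

#define MAX_QPATH 64   /* assumed upper bound on a relative game path */

/* Content trees a client may legitimately fetch; a config file at the mod
 * root ("server.cfg") never matches any of them. The list is an assumption
 * for the example, not taken from the engine. */
static const char *const download_prefixes[] = {
    "maps/", "models/", "sound/", "pics/", "players/", "textures/", "env/"
};

/* Return 1 if path is an acceptable relative download path, else 0.
 * Rejected: empty or over-long paths, a leading '/' or '\', any '\' at all
 * (Win32 accepts it as a separator, which is how "\/server.cfg" escapes the
 * content directory), ':' (drive letters, alternate data streams), "..",
 * a trailing '/' (the "download /maps/" directory case), and anything not
 * under one of the served prefixes. */
int download_path_ok(const char *path)
{
    size_t len = strlen(path), i;

    if (len == 0 || len >= MAX_QPATH)
        return 0;
    if (path[0] == '/' || path[0] == '\\' || path[len - 1] == '/')
        return 0;
    if (strchr(path, '\\') || strchr(path, ':') || strstr(path, ".."))
        return 0;
    for (i = 0; i < sizeof download_prefixes / sizeof download_prefixes[0]; i++) {
        size_t plen = strlen(download_prefixes[i]);
        if (strncmp(path, download_prefixes[i], plen) == 0 && len > plen)
            return 1;
    }
    return 0;   /* not under a served content tree */
}

/* Open a file for serving only if it is a regular file. On Linux fopen() of
 * a directory succeeds and the later read fails, which is the sequence the
 * advisory describes as taking the server down, so check the type first. */
FILE *open_regular_file(const char *fullpath)
{
    struct stat st;

    if (stat(fullpath, &st) != 0 || !S_ISREG(st.st_mode))
        return NULL;
    return fopen(fullpath, "rb");
}

int main(void)
{
    /* constructed sample requests; the second and third are the advisory's */
    const char *samples[] = { "maps/q2dm1.bsp", "\\/server.cfg", "/maps/",
                              "maps/../server.cfg", "server.cfg" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s -> %s\n", samples[i], download_path_ok(samples[i]) ? "allowed" : "refused");
    printf("open_regular_file(\".\") -> %s\n", open_regular_file(".") ? "opened" : "refused (directory)");
    return 0;
}
```

The string checks and the stat() check are independent layers: the validator decides whether the request names something the server is willing to serve, and open_regular_file() protects the read path even if a later code change loosens the validator.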
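For Problem #5, the following is an added example (not code from the advisory, Quake II or R1Q2) of the two server-side controls that remove the conditions the advisory names: a cap on simultaneous slots per source IP, and a much shorter timeout for clients that started a connection but never finished entering the game. The slot table, the function names, the per-IP cap of 3 and the 10-second handshake timeout are assumptions for the example; the 2-minute timeout for established clients is the default the advisory cites.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Policy values are assumptions for the example; the engine's defaults are
 * only what the advisory states (a 2-minute timeout, no per-IP limit). */
#define MAX_CLIENTS          64
#define MAX_CLIENTS_PER_IP   3
#define CONNECT_TIMEOUT_SEC  10    /* sent "connect" but never finished loading */
#define CLIENT_TIMEOUT_SEC   120   /* fully spawned player, the advisory's default */

typedef enum { CS_FREE, CS_CONNECTED, CS_SPAWNED } client_state_t;

typedef struct {
    client_state_t state;
    uint32_t       ip;            /* IPv4 address in host byte order */
    int            last_message;  /* seconds, time of the last packet seen */
} client_t;

static client_t svs_clients[MAX_CLIENTS];

void sv_reset(void)
{
    memset(svs_clients, 0, sizeof svs_clients);
}

int sv_count_from_ip(uint32_t ip)
{
    int i, n = 0;
    for (i = 0; i < MAX_CLIENTS; i++)
        if (svs_clients[i].state != CS_FREE && svs_clients[i].ip == ip)
            n++;
    return n;
}

/* Handle a "connect" handshake. Returns the slot index, or -1 when the
 * connection is refused: the per-IP cap is what stops one source from
 * filling every slot with half-open "fake" clients. */
int sv_try_connect(uint32_t ip, int now)
{
    int i;
    if (sv_count_from_ip(ip) >= MAX_CLIENTS_PER_IP)
        return -1;
    for (i = 0; i < MAX_CLIENTS; i++) {
        if (svs_clients[i].state == CS_FREE) {
            svs_clients[i].state = CS_CONNECTED;
            svs_clients[i].ip = ip;
            svs_clients[i].last_message = now;
            return i;
        }
    }
    return -1;   /* server full */
}

/* Called once the client has finished loading and entered the game. */
void sv_mark_spawned(int slot, int now)
{
    svs_clients[slot].state = CS_SPAWNED;
    svs_clients[slot].last_message = now;
}

/* Drop idle clients. A slot that never completed the handshake gets the
 * short timeout, so a burst of connect packets frees itself quickly instead
 * of holding slots for two minutes. Returns the number of slots freed. */
int sv_check_timeouts(int now)
{
    int i, dropped = 0;
    for (i = 0; i < MAX_CLIENTS; i++) {
        client_t *cl = &svs_clients[i];
        int limit;
        if (cl->state == CS_FREE)
            continue;
        limit = (cl->state == CS_SPAWNED) ? CLIENT_TIMEOUT_SEC : CONNECT_TIMEOUT_SEC;
        if (now - cl->last_message > limit) {
            cl->state = CS_FREE;
            dropped++;
        }
    }
    return dropped;
}

int main(void)
{
    uint32_t ip = 0x0A000001;   /* constructed sample address 10.0.0.1 */
    int i, accepted = 0;

    sv_reset();
    for (i = 0; i < 10; i++)
        if (sv_try_connect(ip, 0) >= 0)
            accepted++;
    printf("10 connect attempts from one IP: %d accepted\n", accepted);
    printf("slots freed after %d s: %d\n", CONNECT_TIMEOUT_SEC + 1,
           sv_check_timeouts(CONNECT_TIMEOUT_SEC + 1));
    return 0;
}
```

A per-IP cap does have to allow for several legitimate players behind one NAT, which is why the example keeps it as a tunable rather than a hard 1; the short handshake timeout does most of the work against the single-source case the advisory describes.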
Reference: http://aluigi.altervista.org/fakep.htm

Problem #6 - IP Spoofing
========================

The Quake II client constructs a string known as the userinfo that contains key/value pairs of important settings, such as the player name, skin, etc. When the server reads the client's userinfo it inserts a new key/value pair called "ip" with the client's IP address, to allow mods to see the client IP when they look at the userinfo. It is possible to construct a client userinfo string large enough that a key/value pair will be truncated. By then inserting a key called "ip", it is possible to trick a mod into reading the wrong IP from the userinfo. Since it is the responsibility of mods to ban users from the server, a malicious user can evade any bans on the server.

Problem #7 - Damage of client state structure
=============================================

By not properly issuing a disconnect command, a client can remain connected to a server even after supposedly disconnecting. When the client reconnects, the server will try to find a slot that was previously allocated to that client and re-use it. However, no check is done to ensure that this slot is truly no longer in use, resulting in any old client state being overwritten without notifying the mod. This can result in client cleanup code not running and inconsistent player counts, amongst other mod-specific issues.

Problem #8 - Local buffer overflows
===================================

A number of functions designed to be executed from the server console or via rcon do not properly check buffer sizes, resulting in a crash. However, since these can only be exploited by someone with direct access to the server, they are a low threat.
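For Problem #6, the following is an added example (not the engine's Info_* functions, nor R1Q2's) of userinfo handling in which the server discards any client-supplied "ip" key, inserts the address it actually saw, refuses the userinfo when the pair would not fit instead of truncating, and reads the key back before trusting it. The helpers are shaped like the engine's info-string routines but were written for this example; the size limits, function names and the constructed sample userinfo are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Fixed-size info string limits; the numbers are assumptions for this example. */
#define MAX_INFO_STRING 512
#define MAX_INFO_KEY    64
#define MAX_INFO_VALUE  64

/* Look up key in a "\key\value\key\value" string; "" if absent. The value is
 * returned in a single static buffer, so copy it before the next lookup. */
const char *info_value_for_key(const char *s, const char *key)
{
    static char value[MAX_INFO_VALUE];
    char pkey[MAX_INFO_KEY], *o;

    if (*s == '\\') s++;
    for (;;) {
        o = pkey;
        while (*s != '\\') {                       /* read the key */
            if (!*s) return "";
            if (o - pkey < MAX_INFO_KEY - 1) *o++ = *s;
            s++;
        }
        *o = '\0'; s++;
        o = value;
        while (*s && *s != '\\') {                 /* read the value, bounded */
            if (o - value < MAX_INFO_VALUE - 1) *o++ = *s;
            s++;
        }
        *o = '\0';
        if (strcmp(key, pkey) == 0) return value;
        if (!*s) return "";
        s++;
    }
}

/* Remove every occurrence of key: a client may send the same key twice. */
void info_remove_key(char *s, const char *key)
{
    char *start, *o, pkey[MAX_INFO_KEY];
    for (;;) {
        start = s;
        if (*s == '\\') s++;
        o = pkey;
        while (*s != '\\') {
            if (!*s) return;
            if (o - pkey < MAX_INFO_KEY - 1) *o++ = *s;
            s++;
        }
        *o = '\0'; s++;
        while (*s && *s != '\\') s++;              /* skip the value */
        if (strcmp(key, pkey) == 0) {
            memmove(start, s, strlen(s) + 1);      /* cut "\key\value" out */
            s = start;
        }
        if (!*s) return;
    }
}

/* Set key=value. Returns 0 on success; -1 if the pair is malformed or the
 * result would not fit, in which case nothing is appended (no truncation). */
int info_set_value_for_key(char *s, const char *key, const char *value)
{
    char newi[MAX_INFO_STRING];
    if (strpbrk(key, "\\;\"") || strpbrk(value, "\\;\""))
        return -1;
    if (strlen(key) >= MAX_INFO_KEY || strlen(value) >= MAX_INFO_VALUE)
        return -1;
    info_remove_key(s, key);
    snprintf(newi, sizeof newi, "\\%s\\%s", key, value);
    if (strlen(newi) + strlen(s) >= MAX_INFO_STRING)
        return -1;
    strcat(newi, s);
    strcpy(s, newi);
    return 0;
}

/* Server-side acceptance of a client userinfo: any client-supplied "ip" is
 * discarded, the real address is inserted, and the key is read back so a mod
 * querying "ip" sees the address the server saw. Returns 0 accept, -1 reject. */
int sv_validate_userinfo(char *userinfo, const char *real_ip)
{
    if (strlen(userinfo) >= MAX_INFO_STRING || strpbrk(userinfo, ";\""))
        return -1;
    info_remove_key(userinfo, "ip");
    if (info_set_value_for_key(userinfo, "ip", real_ip) != 0)
        return -1;
    return strcmp(info_value_for_key(userinfo, "ip"), real_ip) == 0 ? 0 : -1;
}

/* Constructed client userinfo for the demo: a name of name_len 'A's, a skin
 * and, if spoof_ip is set, a client-supplied "ip" key. Leaves the validated
 * string in demo_userinfo and returns sv_validate_userinfo's result. */
char demo_userinfo[2 * MAX_INFO_STRING];

int demo_validate(size_t name_len, int spoof_ip, const char *real_ip)
{
    size_t n;
    if (name_len > MAX_INFO_STRING) return -2;
    n = (size_t)sprintf(demo_userinfo, "\\name\\");
    memset(demo_userinfo + n, 'A', name_len);
    n += name_len;
    n += (size_t)sprintf(demo_userinfo + n, "\\skin\\male/grunt");
    if (spoof_ip)
        sprintf(demo_userinfo + n, "\\ip\\1.1.1.1");
    return sv_validate_userinfo(demo_userinfo, real_ip);
}
```

The read-back at the end of sv_validate_userinfo() is the cheap guarantee for mod authors: if the "ip" value a mod will later read does not equal the address the server connected, the client never gets a slot, so a ban keyed on that value cannot be sidestepped by padding the userinfo.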
I would also like to remind server admins that the original version of the Quake II server (still in use by approximately 260 servers according to the All-Seeing Eye) has even larger risks, as it is trivial to steal the rcon password and perform actions as if you were at the server console, including browsing the host system's directory structure.

Reference: http://seclists.org/lists/bugtraq/2002/May/0127.html

Vendor Response
===============

As the product is now open source, it is not expected that the vendor will release any official updates. Previous vulnerabilities in Quake II have not warranted any vendor response.

Workaround
==========

Disabling auto downloading (allow_download 0) will mitigate some threats, but most of the issues listed cannot be worked around.

Fix
===

It is strongly recommended that any Quake II server operators use an updated Quake II binary to fix these issues. At present, the only known client/server modification which contains fixes for all these issues is R1Q2, available at http://www.r1ch.net/stuff/r1q2/

Credits
=======

Thanks to posters on the QuakeSrc.org message boards for bringing some of these issues to light.

Richard Stanway
http://www.r1ch.net/