####################################################################### Luigi Auriemma Application: Quake 3 engine http://www.idsoftware.com Games: - Call of Duty <= 1.5 - Call of Duty: United Offensive <= 1.51 - Heavy Metal: F.A.K.K.2 <= 1.02 - Quake III Arena <= 1.32 - Return to Castle Wolfenstein <= 1.41 - Soldier of Fortune II: Double Helix <= 1.03 - Star Trek Voyager: Elite Force <= 1.20 - Star Trek: Elite Force II <= 1.10 - Star Wars Jedi Knight II: Jedi Outcast <= 1.04 - Star Wars Jedi Knight: Jedi Academy <= 1.011 - Wolfenstein: Enemy Territory <= 1.02 / 2.56 ...possibly others Platforms: Windows, Linux and Mac Bug: crash or shutdown caused by incorrect handling of big queries Exploitation: remote, versus server Date: 12 Feb 2005 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: http://aluigi.altervista.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== The Quake 3 engine is the well known game engine developed by ID Software (http://www.idsoftware.com) and is used by many games. Some months ago I reported similar problems in three games based on this engine: Medal of Honor, Call of Duty and Soldier of Fortune II. Except for Medal of Honor that is affected by a specific buffer overflow, the other two games can be "probably" included in this advisory too but I'm not totally sure. ####################################################################### ====== 2) Bug ====== The Quake 3 engine has problems to handle big queries allowing an attacker to shutdown any game server based on this engine: ERROR: Info_SetValueForKey: oversize infostring In some of the vulnerable games is also possible to crash the server. ####################################################################### =========== 3) The Code =========== http://aluigi.altervista.org/poc/q3infoboom.zip A simple scanner for testing any game based on the Quake 3 engine. ####################################################################### ====== 4) Fix ====== Only the two Call of Duty games have been fixed with the 1.5b and 1.51b patches, all the others are still vulnerable. I have released an universal patcher that limits the amount of handled data in the queries from 1023 to 767 solving the problem in any game: http://aluigi.altervista.org/patches/q3infofix.zip (only in Heavy Metal: F.A.K.K.2 is needed to reduce the amount of handled data to less than 512 instead of 767) ####################################################################### --- Luigi Auriemma http://aluigi.altervista.org