Multiple Vulnerabilities in Quake II Server
===========================================
Product: Quake II
Version: Tested on 3.2x, likely all
 Vendor: id Software (http://www.idsoftware.com/)
   Date: 2004-10-27
   Risk: High (possible remote code execution)
    URL: http://secur1ty.net/advisories/001

Background
==========
Quake  II is  a multiplayer  game featuring  around 750  active  servers
online.  Quake  II   was  open  sourced   in  December  2001   and  many
modifications have since been made.

As the Quake  II engine is  available for commercial  licensing, some of
these  issues may  affect other  games based  on the  Quake II   engine,
including (but not limited to):

 * Anachronox
 * Daikatana
 * Heretic II
 * Kingpin: Life of Crime
 * Soldier of Fortune
 * Sin

Source: http://en.wikipedia.org/wiki/Quake_II

Issues
======
Due to unchecked input at various stages in the server, remote users are
able to  cause  the  server to   crash, reveal sensitive  information or
potentially execute arbitrary code.

Problem #1 - Array bounds error
===============================
During the connection process the client fetches Configstrings and
Baselines in batches, sending the server the offset of the array entry
at which it wants each batch to start. No check ensures that this
offset is not negative, so a negative offset makes the server read
before the start of the array and die with an access violation.
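The check the server needs, as an added example (not id Software's code
and not part of the original advisory): the client-supplied offset is
parsed with full error checking, rejected when negative or past the end
of the table, and the send loop is only entered with a validated index.
MAX_CONFIGSTRINGS and MAX_QPATH are the engine's constants; the table
contents and the message budget are assumptions for the demonstration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not id Software's code.  MAX_CONFIGSTRINGS and MAX_QPATH
 * are the Quake II constants; the table contents are constructed sample
 * data standing in for sv.configstrings. */
#define MAX_CONFIGSTRINGS 2080
#define MAX_QPATH         64

static const char configstrings[MAX_CONFIGSTRINGS][MAX_QPATH] = {
    [0]    = "base1",
    [1]    = "Outer Base",
    [2079] = "last entry",
};

/* Parse the offset the client sent with "configstrings <count> <start>".
 * Returns 0 and stores the offset, or -1 if the value is malformed,
 * negative or past the end of the array.  atoi() cannot report "abc" or
 * an overflowing number, so strtol with full error checking is used. */
int parse_start_offset(const char *arg, int *out)
{
    char *end;
    long v;

    if (arg == NULL || *arg == '\0')
        return -1;
    errno = 0;
    v = strtol(arg, &end, 10);
    if (errno != 0 || *end != '\0')      /* overflow or trailing junk */
        return -1;
    if (v < 0 || v >= MAX_CONFIGSTRINGS) /* the lower bound is what 3.2x lacked */
        return -1;
    *out = (int)v;
    return 0;
}

/* Walk the table from the requested offset the way the real send loop
 * does, stopping when the message budget is used up.  Returns the number
 * of non-empty strings that would be sent, or -1 when the offset is
 * rejected (the server should then drop the client rather than index). */
int send_configstrings(const char *arg, size_t budget)
{
    int start, sent = 0;
    size_t used = 0;

    if (parse_start_offset(arg, &start) != 0)
        return -1;
    for (; start < MAX_CONFIGSTRINGS && used < budget; start++) {
        if (configstrings[start][0] == '\0')
            continue;
        used += strlen(configstrings[start]) + 1; /* plus terminator */
        sent++;
    }
    return sent;
}

int main(void)
{
    printf("start 0    -> %d strings\n", send_configstrings("0", 700));
    printf("start 2079 -> %d strings\n", send_configstrings("2079", 700));
    printf("start -1   -> %d (rejected)\n", send_configstrings("-1", 700));
    printf("start abc  -> %d (rejected)\n", send_configstrings("abc", 700));
    return 0;
}
```

A rejected offset is a protocol violation rather than a recoverable
condition, so a real server would drop the client at that point instead
of clamping the value and continuing.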

Problem #2 - Buffer overflow when parsing packets
=================================================
Upon receiving a command packet, the server splits it into cmd_args
(everything after the command name) and an array, cmd_argv, so that
command handlers can easily access their parameters. The buffer that
holds cmd_args is only 1024 bytes, while the maximum packet size is in
the 1400+ byte range. The string length is not checked before the copy
into cmd_args, so an over-long command overflows the buffer.

Depending on the system architecture exploitation may be possible, but
it is limited by the fact that cmd_args is a static buffer in the data
section of the executable rather than on the stack, so what an attacker
can overwrite is whatever the linker placed after it. A typical overflow
corrupts the cmd_functions pointer, and the next command the server
processes then crashes it. The attack does not require connecting to the
server and needs only a single UDP packet, so the source address can be
spoofed.
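The unbounded copy beside a bounded replacement, as an added example
(not id Software's code and not part of the original advisory): cmd_args
is limited to MAX_STRING_CHARS (1024) as in the engine, and the 1400-byte
command is constructed to match the packet size the advisory cites. The
token count and per-token size are also capped, and truncation is
reported so the caller can discard the packet.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not id Software's code.  MAX_STRING_CHARS (1024) and
 * MAX_STRING_TOKENS (80) are the Quake II limits; the 1400-byte packet is
 * the size the advisory cites and is constructed below. */
#define MAX_STRING_CHARS  1024
#define MAX_STRING_TOKENS 80
#define MAX_TOKEN_CHARS   128

typedef struct {
    int  argc;
    char argv[MAX_STRING_TOKENS][MAX_TOKEN_CHARS];
    char args[MAX_STRING_CHARS];  /* everything after the command name */
    int  truncated;               /* set when input had to be dropped */
} cmd_t;

/* The pattern the advisory describes: the rest of the packet is copied
 * into a fixed 1024-byte buffer with no length check, so a 1400-byte
 * command writes past the end into whatever follows in .data/.bss. */
void tokenize_unsafe(cmd_t *cmd, const char *text)
{
    const char *p = text;
    while (*p && *p != ' ') p++;  /* skip the command name */
    while (*p == ' ') p++;
    strcpy(cmd->args, p);         /* BUG: unbounded copy */
}

/* Hardened version: every copy is bounded by its destination, the token
 * count is capped, and truncation is reported so the server can discard
 * the packet instead of acting on a silently trimmed command. */
void tokenize_safe(cmd_t *cmd, const char *text)
{
    const char *p = text;
    size_t n;

    memset(cmd, 0, sizeof *cmd);

    while (*p && *p != ' ') p++;
    while (*p == ' ') p++;
    n = strlen(p);
    if (n >= sizeof cmd->args) {
        n = sizeof cmd->args - 1;
        cmd->truncated = 1;
    }
    memcpy(cmd->args, p, n);
    cmd->args[n] = '\0';

    for (p = text; *p; ) {
        const char *start;
        while (*p == ' ') p++;
        if (!*p) break;
        if (cmd->argc >= MAX_STRING_TOKENS) { cmd->truncated = 1; break; }
        start = p;
        while (*p && *p != ' ') p++;
        n = (size_t)(p - start);
        if (n >= MAX_TOKEN_CHARS) { n = MAX_TOKEN_CHARS - 1; cmd->truncated = 1; }
        memcpy(cmd->argv[cmd->argc], start, n);
        cmd->argv[cmd->argc][n] = '\0';
        cmd->argc++;
    }
}

/* Build the advisory's worst case: "say " followed by 1400 bytes of payload
 * (constructed sample; `buf` must hold at least 1405 bytes). */
void build_oversize_command(char *buf)
{
    memcpy(buf, "say ", 4);
    memset(buf + 4, 'A', 1400);
    buf[1404] = '\0';
}

/* Small accessors so results can be checked without touching the struct. */
int    safe_argc(const char *t)      { cmd_t c; tokenize_safe(&c, t); return c.argc; }
int    safe_truncated(const char *t) { cmd_t c; tokenize_safe(&c, t); return c.truncated; }
size_t safe_args_len(const char *t)  { cmd_t c; tokenize_safe(&c, t); return strlen(c.args); }
static void oversize(cmd_t *c) { char big[1500]; build_oversize_command(big); tokenize_safe(c, big); }
size_t oversize_args_len(void)  { cmd_t c; oversize(&c); return strlen(c.args); }
int    oversize_truncated(void) { cmd_t c; oversize(&c); return c.truncated; }
int    oversize_argc(void)      { cmd_t c; oversize(&c); return c.argc; }

int main(void)
{
    cmd_t c;
    tokenize_safe(&c, "say hello world");
    printf("argc=%d argv[1]=%s args=\"%s\"\n", c.argc, c.argv[1], c.args);
    printf("oversize: argc=%d args_len=%zu truncated=%d\n",
           oversize_argc(), oversize_args_len(), oversize_truncated());
    /* tokenize_unsafe(&c, <oversize>) would write 1401 bytes into c.args[1024]. */
    return 0;
}
```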

Problem #3 - Win32 server auto downloading allows leak
             of sensitive files
======================================================
Quake II allows clients to download content they need in order to play,
such as custom maps, from the server. However, the server does not
sufficiently verify the path the client supplies. Because Win32 also
accepts the backslash as a path separator, a command such as
"download \/server.cfg" passes the server's path checks yet results in
the server sending server.cfg from the mod directory, a file that would
not normally be downloadable.

Problem #4 - Linux server auto downloading DoS
==============================================
Linux behaves differently from Win32 when a file open is attempted on a
directory: the open succeeds and only the subsequent read fails. Due to
insufficient checking of the path, a command such as "download /maps/"
makes the server open the maps directory as if it were a file and shut
down when it cannot read any data from it.
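A path validator covering both Problem #3 and Problem #4, as an added
example (not id Software's code and not part of the original advisory):
backslashes are treated as separators the way Win32 does, so
"\/server.cfg" is rejected, and a trailing separator or any empty
component is rejected so that "/maps/" never reaches the file opener; a
POSIX stat() check then refuses anything that is not a regular file. The
allow_download_* per-type switches of the real server are left out.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Added example, not id Software's code.  It encodes the checks a download
 * handler needs on both platforms: treat '\\' as a separator the way Win32
 * does, forbid drive letters, empty components and any component starting
 * with '.', require a subdirectory, and refuse a trailing separator so a
 * directory is never handed to the file opener. */
#define MAX_QPATH 64

/* Returns 1 if `name` is an acceptable relative download path, 0 if not. */
int download_path_ok(const char *name)
{
    size_t len, i, comp_len;
    const char *comp;
    int seps = 0;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len >= MAX_QPATH)
        return 0;
    if (strchr(name, ':') != NULL)            /* C:\..., NTFS streams */
        return 0;

    comp = name;
    for (i = 0; i <= len; i++) {
        char c = name[i];
        if (c != '/' && c != '\\' && c != '\0')
            continue;
        comp_len = (size_t)(name + i - comp);
        if (comp_len == 0)                    /* leading, doubled or trailing sep */
            return 0;
        if (comp[0] == '.')                   /* ".", ".." and hidden files */
            return 0;
        if (c != '\0')
            seps++;
        comp = name + i + 1;
    }
    return seps > 0;                          /* must be inside a subdirectory */
}

/* Second line of defence for the Linux case: on POSIX fopen() happily
 * opens a directory and only the read fails, so check the file type
 * before serving anything.  Returns 1 for a regular file, 0 otherwise. */
int is_regular_file(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) ? 1 : 0;
}

int main(void)
{
    const char *tests[] = {
        "maps/q2dm1.bsp",      /* ok */
        "maps\\q2dm1.bsp",     /* ok, backslash treated as a separator */
        "\\/server.cfg",       /* Problem #3 */
        "/maps/",              /* Problem #4 */
        "maps/",               /* directory */
        "maps/../server.cfg",  /* traversal */
        "server.cfg",          /* not in a subdirectory */
    };
    size_t i;
    for (i = 0; i < sizeof tests / sizeof tests[0]; i++)
        printf("%-22s -> %s\n", tests[i],
               download_path_ok(tests[i]) ? "allowed" : "rejected");
    printf("\".\" is a regular file: %d\n", is_regular_file("."));
    return 0;
}
```

Validating the name is necessary but not sufficient: the stat() check is
what stops a directory (or a device node) that slips through a future
path rule from being opened and read as if it were a map file.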

Problem #5 - Fake clients DoS
=============================
Due to high timeout values and no limit on connections from a single IP,
it is possible to make the Quake II server refuse legitimate connections
by filling it with "fake" clients. Only two UDP packets need to be sent
to initiate a connection, which then occupies a player slot for up to
two minutes (the default timeout). As no per-IP limiting is done, a
single 56k modem user could easily occupy 40+ client slots this way.

Reference: http://aluigi.altervista.org/fakep.htm

Problem #6 - IP Spoofing
========================
The Quake II client constructs a string known as the userinfo that
contains key/value pairs of important settings such as the player name
and skin. When the server reads the client's userinfo it inserts a new
key/value pair, "ip", holding the client's IP address so that mods can
see the client IP by looking at the userinfo.

It is possible to construct a client userinfo string large enough that
a key/value pair will be truncated. By also inserting a key called "ip",
a client can trick a mod into reading the wrong IP from the userinfo.
Since it is the responsibility of mods to ban users from the server, a
malicious user can thereby evade any bans on the server.
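How a near-full userinfo defeats the server's "ip" insertion, and a
hardened setter, as an added example (not id Software's code and not
part of the original advisory). The naive setter is modelled on the
classic remove-first-then-append-if-it-fits pattern, which is an
assumption about the engine; the hostile userinfo, the forged address
10.0.0.1 and the real address 203.0.113.7 are constructed sample data.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not id Software's code.  The naive policy below is an
 * assumption modelled on the classic Info_SetValueForKey pattern: remove
 * the first existing copy of the key, then append only if the result
 * fits in MAX_INFO_STRING, otherwise give up silently. */
#define MAX_INFO_STRING 512

/* Value for `key` in a "\key\value\key\value" string; the first match
 * wins, as in the engine.  Returns "" when the key is absent. */
const char *info_value(const char *s, const char *key)
{
    static char value[MAX_INFO_STRING];
    const char *k, *v;
    size_t kl, vl;

    while (*s == '\\') {
        k = ++s;
        while (*s && *s != '\\') s++;
        kl = (size_t)(s - k);
        if (*s != '\\')
            break;                              /* key with no value */
        v = ++s;
        while (*s && *s != '\\') s++;
        vl = (size_t)(s - v);
        if (kl == strlen(key) && memcmp(k, key, kl) == 0) {
            if (vl >= sizeof value) vl = sizeof value - 1;
            memcpy(value, v, vl);
            value[vl] = '\0';
            return value;
        }
    }
    return "";
}

/* Cut "\key\value" pairs out of `s` in place: the first match only when
 * `all` is 0 (the classic behaviour), every match when `all` is 1. */
void info_remove_key(char *s, const char *key, int all)
{
    char *p = s;
    while (*p == '\\') {
        char *start = p, *k = ++p;
        size_t kl;
        while (*p && *p != '\\') p++;
        kl = (size_t)(p - k);
        if (*p != '\\')
            break;
        p++;
        while (*p && *p != '\\') p++;           /* skip the value */
        if (kl == strlen(key) && memcmp(k, key, kl) == 0) {
            memmove(start, p, strlen(p) + 1);
            p = start;
            if (!all)
                return;
        }
    }
}

/* Insert the server's authoritative value.  Returns 0 on success, -1 if
 * it did not fit.  With strip_all = 0 a second client-supplied copy of
 * the key survives and the append fails on a near-full string; with
 * strip_all = 1 every forged copy is removed first, and -1 then means
 * the client should be refused rather than left with a forged key. */
int info_set(char *s, const char *key, const char *value, int strip_all)
{
    char pair[MAX_INFO_STRING];
    info_remove_key(s, key, strip_all);
    snprintf(pair, sizeof pair, "\\%s\\%s", key, value);
    if (strlen(s) + strlen(pair) >= MAX_INFO_STRING)
        return -1;                              /* "Info string length exceeded" */
    strcat(s, pair);
    return 0;
}

/* Constructed hostile userinfo: two forged "ip" keys plus padding that
 * brings the string to two bytes short of the limit. */
void build_hostile_userinfo(char *buf)
{
    size_t n;
    strcpy(buf, "\\name\\player\\ip\\10.0.0.1\\ip\\10.0.0.1\\pad\\");
    n = strlen(buf);
    memset(buf + n, 'x', MAX_INFO_STRING - 2 - n);
    buf[MAX_INFO_STRING - 2] = '\0';
}

/* Simulate the connect path under either policy (real address
 * 203.0.113.7): the insert result, and what a mod then reads as "ip". */
int insert_result(int strip_all)
{
    char userinfo[MAX_INFO_STRING];
    build_hostile_userinfo(userinfo);
    return info_set(userinfo, "ip", "203.0.113.7", strip_all);
}
const char *ip_seen_by_mod(int strip_all)
{
    static char userinfo[MAX_INFO_STRING];
    build_hostile_userinfo(userinfo);
    info_set(userinfo, "ip", "203.0.113.7", strip_all);
    return info_value(userinfo, "ip");
}

int main(void)
{
    printf("naive:    insert=%d ip=%s\n", insert_result(0), ip_seen_by_mod(0));
    printf("hardened: insert=%d ip=%s\n", insert_result(1), ip_seen_by_mod(1));
    return 0;
}
```

The deeper fix is for the game DLL not to trust the userinfo for the
address at all, but since mods only see the userinfo, the server must at
least guarantee that the "ip" key it writes is the only one present.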

Problem #7 - Damage of client state structure
=============================================
A client that does not properly issue a disconnect command remains
connected to the server even after supposedly disconnecting. When that
client reconnects, the server looks for the slot previously allocated to
it and re-uses it, without checking whether the slot is truly no longer
in use. The old client state is overwritten without notifying the mod,
so client cleanup code does not run, leading to inconsistent player
counts amongst other mod-specific issues.

Problem #8 - Local buffer overflows
===================================
A number of functions designed to be executed from the server console or
rcon do not properly check buffer sizes, resulting in a crash. However,
since these can only be triggered by someone with direct access to the
server, they are a low threat.

I would also like to remind  server admins that the original version  of
the Quake II server (still in use by approximately 260 servers according
to the All-Seeing Eye) has even  larger risks as it is trivial  to steal
the rcon  password and  perform actions  as if  you were  at the  server
console, including browsing of the host system directory structure.

Reference: http://seclists.org/lists/bugtraq/2002/May/0127.html

Vendor Response
===============
As the product is  now open source, it  is not expected that  the vendor
will release any official updates. Previous vulnerabilities in Quake  II
have not warranted any vendor response.

Workaround
==========
Disabling auto downloading (allow_download 0) mitigates the download
problems (#3 and #4), but most of the issues listed cannot be worked
around.

Fix
===
It is  strongly recommended  that any  Quake II  server operators use an
updated  Quake   II  binary   to  fix   these  issues.   At present, the
only known   client/server modification  which  contains  fixes  for all
these issues is R1Q2, available at http://www.r1ch.net/stuff/r1q2/

Credits
=======
Thanks to posters on the  QuakeSrc.org message boards for bringing  some
of these issues to light.

Richard Stanway
http://www.r1ch.net/