what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Quake 3 Shell Injection / Code Execution

Quake 3 Shell Injection / Code Execution
Posted Jul 29, 2011
Authored by Thilo Schulz

Multiple games using the Quake engine suffer from remote shell injection and code execution vulnerabilities.

tags | exploit, remote, shell, vulnerability, code execution
advisories | CVE-2011-1412, CVE-2011-2764
SHA-256 | 40d5a0eda94f7c3b08a03211b96c36f7794a9900ae0eccda97964850b880b469

Quake 3 Shell Injection / Code Execution

Change Mirror Download
Hello,

Quake 3 is a popular online first person shooter developed by IDsoftware [1]
that has been released in 1999 and is still widely played.
After the release of the source code under the GPL, the ioQuake3 project [2]
was started that is dedicated to maintaining the existing codebase.

Several game projects are using a modified version of the ioQuake3 engine.
Some of these projects are:

- World of Padman [3]
- Smokin' Guns [4]
- OpenArena [5]
- Tremulous [6]

========================================
Issue #1:

Remote shell injection vulnerability on connecting clients
========================================

This bug has been discovered by /dev/humancontroller. Parts of the
description here are also by him.

* details

If an ioQuake3 client for UNIX-like systems connects to a malicious id Tech
3 (Point Release 1.32 compatible) server, the server can force execution of
arbitrary shell commands on the client's system.

* CVE

CVE-2011-1412 has been assigned for this issue.

* severity

high

* affected OS

All UNIXoid systems, except MacOSX:
- Linux
- FreeBSD
- NetBSD
- [...]

Not affected:
- Windows
- MacOSX

* games affected

- IoQuake3 after revision 1773 and before 2097
- World of Padman 1.5.1
- OpenArena packaged by some Linux distributors

Other game engines based on the ioQuake3 codebase, that have merged ioQuake3
revision 1773, but not 2097, are also vulnerable.

* workaround

No workaround.

* proof of concept

Launch an ioQuake3 game server. Set the fs_game cvar to "`echo
TROLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLO
> trollme.txt`". Connect to the server with a recent ioQuake3 client for
UNIX-like systems. The client should (after failing to create a directory
with an overly long name) execute a shell command to write a file.

* patches

Several distributors have already been contacted and have prepared patches
for their distributions.
A sourcecode patch can be got here:

http://thilo.tjps.eu/download/patches/ioq3-svn-r2097.diff

========================================
Issue #2:

Malicious gamecode can Execute arbitrary code outside of
Q3 Virtual Machine context
========================================

This bug has been discovered by /dev/humancontroller.

* details

The Quake3 engine uses game-specific code that is provided in a platform
independent bytecode format. This code has restricted access to
functionality provided by the engine. It should not be allowed access to
data outside the VM context.
Over the course of gameplay, the quake3 engine may dynamically load DLL
files in certain configurations. For instance, if vm_ui is set to "0" quake3
tries to open a DLL file to load the game logic behind the user interface.

Part of the functionality offered to VM logic is the possibility to write to
files within the quake3 directory. By writing a malicious DLL file, a
program residing in the VM could trigger the execution of code outside the VM
context.
To prevent this from happening, ioquake3 introduced a file extension check
in r1499 which denied writing files with certain names. However, this check
was broken and corrected in r2098 only.

This security issue has been around for a long time even in the original
quake3 engine and is not limited to ioquake3.
It affects a wide range of commercial games as well. It is only exploitable
if a user installs 3rd party addons from untrusted sources.
Quake3 was never really designed to be secure against malicious 3rd party
content, and probably isn't even in latest revisions of ioquake3. So
downloading of untrusted content is still discouraged.

* CVE

CVE-2011-2764 has been assigned for this issue.

* severity

medium

* affected OS

All OS with dynamic linker

* games affected

All games using the quake3 engine

* workaround

Don't download and install untrusted addons. Set cl_allowdownload to 0

* patches

Several distributors have already been contacted and have prepared patches
for their distributions.
A sourcecode patch can be got here:

http://thilo.tjps.eu/download/patches/ioq3-svn-r2098.diff

========================================
Acknowledgements
========================================

Thanks to...

... /dev/humancontroller for reporting these bugs

... Simon McVittie for helping to coordinate the disclosure of this bug

========================================
References
========================================

[1] http://www.idsoftware.com
[2] http://www.ioquake3.org
[3] http://www.worldofpadman.com
[4] http://www.smokin-guns.net/
[5] http://www.openarena.ws
[6] http://www.tremulous.net

--
Thilo Schulz
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close