ioQuake3 Remote shell injection

2011.08.06
Credit: Thilo Schulz
Risk: High
Local: No
Remote: Yes
CWE: CWE-20

Hello, Quake 3 is a popular online first person shooter developed by IDsoftware [1] that has been released in 1999 and is still widely played. After the release of the source code under the GPL, the ioQuake3 project [2] was started that is dedicated to maintaining the existing codebase. Several game projects are using a modified version of the ioQuake3 engine. Some of these projects are: - World of Padman [3] - Smokin' Guns [4] - OpenArena [5] - Tremulous [6] ======================================== Issue #1: Remote shell injection vulnerability on connecting clients ======================================== This bug has been discovered by /dev/humancontroller. Parts of the description here are also by him. * details If an ioQuake3 client for UNIX-like systems connects to a malicious id Tech 3 (Point Release 1.32 compatible) server, the server can force execution of arbitrary shell commands on the client's system. * CVE CVE-2011-1412 has been assigned for this issue. * severity high * affected OS All UNIXoid systems, except MacOSX: - Linux - FreeBSD - NetBSD - [...] Not affected: - Windows - MacOSX * games affected - IoQuake3 after revision 1773 and before 2097 - World of Padman 1.5.1 - OpenArena packaged by some Linux distributors Other game engines based on the ioQuake3 codebase, that have merged ioQuake3 revision 1773, but not 2097, are also vulnerable. * workaround No workaround. * proof of concept Launch an ioQuake3 game server. Set the fs_game cvar to "`echo TROLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOL OLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOL OLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOL OLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLOLO > trollme.txt`". Connect to the server with a recent ioQuake3 client for UNIX-like systems. The client should (after failing to create a directory with an overly long name) execute a shell command to write a file. * patches Several distributors have already been contacted and have prepared patches for their distributions. A sourcecode patch can be got here: http://thilo.tjps.eu/download/patches/ioq3-svn-r2097.diff ======================================== Issue #2: Malicious gamecode can Execute arbitrary code outside of Q3 Virtual Machine context ======================================== This bug has been discovered by /dev/humancontroller. * details The Quake3 engine uses game-specific code that is provided in a platform independent bytecode format. This code has restricted access to functionality provided by the engine. It should not be allowed access to data outside the VM context. Over the course of gameplay, the quake3 engine may dynamically load DLL files in certain configurations. For instance, if vm_ui is set to "0" quake3 tries to open a DLL file to load the game logic behind the user interface. Part of the functionality offered to VM logic is the possibility to write to files within the quake3 directory. By writing a malicious DLL file, a program residing in the VM could trigger the execution of code outside the VM context. To prevent this from happening, ioquake3 introduced a file extension check in r1499 which denied writing files with certain names. However, this check was broken and corrected in r2098 only. This security issue has been around for a long time even in the original quake3 engine and is not limited to ioquake3. It affects a wide range of commercial games as well. It is only exploitable if a user installs 3rd party addons from untrusted sources. Quake3 was never really designed to be secure against malicious 3rd party content, and probably isn't even in latest revisions of ioquake3. So downloading of untrusted content is still discouraged. * CVE CVE-2011-2764 has been assigned for this issue. * severity medium * affected OS All OS with dynamic linker * games affected All games using the quake3 engine * workaround Don't download and install untrusted addons. Set cl_allowdownload to 0 * patches Several distributors have already been contacted and have prepared patches for their distributions. A sourcecode patch can be got here: http://thilo.tjps.eu/download/patches/ioq3-svn-r2098.diff ======================================== Acknowledgements ======================================== Thanks to... ... /dev/humancontroller for reporting these bugs ... Simon McVittie for helping to coordinate the disclosure of this bug ======================================== References ======================================== [1] http://www.idsoftware.com [2] http://www.ioquake3.org [3] http://www.worldofpadman.com [4] http://www.smokin-guns.net/ [5] http://www.openarena.ws [6] http://www.tremulous.net -- Thilo Schulz -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.11 (GNU/Linux) iEYEABECAAYFAk4xXDYACgkQZx4hBtWQhl5cVQCgkjQahrLb5b0glKY0x2ejpU98 ojoAn0ChFOTjIEbOsG6SHho27xm2dZgf =dZSR -----END PGP SIGNATURE-----

References:

https://bugzilla.redhat.com/show_bug.cgi?id=725951
http://thilo.tjps.eu/download/patches/ioq3-svn-r2098.diff
http://svn.icculus.org/quake3?view=rev&revision=2098
http://xforce.iss.net/xforce/xfdb/68870
http://www.securityfocus.com/bid/48915
http://www.securityfocus.com/archive/12000/archive/1/519051/100/0/threaded
http://archives.neohapsis.com/archives/fulldisclosure/2011-07/0338.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top