OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: The Tree of Life (drttolhotmail.com)
Date: Mon Jul 30 2001 - 17:49:09 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    --------------------------------------
    :: Q30wnerz Advisory v1.0 - PUBLIC
    :: written by ttol
    --------------------------------------
    :: Quake 3 Arena 1.29f/g Vulnerability
    --------------------------------------

    -----------
    :: Summary
    -----------

    There exists a very large hole in Quake 3
    Arena, version 1.29f and 1.29g (the latest,
    1.29g which got released just under a week
    ago).

    The hole is not fixable in any way by
    the user, and most of the servers that
    are up (thousands of them) are vulnerable.
    To have this hole fixed, a PR (point
    release) will have to be given to the
    public by iD Software.

    Point Releases will show up at:
    http://www.quake3world.com

    --------------------
    :: Affected Products
    --------------------

    The following versions of Quake 3 Arena are
    vulnerable to this specific attack:

    o Quake 3 Arena 1.29f
    o Quake 3 Arena 1.29g

    ----------
    :: Details
    ----------

    As a result of a previous Q30wnerz-discovered
    vulnerability, iD Software had to redesign the
    protocol, closing up the previous vulnerability.

    However, we have discovered a new one which
    segment faults the servers cleanly (it gives back
    the memory it had taken before, which is a lot
    since Quake 3 is a memory hog). If the server
    is logging, it will segment fault before it has
    a chance to append it to the log file.

    The exploitation occurs when initiated a connect
    sequence at the server's port, and sending the
    following:

    ˙˙˙˙connectre

    Those four Y's with the dots on them are char(255)'s.

    The server at this point will die, and will remain
    down until the process has been restarted.

    The Linux version for this (one server at a time):

    perl -wle 'printf("%c%c%c%c%s",255,255,255,255,"connectre")' | nc -u 1.1.1.1
    27960

    Replace 1.1.1.1 with the server's ip.

    The Windows binary version can be downloaded at:
    http://www.gamenet.nu/cheats

    ---------
    :: Impact
    ---------

    At this point, our proof of concept binary only
    supports one server at a time. That means it will
    only allow the user to demonstrate on one server.

    One can only imagine how this will carry out if
    someone else took it in their hands to cull the
    master list and sequentially try it (it only takes
    a few nanoseconds to send the offending string).

    --------------
    :: Workarounds
    --------------

    iD Software at this point has not released a working
    Point Release that prevents this.

    A quick way to ensure that your server will be up
    is to revert back to 1.17.

    -------------------
    :: Acknowledgements
    -------------------

    o iD Software (www.idsoftware.com) for making such a
      beautiful game.
    o ttol (that's me!) for...being the ladie's man and
      also coding and perfecting this
    o Coolest for discovering this initially

    _________________________________________________________________
    Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp