OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Multiple Vulnerabilites in Quake II Server

From: Richard Stanway (bugtraqsecur1ty.net)
Date: Wed Oct 27 2004 - 07:18:06 CDT


Multiple Vulnerabilites in Quake II Server
==========================================
Product: Quake II
Version: Tested on 3.2x, likely all
 Vendor: iD Software (http://www.idsoftware.com/)
   Date: 2004-10-27
   Risk: High (possible remote code execution)
    URL: http://secur1ty.net/advisories/001

Background
==========
Quake II is a multiplayer game featuring around 750 active servers
online. Quake II was open sourced in December 2001 and many
modifications have since been made.

As the Quake II engine is available for commercial licensing, some of
these issues may affect other games based on the Quake II engine,
including (but not limited to):

 * Anachronox
 * Daikatana
 * Heretic II
 * Kingpin: Life of Crime
 * Soldier of Fortune
 * Sin

Source: http://en.wikipedia.org/wiki/Quake_II

Issues
======
Due to unchecked input at various stages in the server, remote users are
able to cause the server to crash, reveal sensitive information or
potentially execute arbitrary code.

Problem #1 - Array bounds error
===============================
During the processing of Configstrings and Baselines used during the
connection process, the Quake II client is expected to send the offset
of the array it wants to receive. However, no checking is done to
ensure that this offset is not negative, resulting in an access
violation when the server attempts to read this memory.

Problem #2 - Buffer overflow when parsing packets
=================================================
Upon receiving a command packet, the server will attempt to split it
into chunks such as cmd_args (everything after the function name), and
generating an array called cmd_argv so that functions can easily
access parameters of the command. The buffer designed to hold cmd_args
is only 1024 bytes while the maximum packet size is in the 1400+ bytes
range. No checks are made to verify the string length before it is
copied into the cmd_args buffer, resulting in a buffer overflow.

Depending on the system architecture exploitation may be possible, but
is limited by the fact that cmd_args resides in the data section of the
executable. A typical overflow will corrupt the cmd_functions pointer,
causing execution of further commands to crash the server. This attack
can be performed without having to connect to the Quake II server and
requires only a single UDP packet which may allow for source address
spoofing.

Problem #3 - Win32 server auto downloading allows leak
             of sensitive files
======================================================
Quake II allows users to download content from the server that they need
to play, such as custom maps. However the server does not perform enough
verification on the path supplied by the client for downloading. Due to
the nature of Win32 paths, it is possible to specify for example,
"download \/server.cfg" as a command which will result in the server
sending the file server.cfg from the mod directory which would not
normally be allowed.

Problem #4 - Linux server auto downloading DoS
==============================================
Linux behaves differently to Win32 when a file open operation is
attempted on a directory. Due to insufficient checking of the path, it
is possible to send a command such as "download /maps/" which will
result in the server opening the maps directory and subsequently
shutting down when it cannot read data from it.

Problem #5 - Fake clients DoS
=============================
Due to high timeout values and no limit of connections from a single IP,
it is possible to cause the Quake II server to refuse legitimate
connections by filling it with "fake" clients. Only 2 UDP packets need
to be sent to initiate a connection, which will then occupy a player
slot and take up to 2 minutes by default to time out. As no limiting per
IP is done, a single 56k modem user could easily occupy 40+ client slots
using this method.

Reference: http://aluigi.altervista.org/fakep.htm

Problem #6 - IP Spoofing
========================
The Quake II client constructs a string known as the userinfo that
contains key/value pairs of important settings, such as the player
name, skin, etc. When the server reads the client's userinfo it
inserts a new key/value pair called "ip" with the client's IP address
to allow mods to see the client IP when they look at the userinfo.

It is possible to construct a client userinfo string large enough so
that a key/value pair will be truncated. By then inserting a key
called "ip", it is possible to trick a mod into reading the wrong
IP from the userinfo. Since it is the responsibility of mods to ban
users from the server, a malicious user can evade any bans on the
server.

Problem #7 - Damage of client state structure
=============================================
By not properly issuing a disconnect command, a client can remain
connected to a server even after supposedly disconnecting. When the
client reconnects, the server will try to find a slot that was
previously allocated to that client and re-use it. However no check
is done to ensure that this slot is truly no longer in use, resulting
in overwriting of any old client state without notifying the mod
which can result in client cleanup code not running and inconsistent
player counts amongst other mod-specific issues.

Problem #8 - Local buffer overflows
===================================
A number of functions designed to be executed from the server console or
rcon do not properly check buffer sizes, resulting in a crash. However
since these can only be exploited from someone with direct access to the
server, they are a low threat.

I would also like to remind server admins that the original version of
the Quake II server (still in use by approximately 260 servers according
to the All-Seeing Eye) has even larger risks as it is trivial to steal
the rcon password and perform actions as if you were at the server
console, including browsing of the host system directory structure.

Reference: http://seclists.org/lists/bugtraq/2002/May/0127.html

Vendor Response
===============
As the product is now open source, it is not expected that the vendor
will release any official updates. Previous vulnerabilities in Quake II
have not warranted any vendor response.

Workaround
==========
Disabling auto downloading (allow_download 0) will mitigate some
threats, but most of the issues listed cannot be worked around.

Fix
===
It is strongly recommended that any Quake II server operators use an
updated Quake II binary to fix these issues. At present, the
only known client/server modification which contains fixes for all
these issues is R1Q2, available at http://www.r1ch.net/stuff/r1q2/

Credits
=======
Thanks to posters on the QuakeSrc.org message boards for bringing some
of these issues to light.

Richard Stanway
http://www.r1ch.net/