OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
In-game players kicking in the Quake 3 engine

From: Luigi Auriemma (aluigiautistici.org)
Date: Sat Apr 02 2005 - 12:48:39 CST


#######################################################################

                             Luigi Auriemma

Application: Quake 3 engine
              http://www.idsoftware.com
Vulnerables: - Call of Duty <= 1.5
              - Call of Duty: United Offensive <= 1.51
              - Quake III Arena <= 1.32
              - Return to Castle Wolfenstein <= 1.41
              - Soldier of Fortune II: Double Helix <= 1.03
              - Star Wars Jedi Knight II: Jedi Outcast <= 1.04
              - Star Wars Jedi Knight: Jedi Academy <= 1.0.1.0
              - Wolfenstein: Enemy Territory <= 1.02 / 2.56
              ... possibly others
"Seem" safe: - Medal of Honor: Allied Assault (no effects)
              - Medal of Honor: Breakthrough
              - Medal of Honor: Spearhead
              - Star Trek Voyager: Elite Force (attacker only)
              - Star Trek: Elite Force II (attacker crash only)
              - Wolfenstein: Enemy Territory 2.60 (patched)
Platforms: Windows, Linux and Mac
Bug: bad handling of big commands/messages
Exploitation: remote, versus clients (in-game)
Date: 02 Apr 2005
Author: unknown, the bug has been reported to me by an admin of
              the game Return of Castle Wolfenstein
Advisory: Luigi Auriemma
              e-mail: aluigiautistici.org
              web: http://aluigi.altervista.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

The Quake 3 engine is the well known game engine developed by ID
Software (http://www.idsoftware.com) and is used by many games.

#######################################################################

======
2) Bug
======

This problem is enough known in the community of the Return to Castle
Wolfenstein and Enemy Territory games from many time (over one year),
and this second one is actually the only game to have an official patch
released just some weeks ago.

An interesting explanation of this bug and a method to fix it modifying
the source code of the vulnerable games (SDK) is available here:

  http://bani.anime.net/banimod/forums/viewtopic.php?p=27322

In short the problem is in how the engine handles the commands longer
than 1022 chars, in fact they are automatically truncated at that size
and the rest of the chars is handled as network data confusing the
engine.

If an attacker joins a server and sends a too big message any client in
the server will automatically disconnect showing the
"CL_ParseServerMessage: Illegible server message" error.

In some games or some of their older versions could happen also a
server crash, that's not caused by this bug but by other problems
explained in the following advisories:

  http://aluigi.altervista.org/adv/jamsgbof-adv.txt
  http://aluigi.altervista.org/adv/codmsgboom-adv.txt

Only in Soldier of Fortune II happens a clients crash instead of the
simple disconnection but the game supports only the vsay_team command
and so only the players in the same team of the attacker will be
crashed.

The problem is in-game so the attacker must have access to the server,
if it is protected by password and he doesn't know the keyword or his
IP/guid has been banned he cannot exploit the bug.

#######################################################################

===========
3) The Code
===========

- download the following file:
    http://aluigi.altervista.org/poc/q3msgboom.cfg
- place it in the base folder of your game (like baseq3, etmain, main,
  base and so on)
- start a client and a server or, if possible, more clients to test
  better the effects of the bug
- join the server
- go into the console of a client (~ key or shift + ~)
- type: /exec q3msgboom
- any client in the server will disconnect immediately.
  If nothing happens or the vsay command is not supported, modify the
  q3msgboom.cfg file using other commands like say or vsay_team.
  Jedi Knight II needs that the script is executed some times before
  seeing the effects.

#######################################################################

======
4) Fix
======

Currently only Enemy Territory 2.60 is officially fixed.

I have tried many times in these last weeks to find an universal way
to fix the bug but I had no luck, in fact the method suggested by
Banimod (http://bani.anime.net/banimod/forums/viewtopic.php?p=27322) is
ok but requires the recompilation of the SDK (where available).

Anyway the function to modify is located in the "game" code (the name
of a specific portion of the engine) that some games have built as a
DLL while others as a QVM file (harder to fix and zipped in the pk3
packages) and then the binary pattern of the function changes a lot
from game to game moreover because changes the G_SEND_SERVER_COMMAND
value, so a binary fix based on the previously metioned patch is not
possible.

#######################################################################

---
Luigi Auriemma
http://aluigi.altervista.org