Bugtraq mailing list archives

ADV: Quake 3 Arena 1.29f/g Vulnerability

From: "The Tree of Life" <drttol () hotmail com>
Date: Mon, 30 Jul 2001 18:49:09 -0400

--------------------------------------
:: Q30wnerz Advisory v1.0 - PUBLIC
::         written by ttol
--------------------------------------
:: Quake 3 Arena 1.29f/g Vulnerability
--------------------------------------

-----------
:: Summary
-----------

There exists a very large hole in Quake 3
Arena, version 1.29f and 1.29g (the latest,
1.29g which got released just under a week
ago).

The hole is not fixable in any way by
the user, and most of the servers that
are up (thousands of them) are vulnerable.
To have this hole fixed, a PR (point
release) will have to be given to the
public by iD Software.

Point Releases will show up at:
http://www.quake3world.com

--------------------
:: Affected Products
--------------------

The following versions of Quake 3 Arena are
vulnerable to this specific attack:

o Quake 3 Arena 1.29f
o Quake 3 Arena 1.29g

----------
:: Details
----------

As a result of a previous Q30wnerz-discovered
vulnerability, iD Software had to redesign the
protocol, closing up the previous vulnerability.

However, we have discovered a new one which
segment faults the servers cleanly (it gives back
the memory it had taken before, which is a lot
since Quake 3 is a memory hog).  If the server
is logging, it will segment fault before it has
a chance to append it to the log file.

The exploitation occurs when initiated a connect
sequence at the server's port, and sending the
following:

ÿÿÿÿconnectre

Those four Y's with the dots on them are char(255)'s.

The server at this point will die, and will remain
down until the process has been restarted.

The Linux version for this (one server at a time):

perl -wle 'printf("%c%c%c%c%s",255,255,255,255,"connectre")' | nc -u 1.1.1.127960


Replace 1.1.1.1 with the server's ip.

The Windows binary version can be downloaded at:
http://www.gamenet.nu/cheats

---------
:: Impact
---------

At this point, our proof of concept binary only
supports one server at a time.  That means it will
only allow the user to demonstrate on one server.

One can only imagine how this will carry out if
someone else took it in their hands to cull the
master list and sequentially try it (it only takes
a few nanoseconds to send the offending string).

--------------
:: Workarounds
--------------

iD Software at this point has not released a working
Point Release that prevents this.

A quick way to ensure that your server will be up
is to revert back to 1.17.

-------------------
:: Acknowledgements
-------------------

o iD Software (www.idsoftware.com) for making such a
 beautiful game.
o ttol (that's me!) for...being the ladie's man and
 also coding and perfecting this
o Coolest for discovering this initially


_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp

Current thread:

ADV: Quake 3 Arena 1.29f/g Vulnerability The Tree of Life (Jul 30)
- Quake 3 Arena 1.29f/g Vulnerability Linux Version, C Source. defrag (Jul 30)