Date: Fri, 22 Jan 1999 19:48:26 +0100
From: Patrick Oonk
To: BUGTRAQ@netspace.org
Subject: More Quake2 buffer overflows and nuisances

This was forwarded to me by Roderick van Domburg, Quake II admin at GamePoint
(www.gamepoint.net)

----- Forwarded message from Roderick 'GoG' van Domburg -----

From gog@gamepoint.net Fri Jan 22 19:40:42 1999
Message-ID: <001501be4637$08817500$0200000a@roderick>
From: "Roderick 'GoG' van Domburg"
To:
Subject: Quake2 Buffer Overflows
Date: Fri, 22 Jan 1999 19:42:58 +0100
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3155.0
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3155.0

This information I collected not only from my own experiences, but with a lot
of help from the q2-serverlist and Kai Kenner "L-Fire" as well. With all four
of them a buffer overflow seems to be the issue.

The first two bugs reside in id's CTF 1.02 source code, on which basically any
CTF mod I can think of, save for LM CTF, is based. From what I know, L-Fire CTF
1.04 and the upcoming 3Team CTF 1.20 (will) have this fixed, possibly others as
well.

The first bug seems to have been discovered just recently and unfortunately
it's already public. It's being circulated on IRC channels and is being used to
crash Quake2 servers. L-Fire's CTF server YYZ-1 was crashed twice, which is how
we were first made aware of the bug. Because it's a buffer overflow bug, some
people have also been trying to exploit it to violate system security.

A client can crash the server by doing a say_team chat with many say_team macro
expansions (using %L for example). If someone does a say_team with 50 %L
(say_team "%L%L%L%L%L%L%L%L%L%L%L%L%L%L%..."), the server will crash.

This bug is in the function CTFSay_Team (file g_ctf.c). The function builds a
string by expanding the % macros, then it iterates through the clients and
sends the string to each client. If the string is too big the server crashes.
In the function Cmd_Say_f (file g_cmds.c), there is the following statement
and comment:

    // don't let text be too long for malicious reasons
    if (strlen(text) > 150)
        text[150] = 0;

Cmd_Say_f limits the chat text to 150 characters to avoid various problems.
CTFSay_Team does not restrict the chat text and this ultimately causes
problems. You could of course also implement a sanity check, detecting any
superfluous chat macros, but that would involve a great deal of CPU usage that
may not be worth it.

Immediately before the for() loop at the end of CTFSay_Team, add the following
lines:

    *p = 0;
    if ( strlen(outmsg) > 150)   // new line added
        outmsg[150] = 0;         // new line added
    for (i = 0; i < maxclients->value; i++) {
        ...
    }

---------------------------------------------------------------------------

The second bug is more of a nuisance, but it won't cause the server to crash.
A player can join a team and appear with the default male/grunt skin by setting
his skin to anything with two forward slashes. For example, skin "a/b/c" or
even skin "//".

This bug is in the function CTFAssignSkin (file g_ctf.c). The line

    if ((p = strrchr(t, '/')) != NULL)

should be

    if ((p = strchr(t, '/')) != NULL)

---------------------------------------------------------------------------

Both of these bugs exist in the id CTF 1.02 source code and possibly earlier
versions. Please do not make the details of these bugs public as it will
probably be a while before mods have been fixed and all servers have been
upgraded.

The other two security problems I have found using the Lithium II mod, version
1.23 and likely previous versions as well. Another issue seems only to bother
the Linux version (again, 100% not sure though).
If you have two directories both containing the Lithium II 1.23 mod (haven't
tried previous versions), one being lithium and the other a random other name,
say, lithium_2, with gamedir set to lithium (because you want to prevent
clients from crashing when taking screenshots) and enable administrator
functions in the second directory, any user can gain administrative access
simply by entering 'admin' in the Quake2 console. If this happens, the user is
granted an extremely strange and high adminlevel, often of 7 random digits.
Disabling any of the admin functions (including both admincode and
adminpassword), restricting them to IPs or limiting them to a low adminlevel
does not have any effect; setting the Quake2 server cvar adminlist to blank
doesn't work either. Only removing the admin.lst file in *both* directories
prevents this security error from occurring.

Roderick 'GoG' van Domburg - ICQ UIN 7798700
GamePoint Quake II & Windows NT Administrator
- GamePoint - The Place to LPB! - http://www.gamepoint.net

----- End of forwarded message from Roderick 'GoG' van Domburg -----

--
: Patrick Oonk - http://patrick.mypage.org/ - patrick@pine.nl           :
: Pine Internet B.V. Consultancy, installatie en beheer                  :
: Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/        :
: -- Pine Security Digest - http://security.pine.nl/ (Dutch) ----        :
: "unix is voor types zonder sociaal leven..." - Patrick van Eijk        :

-------------------------------------------------------------------------

Date: Thu, 21 Jan 1999 20:41:07 -0600
From: Signal 11
To: BUGTRAQ@netspace.org
Subject: Re: Quake 2 Server Crash

Leif Sawyer wrote:
> I haven't figured out any way to stop this overflow attack, but it doesn't
> seem
> to do much else but dump core.

I saw a similar problem in QuakeWorld, which Zoid fixed about a month later -
A user can set a variable name + value using the "set" command in the console
to an arbitrary length.
I stuck one about 100 chars long into a string in autoexec, and loaded up my
qwcl client. It reliably crashed any server. *that* bug has since been fixed
long ago.

A new one I noted at least as late as 3.19 (I think.), is a derivative. Issue
the following at a console for a plain-old CTF server:

    msg 4
    bind c "team red; team blue; team red;team blue;team red;team blue;team red;team blue"

pop out of console and start hammering that C key. In about 10-15 seconds,
either all the players overflow and drop out of the game, or your screen
jitters, the sound skips, and the server comes crashing down. However, that
doesn't help you much, as having only 2 players in the game throws this theory
out. :/

No doubt it's a buffer-overflow on one of the client-settable variables. Maybe
fov ? qwcl also did *not* like negative values. Quake2 might be similar.

Now, back to fragging those stupid zbots...

But, I'm not a quake coder, so don't hold me to any of this. This was just
something I discovered by accident. It's been reported, but nobody at ID seems
to care, since Quake Arena is due out soon....

--
signal11@mediaone.net | BOFH, Signal 11 Network | RSA encryption follows:
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0
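As an added illustration of the CTFSay_Team problem in the first message (this is not code from either post or from id's CTF source): a macro expander that never writes past its output buffer and then applies the same 150-character cap that Cmd_Say_f uses, so a say_team full of %L can only ever produce a clipped message. It expands only %L with a caller-supplied sample location; MAX_SAY_LEN and all function names are assumptions, and the 50 x "%L" input is constructed to mirror the report.

```c
#include <string.h>

#define MAX_SAY_LEN 150   /* the limit Cmd_Say_f applies to ordinary chat */
/* Append src to out (capacity outsz) without writing past the end.
 * Returns 0 if it fit, -1 if clipped; out stays NUL-terminated either way. */
static int append_bounded(char *out, size_t outsz, size_t *len, const char *src)
{
    size_t n = strlen(src), room = outsz - 1 - *len;
    int fit = n <= room;
    if (!fit) n = room;
    memcpy(out + *len, src, n);
    *len += n;
    out[*len] = '\0';
    return fit ? 0 : -1;
}

/* Expand team-chat macros into a fixed-size buffer. Only %L (location, the
 * macro named in the report) is expanded; 'location' is a caller-supplied
 * sample value. Returns the output length and sets *truncated if clipped. */
size_t expand_say_team(const char *in, const char *location,
                       char *out, size_t outsz, int *truncated)
{
    size_t len = 0;
    *truncated = 0;
    out[0] = '\0';
    for (const char *p = in; *p; p++) {
        char one[2] = { *p, '\0' };
        int is_loc = (*p == '%' && (p[1] == 'L' || p[1] == 'l'));
        if (append_bounded(out, outsz, &len, is_loc ? location : one) < 0) {
            *truncated = 1;
            break;
        }
        if (is_loc) p++;
    }
    /* Second line of defence, as in the posted fix: cap at the say limit. */
    if (len > MAX_SAY_LEN) { out[MAX_SAY_LEN] = '\0'; len = MAX_SAY_LEN; *truncated = 1; }
    return len;
}

/* Constructed reproduction of the report: one say_team carrying 50 "%L". */
static size_t fifty_macros(int *truncated)
{
    static char out[1024];
    char in[128] = "";
    for (int i = 0; i < 50; i++) strcat(in, "%L");
    return expand_say_team(in, "Red Base", out, sizeof out, truncated);
}
size_t fifty_macros_len(void)       { int t; return fifty_macros(&t); }
int    fifty_macros_truncated(void) { int t; fifty_macros(&t); return t; }
```

With an 8-character location, 50 expansions would need 400 bytes; the expander stops at the buffer edge and the cap then clips the result to 150, which is what reaches each client.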