I couldn't see why the string ÿÿÿÿconnectre would be significant since the core dumped by q3ded shows that it died in the middle of a strcpy, so I took defrag's posted code and modified it to see what would happen if I changed the 're' to something else. Sure enough, this is just a generic buffer overflow problem in the code dealing with the 'connect' command. The string needs to begin with \xff\xff\xff\xffconnect followed by two or more arbitrary bytes and the server dies.

Is this exploitable?

Brendan

-------------------------------------------------------------
Brendan Alderslade               phone:  +61 8 8982 4000
Trainer/Consultant               mobile: +61 438 522 145
RHCE RHCX MCP LPIC-1 LCP         fax:    +61 8 8941 8075
Territory Business Solutions     email:  balderslade@tbs.com.au
                                 www:    http://www.tbs.com.au/
To understand recursion, you must first understand recursion.

-----Original Message-----
From: The Tree of Life [mailto:drttol@hotmail.com]
Sent: Tuesday, July 31, 2001 8:19 AM
To: bugtraq@securityfocus.com
Subject: ADV: Quake 3 Arena 1.29f/g Vulnerability

--------------------------------------
:: Q30wnerz Advisory v1.0 - PUBLIC
:: written by ttol
--------------------------------------
:: Quake 3 Arena 1.29f/g Vulnerability
--------------------------------------

-----------
:: Summary
-----------

There exists a very large hole in Quake 3 Arena, version 1.29f and 1.29g (the latest, 1.29g which got released just under a week ago). The hole is not fixable in any way by the user, and most of the servers that are up (thousands of them) are vulnerable. To have this hole fixed, a PR (point release) will have to be given to the public by iD Software.

Point Releases will show up at: http://www.quake3world.com

--------------------
:: Affected Products
--------------------

The following versions of Quake 3 Arena are vulnerable to this specific attack:

o Quake 3 Arena 1.29f
o Quake 3 Arena 1.29g

----------
:: Details
----------

As a result of a previous Q30wnerz-discovered vulnerability, iD Software had to redesign the protocol, closing up the previous vulnerability. However, we have discovered a new one which segment faults the servers cleanly (it gives back the memory it had taken before, which is a lot since Quake 3 is a memory hog). If the server is logging, it will segment fault before it has a chance to append it to the log file.

The exploitation occurs when initiating a connect sequence at the server's port, and sending the following:

ÿÿÿÿconnectre

Those four Y's with the dots on them are char(255)'s. The server at this point will die, and will remain down until the process has been restarted.

The Linux version for this (one server at a time):

perl -wle 'printf("%c%c%c%c%s",255,255,255,255,"connectre")' | nc -u 1.1.1.1 27960

Replace 1.1.1.1 with the server's ip.

The Windows binary version can be downloaded at: http://www.gamenet.nu/cheats

---------
:: Impact
---------

At this point, our proof of concept binary only supports one server at a time. That means it will only allow the user to demonstrate on one server. One can only imagine how this will carry out if someone else took it in their hands to cull the master list and sequentially try it (it only takes a few nanoseconds to send the offending string).

--------------
:: Workarounds
--------------

iD Software at this point has not released a working Point Release that prevents this. A quick way to ensure that your server will be up is to revert back to 1.17.

-------------------
:: Acknowledgements
-------------------

o iD Software (www.idsoftware.com) for making such a beautiful game.
o ttol (that's me!) for...being the ladies' man and also coding and perfecting this
o Coolest for discovering this initially
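The packet layout the two messages above describe (four 0xFF bytes, the word connect, then whatever follows) turned into a defender's detection heuristic for server operators reading a capture of their UDP game port. This is an added example, not code from the advisory, from Brendan, or from id Software; it assumes that a legitimate connect carries exactly one quoted, backslash-delimited userinfo string no longer than MAX_INFO_STRING (1024 bytes in the Quake 3 source, taken here as an assumption), and it runs over constructed sample datagrams, one of them the exact string from the advisory.

```python
import re

# Quake 3 "connectionless" (out-of-band) packets start with four 0xFF bytes.
OOB_PREFIX = b"\xff\xff\xff\xff"
# Assumption for this example: a legitimate connect is followed by whitespace and
# exactly one quoted userinfo string, e.g. connect "\challenge\1234\name\player".
USERINFO_RE = re.compile(r'^\s+"\\[^"]*"\s*$')
MAX_USERINFO = 1024  # MAX_INFO_STRING in the Quake 3 source (assumption here)


def classify(payload: bytes) -> str:
    """Return a verdict for one UDP datagram seen on a Quake 3 server port."""
    if not payload.startswith(OOB_PREFIX):
        return "in-band"            # ordinary game traffic, not inspected here
    body = payload[len(OOB_PREFIX):]
    if not body.startswith(b"connect"):
        return "oob-other"          # getinfo, getstatus, getchallenge, ...
    arg = body[len(b"connect"):]
    # Non-ASCII bytes decode to U+FFFD and therefore fail the userinfo pattern.
    text = arg.decode("ascii", errors="replace")
    if len(text) > MAX_USERINFO or not USERINFO_RE.match(text):
        return "connect-suspicious" # e.g. the "connectre" string from the advisory
    return "connect-ok"


def scan(datagrams):
    """Return (index, verdict, preview) for every suspicious connect seen."""
    hits = []
    for i, pkt in enumerate(datagrams):
        verdict = classify(pkt)
        if verdict == "connect-suspicious":
            hits.append((i, verdict, pkt[:24]))
    return hits


# Constructed sample datagrams (not a real capture).
SAMPLES = [
    b"\xff\xff\xff\xffgetinfo xxx",
    b'\xff\xff\xff\xffconnect "\\challenge\\1234\\qport\\5\\protocol\\66\\name\\player"',
    b"\xff\xff\xff\xffconnectre",                 # the string from the advisory
    b"\xff\xff\xff\xffconnect \x90\x90\x90\x90",  # binary where userinfo belongs
    b"\x01\x02\x03\x04hello",                     # not an out-of-band packet
]

if __name__ == "__main__":
    for idx, verdict, preview in scan(SAMPLES):
        print(f"datagram {idx}: {verdict} {preview!r}")
```

Feeding the same function the payload of every datagram to port 27960 from a pcap gives an alert list without having to reproduce the crash on a live server.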