CVE-2006-2082
CVSS 7.5
Published: 2006-05-09 22:18:00
Last revised: 2008-09-05 17:03:37

[Original] Directory traversal vulnerability in Quake 3 engine, as used in products including Quake3 Arena, Return to Castle Wolfenstein, Wolfenstein: Enemy Territory, and Star Trek Voyager: Elite Force, when the sv_allowdownload cvar is enabled, allows remote attackers to read arbitrary files from the server via ".." sequences in a .pk3 file request.


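[CNNVD] Quake 3 engine server .pk3 file directory traversal vulnerability (CNNVD-200605-174)

        The Quake 3 engine, used by multiple products including Quake3 Arena, Castle Wolfenstein, Wolfenstein: Enemy Territory, and Star Trek Voyager: Elite Force, contains a directory traversal vulnerability. When the sv_allowdownload cvar is enabled, a remote attacker can read arbitrary files from the server by means of ".." sequences in a .pk3 file request.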

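- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2082
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2082
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200605-174
(official data source) CNNVD

- Other links and resources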

http://www.securityfocus.com/bid/17924
(UNKNOWN)  BID  17924
http://www.securityfocus.com/archive/1/archive/1/433349/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060508 Two independent vulnerabilities (client and server side) in Quake3 engine and many derived games
http://xforce.iss.net/xforce/xfdb/26347
(UNKNOWN)  XF  quake3-sv-allowdownload-directory-traversal(26347)
http://securityreason.com/securityalert/880
(UNKNOWN)  SREASON  880
http://lists.grok.org.uk/pipermail/full-disclosure/2006-May/045906.html
(UNKNOWN)  FULLDISC  20060508 Two independent vulnerabilities (client and server side) in Quake3 engine and many derived games

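- Vulnerability information

Quake 3 engine server .pk3 file directory traversal vulnerability
High risk   Path traversal
2006-05-09 00:00:00 2006-05-10 00:00:00
Remote
        The Quake 3 engine, used by multiple products including Quake3 Arena, Castle Wolfenstein, Wolfenstein: Enemy Territory, and Star Trek Voyager: Elite Force, contains a directory traversal vulnerability. When the sv_allowdownload cvar is enabled, a remote attacker can read arbitrary files from the server by means of ".." sequences in a .pk3 file request.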

- Advisories and patches

        The vendor has released upgrade patches that fix this security issue. Patch download links:
        id Software Quake 3 Arena 1.32 b
        id Software Quake III Arena 1.32c Patch (linux)
        http://www.idsoftware.com/downloads/shambler.php?id=8001
        id Software Quake III Arena 1.32c Patch (mac)
        http://www.idsoftware.com/downloads/shambler.php?id=8002
        id Software Quake III Arena 1.32c Patch (win32)
        http://www.idsoftware.com/downloads/shambler.php?id=8000
        id Software Return to Castle Wolfenstein 1.41
        id Software Return to Castle Wolfenstein 1.41b Patch (linux)
        http://www.idsoftware.com/downloads/shambler.php?id=10001
        id Software Return to Castle Wolfenstein 1.41b Patch (win32)
        http://www.idsoftware.com/downloads/shambler.php?id=10000

- Vulnerability information (F110095)

Tremulous Inherited Issues (PacketStormID:F110095)
2012-02-23 00:00:00
Simon McVittie  
advisory,vulnerability
CVE-2006-2082,CVE-2006-2236,CVE-2006-2875,CVE-2006-3324,CVE-2006-3325,CVE-2011-2674,CVE-2011-3012

Tremulous, a team based FPS game with RTS elements, suffers from a large amount of old Quake related vulnerabilities.

Background
==========

Tremulous is a team-based FPS game with RTS elements. Its engine and
game logic are based on the GPL source release of the Quake III Arena
engine and game logic by id Software.

The de facto upstream developer of the Quake III engine is now another
fork, ioquake3; in particular, ioquake3 fixes many security
vulnerabilities present in the original Quake III Arena source release.
Unlike (for instance) OpenArena or Urban Terror, Tremulous has diverged
from the original Quake III Arena engine, so it cannot be played using
an unmodified ioquake3 engine.

The Tremulous website advertises two versions of the game:

* 1.1.0, a stable release (released 2006-03-31). This is packaged
  in Debian/Ubuntu stable releases, and also appears to be packaged
  in FreeBSD, openSUSE and Gentoo.

* GPP1 ("Gameplay Preview 1"), a preview release (2009-12-03) of
  what will eventually become Tremulous 1.2. This
  appears to be packaged in Fedora stable releases.

In addition, there are several unofficial engine updates compatible with
1.1.0, notably a backport by Tony White (TJW), and a set of updated
client and server provided by Mercenaries' Guild. These are not
publicized by the main Tremulous website, but they are apparently
popular with players, and their functionality has been incorporated into
version 1.2 development.

Vulnerabilities
===============

Numerous security vulnerabilities have been reported and fixed in
ioquake3 since its initial release. Neither Tremulous 1.1.0 nor GPP1
incorporates fixes for all of these vulnerabilities.

I believe this table is more or less accurate, but I have only checked
Tremulous 1.1.0 in detail. If you ship one of the other versions, you
will need to do your own checks.

               Trem-1.1.0    MGC-1.011    MGS-1.01     tjw    Trem-GPP1
CVE-2001-1289       OK           OK           OK        OK       OK
CVE-2005-0430       OK           OK           OK        OK       OK
CVE-2005-0983       OK           OK           OK        OK       OK
CVE-2006-2082       Vuln         n/a          ?         Vuln     OK
CVE-2006-2236       Vuln         OK           n/a       OK       OK
CVE-2006-2875       Vuln         OK           n/a       OK       OK
CVE-2006-3324       Vuln         OK           n/a       Vuln     OK
CVE-2006-3325       Vuln         OK           n/a       Vuln     OK
CVE-2006-3400       OK           OK           OK        OK       OK
CVE-2006-3401       OK           OK           OK        OK       OK
CVE-2011-1412       OK           OK           OK        OK       OK
CVE-2011-2674       Vuln         Vuln         n/a       Vuln     Vuln
CVE-2011-3012       Vuln         OK           n/a       Vuln     OK

(For completeness, the table lists all CVE IDs I've found listed for
either Quake III Arena or ioquake3.)

Key: Trem-1.1.0 = Tremulous 1.1.0 (2006-03-31)
     MGC-1.011 = MercenariesGuild client 1.011 when used as a client
     MGS-1.01 = MercenariesGuild server 1.01 when used as a server
     tjw = http://tremulous.tjw.org/backport/
     Trem-GPP1 = Tremulous Gameplay Preview 1 (1.2 prerelease,
                 2009-12-03)

     Vuln = vulnerable
     partial = partial fix, probably still vulnerable
     n/a = server-specific bug not applicable to client or vice versa

In addition, searching ioquake3 commit history reveals a number of
commits which do not appear to be related to a CVE number, but could be
security-sensitive. I have not analyzed which of these could affect the
Tremulous engine. If you cause a new CVE number to be assigned for any
changes made to ioquake3 in the past (as was done for CVE-2011-3012),
please include a prominent reference to the relevant svn revision in any
advisory, so that CVE numbers can be correlated with the changes required.

Finally, to the best of my knowledge, ioquake3 upstream do not consider
the QVM bytecode interpreter to be safe for use with untrusted bytecode;
this means that auto-downloading (cl_allowDownload 1) is not considered
to be safe under any circumstances. This is particularly the case for
engines which do not have the interpreter/JIT hardening work that was
done in ioquake3 at svn revisions around 1687, 1717 and 2000, none of
which is present in at least Tremulous 1.1.0.

Response
========

I have not received any response from Tremulous developers since I
contacted them privately 1 month ago.

Distributions like Debian, Fedora and Ubuntu should either fix the open
vulnerabilities, or remove affected Tremulous versions from their
repositories entirely.

I have uploaded tremulous 1.1.0-7 to Debian, with backports of the
various CVE fixes from ioquake3, and some additional pre-emptive changes
for potential bugs which are not known to be exploitable (avoiding
non-constant format strings and sprintf() into a fixed-length buffer).
Patches which I believe to be correct are available at
<http://anonscm.debian.org/gitweb/?p=pkg-games/tremulous.git;a=tree;f=debian/patches>
or by cloning the git repository
<git://anonscm.debian.org/pkg-games/tremulous.git>. Please contact me
via the Debian bug tracking system or the Games Team mailing list
<debian-devel-games@lists.debian.org> with testing results or
corrections for these patches.

I believe that long-term-supported distributions should also mitigate
any future vulnerabilities in the ioquake3 bytecode interpreter by
removing client-side support for auto-downloading (always behaving as if
configured with cl_allowDownload 0) in their stable releases. I have
made this change in Debian's tremulous 1.1.0-7 package, but not yet in
Debian's ioquake3 package.

Regards,
    S
    

- Vulnerability information

25720
Quake 3 sv_allowdownload Traversal Arbitrary File Access
Input Manipulation
Vendor Verified

- Vulnerability description

Unknown or Incomplete

- Timeline

2006-05-09 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Quake 3 Engine Server Information Disclosure Vulnerability
Access Validation Error 17924
Yes No
2006-05-09 12:00:00 2010-05-17 06:52:00
Discovery is credited to Ludwig Nussel and Thilo Schulz <arny@ats.s.bawue.de>.

- Affected program versions

Red Hat Fedora 13
Red Hat Fedora 12
Raven Software Star Trek Voyager: Elite Force 1.2
Raven Software Star Trek Voyager: Elite Force 1.1
Raven Software Star Trek Voyager: Elite Force 1.0
id Software Return to Castle Wolfenstein 1.41
id Software Quake 3 Engine 1.32 b
id Software Quake 3 Arena 1.32 b
id Software Return to Castle Wolfenstein 1.41b
id Software Quake 3 Arena 1.32c

- Unaffected program versions

id Software Return to Castle Wolfenstein 1.41b
id Software Quake 3 Arena 1.32c

- Vulnerability discussion

The Quake 3 engine is susceptible to a remote information-disclosure vulnerability. Affected game servers fail to ensure that only appropriate files may be sent to remote users.

This issue allows remote attackers to gain access to the potentially sensitive contents of arbitrary files on the computer hosting vulnerable game servers. This occurs with the privileges of the targeted game server.

This vulnerability reportedly affects the following games:
- Quake 3 Arena
- Return to Castle Wolfenstein
- Star Trek Voyager: Elite Force

Other games may also be affected.
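
An added example, not code from id Software, ioquake3 or any advisory cited in this entry: a lexical check in C that a server could apply to a requested download name before opening it, so that a request carrying ".." components is refused. The function names, the 64-byte cap and the sample requests are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define REQ_MAX 64 /* assumed cap on request length, chosen for this example */

/* Case-insensitive test that s (length len) ends in ".pk3". */
static int has_pk3_suffix(const char *s, size_t len)
{
    static const char ext[] = ".pk3";
    if (len <= 4) return 0;
    for (size_t i = 0; i < 4; i++) {
        char c = s[len - 4 + i];
        if (c >= 'A' && c <= 'Z') c = (char)(c - 'A' + 'a');
        if (c != ext[i]) return 0;
    }
    return 1;
}

/* Returns 1 only for a relative, forward-slash path of ordinary components naming a .pk3 file. */
int pk3_request_allowed(const char *req)
{
    if (req == NULL) return 0;
    size_t len = strlen(req), start = 0;
    if (len >= REQ_MAX || req[0] == '/' || !has_pk3_suffix(req, len)) return 0;
    for (size_t i = 0; i <= len; i++) {
        unsigned char c = (unsigned char)req[i];
        if (i < len && c != '/') {
            /* backslash, drive colon and control bytes are never valid */
            if (c == '\\' || c == ':' || c < 0x20 || c == 0x7f) return 0;
            continue;
        }
        size_t n = i - start;              /* component is req[start..i) */
        if (n == 0) return 0;              /* "//" or trailing "/" */
        if (req[start] == '.' && (n == 1 || (n == 2 && req[start + 1] == '.')))
            return 0;                      /* "." or ".." */
        start = i + 1;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample requests, not taken from any advisory. */
    const char *samples[] = { "baseq3/pak0.pk3", "baseq3/../../private.pk3",
                              "../server.cfg", "/srv/q3/pak0.pk3" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-28s %s\n", samples[i], pk3_request_allowed(samples[i]) ? "allow" : "deny");
    return 0;
}
```

The check works on path components rather than substrings, so a file name such as `a..b.pk3` is still accepted while a `..` component is refused.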

- Exploit


Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com

- Solution

id Software has released patches to address this and other issues.


id Software Quake 3 Arena 1.32 b

id Software Return to Castle Wolfenstein 1.41

- Related references
