|Published: 2006-06-30 19:05:00|
|Revised: 2011-03-07 21:38:21|
[Original] The Automatic Downloading option in the id3 Quake 3 Engine and the Icculus Quake 3 Engine (ioquake3) before revision 804 allows remote attackers to overwrite arbitrary files in the quake3 directory (fs_homepath cvar) via a long string of filenames, as contained in the neededpaks buffer.
[CNNVD] id3 Quake 3 Engine/Icculus Quake 3 Engine "Automatic Downloading" option input validation vulnerability (CNNVD-200606-615)
The "Automatic Downloading" option in the id3 Quake 3 Engine and the Icculus Quake 3 Engine (ioquake3) before revision 804 allows remote attackers to overwrite arbitrary files in the quake3 directory (fs_homepath cvar) via a long string of filenames contained in the neededpaks buffer.
(UNKNOWN) VUPEN ADV-2006-2569
(UNKNOWN) BID 18685
(UNKNOWN) BUGTRAQ 20060628 Re: Files and cvars overwriting in Quake 3 engine (1.32c / rev 803 / ...)
(UNKNOWN) BUGTRAQ 20060627 Files and cvars overwriting in Quake 3 engine (1.32c / rev 803 / ...)
(UNKNOWN) CONFIRM http://svn.icculus.org/quake3?rev=804&view=rev
(VENDOR_ADVISORY) SECUNIA 20851
(VENDOR_ADVISORY) SECUNIA 20401
(UNKNOWN) MISC http://aluigi.altervista.org/adv/q3cfilevar-adv.txt
(UNKNOWN) XF quake3-cvar-file-overwrite(27486)
(UNKNOWN) SREASON 1171
|id3 Quake 3 Engine/Icculus Quake 3 Engine "Automatic Downloading" option input validation vulnerability|
|2006-06-30 00:00:00||2006-07-03 00:00:00|
- Vulnerability information (F110095)
|Tremulous Inherited Issues (PacketStormID:F110095)|
Tremulous, a team-based FPS game with RTS elements, suffers from a large number of old Quake-related vulnerabilities.
Background
==========

Tremulous is a team-based FPS game with RTS elements. Its engine and game logic are based on the GPL source release of the Quake III Arena engine and game logic by id Software.

The de facto upstream developer of the Quake III engine is now another fork, ioquake3; in particular, ioquake3 fixes many security vulnerabilities present in the original Quake III Arena source release. Unlike (for instance) OpenArena or Urban Terror, Tremulous has diverged from the original Quake III Arena engine, so it cannot be played using an unmodified ioquake3 engine.

The Tremulous website advertises two versions of the game:

* 1.1.0, a stable release (released 2006-03-31). This is packaged in Debian/Ubuntu stable releases, and also appears to be packaged in FreeBSD, openSUSE and Gentoo.
* GPP1 ("Gameplay Preview 1"), a preview release (2009-12-03) of what will eventually become Tremulous 1.2. This appears to be packaged in Fedora stable releases.

In addition, there are several unofficial engine updates compatible with 1.1.0, notably a backport by Tony White (TJW), and a set of updated client and server provided by Mercenaries' Guild. These are not publicized by the main Tremulous website, but they are apparently popular with players, and their functionality has been incorporated into version 1.2 development.

Vulnerabilities
===============

Numerous security vulnerabilities have been reported and fixed in ioquake3 since its initial release. Neither Tremulous 1.1.0 nor GPP1 incorporates fixes for all of these vulnerabilities.

I believe this table is more or less accurate, but I have only checked Tremulous 1.1.0 in detail. If you ship one of the other versions, you will need to do your own checks.

                Trem-1.1.0  MGC-1.011  MGS-1.01  tjw   Trem-GPP1
CVE-2001-1289   OK          OK         OK        OK    OK
CVE-2005-0430   OK          OK         OK        OK    OK
CVE-2005-0983   OK          OK         OK        OK    OK
CVE-2006-2082   Vuln        n/a        ?         Vuln  OK
CVE-2006-2236   Vuln        OK         n/a       OK    OK
CVE-2006-2875   Vuln        OK         n/a       OK    OK
CVE-2006-3324   Vuln        OK         n/a       Vuln  OK
CVE-2006-3325   Vuln        OK         n/a       Vuln  OK
CVE-2006-3400   OK          OK         OK        OK    OK
CVE-2006-3401   OK          OK         OK        OK    OK
CVE-2011-1412   OK          OK         OK        OK    OK
CVE-2011-2674   Vuln        Vuln       n/a       Vuln  Vuln
CVE-2011-3012   Vuln        OK         n/a       Vuln  OK

(For completeness, the table lists all CVE IDs I've found listed for either Quake III Arena or ioquake3.)

Key:

Trem-1.1.0 = Tremulous 1.1.0 (2006-03-31)
MGC-1.011 = MercenariesGuild client 1.011 when used as a client
MGS-1.01 = MercenariesGuild server 1.01 when used as a server
tjw = http://tremulous.tjw.org/backport/
Trem-GPP1 = Tremulous Gameplay Preview 1 (1.2 prerelease, 2009-12-03)
Vuln = vulnerable
partial = partial fix, probably still vulnerable
n/a = server-specific bug not applicable to client or vice versa

In addition, searching ioquake3 commit history reveals a number of commits which do not appear to be related to a CVE number, but could be security-sensitive. I have not analyzed which of these could affect the Tremulous engine.

If you cause a new CVE number to be assigned for any changes made to ioquake3 in the past (as was done for CVE-2011-3012), please include a prominent reference to the relevant svn revision in any advisory, so that CVE numbers can be correlated with the changes required.

Finally, to the best of my knowledge, ioquake3 upstream do not consider the QVM bytecode interpreter to be safe for use with untrusted bytecode; this means that auto-downloading (cl_allowDownload 1) is not considered to be safe under any circumstances. This is particularly the case for engines which do not have the interpreter/JIT hardening work that was done in ioquake3 at svn revisions around 1687, 1717 and 2000, none of which is present in at least Tremulous 1.1.0.

Response
========

I have not received any response from Tremulous developers since I contacted them privately 1 month ago.

Distributions like Debian, Fedora and Ubuntu should either fix the open vulnerabilities, or remove affected Tremulous versions from their repositories entirely.

I have uploaded tremulous 1.1.0-7 to Debian, with backports of the various CVE fixes from ioquake3, and some additional pre-emptive changes for potential bugs which are not known to be exploitable (avoiding non-constant format strings and sprintf() into a fixed-length buffer).

Patches which I believe to be correct are available at <http://anonscm.debian.org/gitweb/?p=pkg-games/tremulous.git;a=tree;f=debian/patches> or by cloning the git repository <git://anonscm.debian.org/pkg-games/tremulous.git>. Please contact me via the Debian bug tracking system or the Games Team mailing list <email@example.com> with testing results or corrections for these patches.

I believe that long-term-supported distributions should also mitigate any future vulnerabilities in the ioquake3 bytecode interpreter by removing client-side support for auto-downloading (always behaving as if configured with cl_allowDownload 0) in their stable releases. I have made this change in Debian's tremulous 1.1.0-7 package, but not yet in Debian's ioquake3 package.

Regards,
S
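Added example, not part of the advisory or of any distribution's patches: a Python audit that scans a Quake 3 style config file for assignments that leave cl_allowDownload non-zero, the setting the advisory describes as unsafe. The `set`/`seta`/`sets`/`setu` command syntax, the function names and the sample config are assumptions of this example.

```python
import re

SET_COMMANDS = {"set", "seta", "sets", "setu"}   # assumed cvar-assigning commands
TARGET = "cl_allowdownload"                       # compared case-insensitively
COMMAND_RE = re.compile(r'(?:[^;"]|"[^"]*")+')    # split on ';' outside quotes
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')         # quoted string or bare word

SAMPLE_CFG = '''\
// constructed sample, not taken from a real installation
seta name "player"
seta cl_allowDownload "1"   // enabled here
bind x "say hi; wave"
set CL_ALLOWDOWNLOAD 0; seta sensitivity "5"
'''

def strip_comment(line):
    """Drop a trailing // comment unless the slashes sit inside quotes."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote and line.startswith("//", i):
            return line[:i]
    return line

def assignments(cfg_text):
    """Return [(line_no, value)] for every assignment to cl_allowDownload."""
    found = []
    for line_no, raw in enumerate(cfg_text.splitlines(), start=1):
        for command in COMMAND_RE.findall(strip_comment(raw)):
            tokens = [q or w for q, w in TOKEN_RE.findall(command)]
            if (len(tokens) >= 3 and tokens[0].lower() in SET_COMMANDS
                    and tokens[1].lower() == TARGET):
                found.append((line_no, tokens[2]))
    return found

def is_enabled(value):
    """Conservative: anything that is not the integer 0 counts as enabled."""
    try:
        return int(value) != 0
    except ValueError:
        return True

def audit(cfg_text):
    """Return (effective, offending); effective is None if never assigned."""
    found = assignments(cfg_text)
    offending = [(n, v) for n, v in found if is_enabled(v)]
    return (is_enabled(found[-1][1]) if found else None), offending
```

`audit()` reports both the value that wins (the last assignment) and every enabling line, since an earlier enabling line can come back into effect if the config is later edited or re-ordered.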
|Multiple Vendor Quake 3 Engine Automatic Downloading Option Arbitrary File Overwrite|
|Exploit Public||Vendor Verified|
|Quake 3 Multiple Vulnerabilities|
|2006-06-27 12:00:00||2010-05-17 06:52:00|
|Luigi Auriemma is credited with the discovery of these vulnerabilities.|
Red Hat Fedora 13
Red Hat Fedora 12
id Software Quake 3 Engine (Icculus Version) 804
id Software Quake 3 Engine (Icculus Version) 803
id Software Quake 3 Engine 1.32 c
id Software Quake 3 Engine 1.32 b
Quake 3 is prone to vulnerabilities that may allow attackers to access and steal privileged data. These issues are due to a design error and to a failure in the application to properly sanitize user-supplied input.
An attacker can exploit these issues to overwrite other game player files with arbitrary data and to gain access to potentially sensitive information. This will result in a loss of data and possibly a loss of confidentiality.
Attackers can exploit this issue with a modified version of the Quake source code.
A sample patch file to demonstrate this vulnerability has been provided:
The vendor has fixed the "Automatic Downloading" vulnerability in Icculus Quake 3 Version 803; please see the reference section for details.