[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030527194316.5e819989.aluigi@DUMMY>
Date: Tue, 27 May 2003 19:43:16 +0000
From: Auriemma Luigi <aluigi@...x.com>
To: bugtraq@...urityfocus.com, vulnwatch@...nwatch.org,
full-disclosure@...ts.netsys.com, list@...ield.org
Subject: Exploit: Quake 3 engine, con\con and heartbeats (just for fun)
Well, the following problem is based on the very old con\con bug that
affects unpatched Windows95/98/98SE systems.
If you don't know it take a look here:
http://www.microsoft.com/technet/security/bulletin/MS00-017.asp.
I have decided to show this problem to the security community ONLY for 3
reasons:
- I think that it is a funny method to crash remote systems through an
original way: multiplayer games and an old famous system bug.
- Probably a great number of people don't know that exists a patch to fix
the con\con problem and, moreover, that exist this famous problem.
- I like a lot the exploit I have written and probably someone could find it
interesting for other tests on the Quake 3 engine 8-)
Quickly: some of the games based on the Quake 3 engine have a funny feature.
They display the image related to the current map played in a multiplayer
match.
First, they get the name of the map passed from the server in the "mapname"
parameter, add a .TGA or other image extensions to this name and finally try
to load and display it on the screen.
An example in C language for Quake 3 is the following:
#define Q3 "\xff\xff\xff\xff" \
"infoResponse\n" \
"\\punkbuster\\0" \
"\\pure\\1" \
"\\gametype\\0" \
"\\sv_maxclients\\8" \
"\\clients\\1" \
------> "\\mapname\\con/con" \
"\\hostname\\hostname" \
"\\protocol\\68" \
"\\challenge\\xxx"
I have personally tested some games based on the Quake 3 engine and the
vulnerables are:
- Quake 3 Arena 1.32
- Soldier of Fortune 2 1.03 GOLD
The games that I have tested and are NOT vulnerables are:
- Return to Castle Wolfenstein 1.41
- Medal of Honor: Allied Assault 1.11
ONLY the clients are vulnerables to this problem.
EXPLOIT FOR QUAKE 3 + HEARTBEAT EMULATOR
----------------------------------------
I have written an exploit that emulates a Quake 3 server and sends the
con\con mapname.
It can be compiled on both Unix and Windows and it also sends a heartbeat
packet to the Quake 3 Masterserver (you can disable this feature adding a 0
after the executable name when you launch it).
The heartbeat is the method used by game servers for be included in the
pubblic servers list that is owned by ID-Software.
That mean that the exploit will receive queries from all the Quake 3 clients
in the world and it will send the con/con mapname back to them:
http://www.pivx.com/luigi/poc/q3concon.zip
The official patch for the con\con problem (year 2000) can be found here:
http://www.microsoft.com/technet/security/bulletin/MS00-017.asp
BYEZ
---
PivX Bug Researcher
http://www.pivx.com/luigi/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists