lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <4F7044E0.1000202@debian.org>
Date: Mon, 26 Mar 2012 11:28:48 +0100
From: Simon McVittie <smcv@...ian.org>
To: bugtraq@...urityfocus.com
Subject: Traffic amplification via Quake 3-based servers

It has been discovered that spoofed "getstatus" UDP requests are being
used by attackers[0][1][2][3] to direct status responses from multiple
Quake 3-based servers to a victim, as a traffic amplification mechanism
for a denial of service attack on that victim.

Open-source games derived from the Quake 3 engine are typically based on
ioquake3 [4], a popular fork of that engine. This vulnerability was
fixed in ioquake3 svn revision 1762 (January 2010) [5] by applying a
rate-limit to the getstatus request. Like several other known and fixed
vulnerabilities, it is not fixed in the latest official ioquake3 release
(1.36, April 2009).

If a CVE ID is allocated for this vulnerability, please reference
ioquake3 r1762 prominently in any advisory.

Fixed versions of various open-source games based on Quake III Arena,
mostly based on visual inspection of their source code:

* ioquake3 svn >= r1762
* OpenArena >= 0.8.8
* OpenArena engine snapshot >= 0.8.x-20
* World of Padman >= 1.5.4
* Tremulous svn trunk >= r1953
* Tremulous svn, gpp branch >= r1955
* Smokin' Guns >= 1.1b4
* Smokin' Guns svn 1.1 branch >= r472

Vulnerable older versions include:

* ioquake3 engine 1.36
* OpenArena 0.8.5
* World of Padman 1.5
* Tremulous 1.1.0
* Tremulous Gameplay Preview 1 (GPP1)
* Smokin' Guns svn trunk at the time of writing (r181)

Proprietary games based on the Quake 3 engine (Quake III Arena
when played using its official engine, Star Wars: Jedi Outcast and Jedi
Academy, Star Trek: Elite Force 1 & 2, etc.) are also likely to be
vulnerable.

Proprietary games being run under the ioquake3 engine (Quake III Arena
when using ioquake3, Urban Terror when using ioUrbanTerror, etc.) may be
vulnerable or not vulnerable, depending on the version of ioquake3 used.

[0]
http://lists.ioquake.org/pipermail/ioquake3-ioquake.org/2012-January/004778.html
[1] http://openarena.ws/board/index.php?topic=4391.0
[2] http://www.urbanterror.info/forums/topic/27825-drdos/
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665656
[4] http://ioquake3.org/
[5] http://icculus.org/pipermail/quake3-commits/2010-January/001679.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ