|
Quake3 Engine File Overwrite And Buffer Overflow Vulnerabilities
|
|
Secunia Advisory:
|
SA20401
|
|
|
Release Date:
|
2006-06-05
|
|
Last Update:
|
2006-07-04
|
|
Popularity:
|
7,477 views
|
|
|
Critical:
|
Moderately critical
|
|
Impact:
|
Security Bypass
DoS
System access
|
|
Where:
|
From remote
|
|
Solution Status:
|
Unpatched
|
|
| Software: | Quake3 Engine 1.x
|
|
|
Subscribe:
|
Instant alerts on relevant vulnerabilities 
|
|
| CVE reference: | CVE-2006-2875
CVE-2006-3324
CVE-2006-3325
|
|
Description:
Luigi Auriemma has reported some vulnerabilities in the Quake3 Engine, which can be exploited by malicious people to pass certain security restrictions, cause a DoS (Denial of Service) and potentially to compromise a user's system.
1) A boundary error exists within the "CL_ParseDownload()" function in "code/client/cl_parse.c" when handling the download commands received from the server. This can be exploited to cause a stack-based buffer overflow via a malicious "svc_download" command sent from the server.
Successful exploitation may allow arbitrary code execution but requires that e.g. the user is tricked into connecting to a malicious server.
2) An error exists within the Automatic Downloading functionality when handling filenames of PK3 files sent by the server. This can be exploited to overwrite arbitrary files within the folder specified by the "fs_homepath" cvar on the client, or to create new files with any extensions.
Successful exploitation requires that the Automatic Downloading functionality is enabled.
3) An error exists within the client when handling the list of cvar variables sent from a server. This can be exploit by a malicious server to overwrite the values of certain cvar variables configured on the client. This can be further exploited to e.g. enable the Automatic Downloading functionality on the client, or to overwrite the "fs_homepath" cvar, thus allowing the overwriting of arbitrary files on the system when used together with vulnerability #2.
The vulnerabilities have been reported in Quake III 1.32c. Other versions may also be affected.
Note: Other products based on the Quake3 engine may also be affected.
Solution:
Do not connect to untrusted game servers.
Provided and/or discovered by:
Luigi Auriemma
Changelog:
2006-06-08: Added CVE reference.
2006-06-28: Added information about additional vulnerabilities.
2006-07-04: Added CVE references.
Original Advisory:
http://aluigi.altervista.org/adv/q3cbof-adv.txt
http://aluigi.altervista.org/adv/q3cfilevar-adv.txt
|
|
|
Track this Secunia Advisory
|
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.
Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.
|
|
|
About this Secunia Advisory
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
