|
 |
|
Quake3 Engine File Overwrite And Buffer Overflow Vulnerabilities
|
|
|
|
|
Secunia Advisory:
|
SA20401
|
|
|
Release Date:
|
2006-06-05
|
|
Last Update:
|
2006-07-04
|
|
|
Critical:
|
Moderately critical
|
|
Impact:
|
Security Bypass
DoS
System access
|
|
Where:
|
From remote
|
|
Solution Status:
|
Unpatched
|
|
| Software: | Quake3 Engine 1.x
|
| | CVE reference: | CVE-2006-2875 (Secunia mirror)
CVE-2006-3324 (Secunia mirror)
CVE-2006-3325 (Secunia mirror)
|
|
|
This advisory is currently marked as unpatched!
- Companies can be alerted when a patch is released! |
|
|
Description:
Luigi Auriemma has reported some vulnerabilities in the Quake3 Engine, which can be exploited by malicious people to pass certain security restrictions, cause a DoS (Denial of Service) and potentially to compromise a user's system.
1) A boundary error exists within the "CL_ParseDownload()" function in "code/client/cl_parse.c" when handling the download commands received from the server. This can be exploited to cause a stack-based buffer overflow via a malicious "svc_download" command sent from the server.
Successful exploitation may allow arbitrary code execution but requires that e.g. the user is tricked into connecting to a malicious server.
2) An error exists within the Automatic Downloading functionality when handling filenames of PK3 files sent by the server. This can be exploited to overwrite arbitrary files within the folder specified by the "fs_homepath" cvar on the client, or to create new files with any extensions.
Successful exploitation requires that the Automatic Downloading functionality is enabled.
3) An error exists within the client when handling the list of cvar variables sent from a server. This can be exploit by a malicious server to overwrite the values of certain cvar variables configured on the client. This can be further exploited to e.g. enable the Automatic Downloading functionality on the client, or to overwrite the "fs_homepath" cvar, thus allowing the overwriting of arbitrary files on the system when used together with vulnerability #2.
The vulnerabilities have been reported in Quake III 1.32c. Other versions may also be affected.
Note: Other products based on the Quake3 engine may also be affected.
Solution:
Do not connect to untrusted game servers.
Provided and/or discovered by:
Luigi Auriemma
Changelog:
2006-06-08: Added CVE reference.
2006-06-28: Added information about additional vulnerabilities.
2006-07-04: Added CVE references.
Original Advisory:
http://aluigi.altervista.org/adv/q3cbof-adv.txt
http://aluigi.altervista.org/adv/q3cfilevar-adv.txt
|
|
|
|
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
|
|
|
4 Related Secunia Security Advisories
|
|
|
1. Quake 3 Buffer Overflow Vulnerabilities
|
|
2. Quake3 Engine "remapShader" Buffer Overflow and Directory Traversal
|
|
3. Quake3 Engine Denial of Service Vulnerability
|
|
4. Quake3 Engine Query Handling Denial of Service Vulnerability
|
|
|
Send Feedback to Secunia
|
|
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com.
Ideas, suggestions, and other feedback are most welcome.
|
|
|
|
|
|
Secunia PSI
Scan | Patch | Track
Free Download
|
|
|
Secunia Poll
|
|
|
|
|
 |
|
|
Most Popular Advisories
|
|
|
|
|
|
