Secunia

Luigi Auriemma has reported some vulnerabilities in the Quake3 Engine, which can be exploited by malicious people to pass certain security restrictions, cause a DoS (Denial of Service) and potentially to compromise a user's system.

1) A boundary error exists within the "CL_ParseDownload()" function in "code/client/cl_parse.c" when handling the download commands received from the server. This can be exploited to cause a stack-based buffer overflow via a malicious "svc_download" command sent from the server.

Successful exploitation may allow arbitrary code execution but requires that e.g. the user is tricked into connecting to a malicious server.

2) An error exists within the Automatic Downloading functionality when handling filenames of PK3 files sent by the server. This can be exploited to overwrite arbitrary files within the folder specified by the "fs_homepath" cvar on the client, or to create new files with any extensions.

Successful exploitation requires that the Automatic Downloading functionality is enabled.

3) An error exists within the client when handling the list of cvar variables sent from a server. This can be exploit by a malicious server to overwrite the values of certain cvar variables configured on the client. This can be further exploited to e.g. enable the Automatic Downloading functionality on the client, or to overwrite the "fs_homepath" cvar, thus allowing the overwriting of arbitrary files on the system when used together with vulnerability #2.

The vulnerabilities have been reported in Quake III 1.32c. Other versions may also be affected.

Note: Other products based on the Quake3 engine may also be affected.

Solution
Do not connect to untrusted game servers.

Provided and/or discovered by
Luigi Auriemma

Changelog
Further details available in Customer Area

Original Advisory
http://aluigi.altervista.org/adv/q3cbof-adv.txt
http://aluigi.altervista.org/adv/q3cfilevar-adv.txt

Deep Links
Links available in Customer Area