Date: Tue, 4 Feb 2003 11:49:40 +0100
From: Thilo Schulz <arny@ats.s.bawue.de>
To: bugtraq@securityfocus.com
Subject: Quake3 engine autodownload issues.
Hello,
The Quake3 Engine's feature for automatically downloading modifications f=
rom=20
the server to the client bears great potential of abuse and could even le=
ad=20
to execution of arbitrary code. Because this is quake3 engine related man=
y=20
games aside from quake3 suffer from the same problem as well.
First a few lines to explain the background:
In Quake3 engine games (at least those who haven't been modified too heav=
ily=20
by the developer who came to license the engine) all game data files, map=
s,=20
textures, models, sounds etc. are contained by to .pk3 suffixed=20
ZIP-compressed archives.
Modifications as well, with files for the virtual machine that determines=
the=20
bahaviour of the engine.
If a player joins this server, the server requests checksums for various=20
=2Epk3's that are in use on the server and of the game itself from the cl=
ient,=20
to validate that the client has not messed around with certain files to=20
enable the possibility of cheating (Aimbots for example).
On the other hand, if the server is right now playing a map and the clien=
t=20
connecting to the server does not have this map, this client starts, if a=
ll=20
permissions are set to default, automatically downloading the .pk3 file t=
hat=20
contains the map files with its textures and all it needs to play this ma=
p.
The same goes for modifications. In order to allow automatically download=
ing,=20
the server and the client need to have the variable cl_allowdownload set =
to=20
1. This is the default in most games.
So here we are at the first possibility of abuse:
The Server administrator can load modifications on his server, that are v=
ery=20
small in file size. When the client connects to this server, it will star=
t=20
automatically downloading this modification, which will be very short due=
to=20
small size, this is why the user is most likely to ignore it. The=20
administrator may have set this mod on the server this way, that he can=20
enable cheating on this server while other people can not. This possibili=
ty=20
is already known and was only mentioned for the sake of completeness.
Secondly, certain files may break the starting of the game. I have found =
an=20
example for the game Star Trek Voyager: Elite Force, where if you downloa=
d=20
the .pk3 file for a multiplayer map, the single player will not start up=20
anymore and lots of garbish appearing in the start-up console. Here is a =
link=20
to the file:
http://www.hazardteam.de/downloads-file.html?type=3Dmaps&id=3D104
The author of this map certainly did not intend this to happen, someone w=
ith=20
malicious intends is no doubtedly possible to modify the content and redu=
ce=20
the size of the file reasonably to have the same effect, depending on the=
=20
game.
Thirdly: We do not know which bugs lurk in the deepness of the closed sou=
rce=20
of the games. These games are complex - the engine needs to load the maps=
=20
correctly and display them, also game developers add powerful script=20
interpreters to make it possible to script events in single player missio=
ns.=20
These bugs cannot all be found and fixed in time, the potential if a bug =
was=20
found in one of these games would be enormous. Just think about the thous=
ands=20
of clients that have this automatical downloading enabled. The file at th=
e=20
top is an example how by a simple coincidence a way was found to make the=
=20
game crash before it even started up.
This is why I have written this report. The only advice I can give is not=
to=20
make the same mistake microsoft did with its outlook and enable various=20
things by default that makes it 10x easier to start any exploits without =
the=20
user wanting to do so.
All users should set the variable cl_allowdownload in all .cfg files in t=
he=20
quake3 directory to '0' , and not download maps / modifications from=20
untrusted sources, also Game developers should disable this by default. I=
f=20
this is enabled, an unsuspecting user downloads on connect whatever the=20
server administrator intends to.
I have checked various games, obviously some game developers have already=
=20
recognized this threat.
Games I have found vulnerable:
Ravensoft's Star Trek Voyager: EliteForce
Medal of Honour: Allied Assault
Medal of Honour: Spearhead
The id guys seem to have done a better job, it seems that in the latest p=
oint=20
release cl_allowdownload was set to '0' by default.
I have only limited time for research, I do not doubt that alot more game=
s=20
than these (where the MOHAA has got a solid user base) have automatically=
=20
download on by default.
I would like to annotate, that generally the unreal tournament engine fam=
ily=20
also has the autodownload feature. I am not familiar with this type of=20
engines, yet it bears the same potential of abuse.
- Thilo Schulz
