COMMAND
Quake3Arena Auto-Download Feature
SYSTEMS AFFECTED
Quake III
PROBLEM
The following is based on an Internet Security Systems security advisory.
Internet Security Systems (ISS) has identified a vulnerability in
id Software's Quake3Arena that could allow an attacker to read
or write files on a computer that has the software installed.
This vulnerability is important to network administrators who may
be unaware that users are accessing potentially malicious
Quake3Arena servers outside their network.
The environment for Quake3Arena allows client-side modification
to read and write files for purposes such as configuration.
Modifications run in a protected environment similar to the Java
virtual machine but proprietary to id Software. The file access
routines in this environment are limited to files installed in
the directory where the modification is installed. Modifications
are located in subdirectories under the Quake3Arena installation
directory. It is possible, however, to open files in directories
above the modification's directory, which allows an attacker to
open any file on the same drive.
Combining the ability to access files with the automatic download
feature that was added to Quake3Arena in the 1.16 update on March
15, 2000, this vulnerability could be used by an attacker to
execute malicious code on any system that connects to a
Quake3Arena server. This vulnerability allows an attacker to
have read or write access to a Quake3Arena user's filesystem when
the user connects to a server run by the attacker. This could
allow attackers to install Trojan horse programs, gather
passwords, and read or write files.
The affected version is Quake3Arena 1.16 for Windows, which allows
read or write access to files and allows code to be automatically
downloaded to the user's system for the purpose of manipulating
files.
A Software Development Kit (SDK) for Quake3Arena is supplied by id
Software along with source code to a major portion of the program
logic. The SDK is intended to encourage the development of
modifications and enhancements to the program.
Within the source code for the client side portion of the program,
a number of predefined functions can be called by game
modifications. A majority of these functions manipulate data
within the game itself and pose no danger to the system on which
the software is running.
However, four of these functions allow read or write access to the
filesystem. The read functions can read files stored on the
filesystem as well as data compressed within the PKZIP-compatible
.PK3 files. The write functions only write to files directly on
the filesystem. Files are opened by relative path, which is meant to
confine access to files that reside in the subdirectory where the
modification has been installed, or packed inside the .PK3 files of
that directory.
The routines used to open files do not strip ".." from a file
specification before the file is opened. They do detect it, and an
attempt to use such a path produces the following console message:
"WARNING: refusing to create reletive path "C:\etc\etc\etc"
The bug in the implementation is that the file is opened anyway,
despite the warning. It is easy for the end user to miss the
message, since status and error messages are written to the
Quake3Arena 'console', which is normally not visible within the
program unless the user presses a special key.
This bug combined with the automatic downloading feature in
version 1.16 could be used to mount an attack.
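The engine itself is written in C; the following is an added Python illustration of the bug described above and of the check that should have been in its place. It is not id Software's code and not id's fix: the function names, the mod directory C:\Quake3\mymod and the qpaths are all assumed for the example. The "1.16" model does what the advisory describes (notices "..", warns on the console, returns the path to be opened regardless); the hardened version refuses before any open happens, rejecting absolute paths, drive letters, and any ".." path component, and then confirming the normalised result still lies under the mod directory.

```python
import ntpath  # Windows path semantics: the advisory concerns the Win32 build


class PathRefused(Exception):
    """Raised by the hardened check when a qpath would leave the mod directory."""


def fs_build_os_path_1_16(mod_dir, qpath):
    """Model of the 1.16 behaviour described in the advisory (not the engine's code).

    Returns (os_path, warning). The path is joined and normalised, ".." is
    noticed and a warning is produced, but the path is handed back (and in
    the game, opened) anyway, so the warning changes nothing.
    """
    os_path = ntpath.normpath(mod_dir + "\\" + qpath)
    warning = None
    if ".." in qpath:  # substring check, as described; also hits "foo..bar"
        # Only written to the hidden console, so the user rarely sees it.
        warning = "refusing to create relative path " + os_path
    return os_path, warning  # bug: still returned despite the warning


def fs_build_os_path_hardened(mod_dir, qpath):
    """Hardened version (added here): refuse the path instead of just warning.

    Rejects absolute paths and drive letters, rejects every ".." component
    (even one that would resolve back inside the mod directory, which is the
    conservative choice), and finally checks the normalised result is still
    below mod_dir. Returns the OS path on success, raises PathRefused otherwise.
    """
    if (ntpath.isabs(qpath) or ntpath.splitdrive(qpath)[0]
            or qpath[:1] in ("\\", "/")):
        raise PathRefused("absolute path or drive letter: %r" % qpath)
    if ".." in qpath.replace("/", "\\").split("\\"):
        raise PathRefused("parent-directory component: %r" % qpath)
    base = ntpath.normpath(mod_dir).lower()
    os_path = ntpath.normpath(mod_dir + "\\" + qpath)
    if not os_path.lower().startswith(base + "\\"):
        raise PathRefused("resolves outside %s: %s" % (mod_dir, os_path))
    return os_path


def is_refused(mod_dir, qpath):
    """True if the hardened check refuses qpath under mod_dir."""
    try:
        fs_build_os_path_hardened(mod_dir, qpath)
    except PathRefused:
        return True
    return False


if __name__ == "__main__":
    mod_dir = r"C:\Quake3\mymod"  # assumed install location for the example
    for qpath in (r"scripts\config.cfg", r"..\..\..\autoexec.bat",
                  r"..\baseq3\pak0.pk3", r"C:\Windows\system.ini",
                  "scripts/../q3config.cfg", "foo..bar.cfg"):
        opened, warning = fs_build_os_path_1_16(mod_dir, qpath)
        print("1.16 opens    :", opened, "(warned)" if warning else "")
        print("hardened      :", "REFUSED" if is_refused(mod_dir, qpath)
              else fs_build_os_path_hardened(mod_dir, qpath))
```

The traversal case shows the whole problem in one line: with the 1.16 model, `..\..\..\autoexec.bat` normalises to C:\autoexec.bat and is returned with a warning the player never sees; the hardened check refuses it before anything is opened. The last case, `foo..bar.cfg`, shows why the hardened version matches ".." as a whole path component rather than as a substring: a legitimate filename containing two dots is allowed, while every real parent-directory reference is still refused.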
This vulnerability was researched and discovered by Tim Farley of
the ISS X-Force.
SOLUTION
Operators of Quake3Arena servers are not vulnerable to attack.
However, before installing a modification and enabling automatic
downloading on a server, the server administrator should verify
the source of the modification to be sure a Trojan horse program
has not been installed.
Users of Quake3Arena should disable the auto download feature to
prevent this attack. This is done by choosing SETUP from the main
menu, followed by GAME OPTIONS. On the list that appears, make
sure "Automatic Downloading" is set to OFF. If Automatic
Downloading is turned on, you will be warned as files are
downloaded to your system.
If a user chooses to manually install game modifications to the
client, carefully check the modifications for Trojan horse
programs. If the modification includes any .QVM files in the
package, it could be used to mount an attack as described in this
advisory. Any Quake3Arena modification which uses .DLL files
should be examined carefully before installation. These
modifications do not have the same security safeguards as the
virtual environment. Also, be aware that the .PK3 files that are
often distributed are PKZIP format files, and could contain
within them trojaned .QVM files. Use a PKZIP compatible utility
to examine any .PK3 files you receive as part of a Quake3Arena
modification.
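The manual check recommended above can be done with any PKZIP-compatible tool; the following is an added Python example (not part of the advisory) that performs it with the standard zipfile module. It lists every .QVM and .DLL entry in a .PK3, and additionally flags entry names that use ".." or an absolute path, since a modification is only expected to contain files relative to its own directory. The sample archive is constructed inline and is not a real mod; the entry names are invented for the example.

```python
import io
import zipfile

# Entries that carry executable game logic. A .qvm runs inside id's VM (and
# can reach the filesystem through the bug in this advisory); a .dll is
# native code with no safeguards at all.
CODE_EXTENSIONS = (".qvm", ".dll")


def audit_pk3(pk3_bytes):
    """Inspect a .PK3 (PKZIP) archive given as bytes and return findings.

    'code'      : entries that are .qvm or .dll files
    'traversal' : entry names that escape the mod directory via ".." or an
                  absolute path
    'entries'   : total number of entries examined
    """
    findings = {"code": [], "traversal": [], "entries": 0}
    with zipfile.ZipFile(io.BytesIO(pk3_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            findings["entries"] += 1
            if name.lower().endswith(CODE_EXTENSIONS):
                findings["code"].append(name)
            parts = name.replace("\\", "/").split("/")
            if name.startswith("/") or ".." in parts or ":" in parts[0]:
                findings["traversal"].append(name)
    return findings


def should_refuse(findings):
    """Conservative policy: refuse any archive that ships code or odd paths."""
    return bool(findings["code"] or findings["traversal"])


def build_sample_pk3(plant_code=True):
    """Constructed sample (not a real modification): assets only, or assets
    plus planted QVMs, a DLL and a traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("scripts/mymod.shader", "textures/mymod/wall\n{\n}\n")
        zf.writestr("textures/mymod/wall.tga", b"\x00" * 16)
        zf.writestr("maps/mymod_dm1.bsp", b"\x00" * 16)
        if plant_code:
            zf.writestr("vm/cgame.qvm", b"\x00" * 32)   # placeholder bytes
            zf.writestr("vm/ui.qvm", b"\x00" * 32)      # placeholder bytes
            zf.writestr("sys/hook.dll", b"MZ" + b"\x00" * 30)
            zf.writestr("../autoexec.cfg", "bind F1 quit\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("clean", build_sample_pk3(plant_code=False)),
                        ("planted", build_sample_pk3())):
        findings = audit_pk3(data)
        print(label, findings, "-> refuse" if should_refuse(findings) else "-> ok")
```

To run it on a real archive, read the .pk3 into bytes and pass it to audit_pk3; the archive is never extracted, so a hostile entry name does no harm during inspection. Note that this only tells you code is present, not what it does: any .QVM or .DLL in a download from an untrusted server is reason enough to refuse it.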
Network administrators who wish to prevent Quake3Arena users from
accessing potentially malicious servers outside their network may
do so with firewall rules. Quake3Arena servers normally operate
on UDP port 27960, but can be configured to run on other port
numbers. Since port 27960 is not exclusively registered for the
use of Quake3Arena, blocking this port might affect other
applications that could arbitrarily choose this port number.
Another approach would be to block outbound access to the
following specific address from your network via UDP:
authorize.quake3arena.com:27952
Currently this address resolves to 192.246.40.56:27952, but it
could be spread across multiple IP addresses in the future.
This address is used for authentication/copy protection features
within Quake3Arena. Clients who cannot send and receive packets
to this address over the Internet will not be able to access
Internet-based Quake3Arena servers.
It is recommended by id Software that all server operators and end
users upgrade to the 1.17 point release as soon as possible. The
1.17 point release is available at:
http://www.quake3arena.com/
http://www.planetquake.com/
http://www.quake3world.com/
The network protocol version was changed in 1.17 to force a rapid
transition to the new code base. This means that 1.17 will not
communicate with prior versions of Quake3Arena.