####################################################################### Luigi Auriemma Application: Quake 3 engine http://www.idsoftware.com Games: - Call of Duty <= 1.5b - Call of Duty: United Offensive <= 1.51b - Heavy Metal: F.A.K.K.2 <= 1.02 - Quake III Arena <= 1.32c - Return to Castle Wolfenstein <= 1.41b - Soldier of Fortune II: Double Helix <= 1.03 - Star Trek Voyager: Elite Force <= 1.20 - Star Trek: Elite Force II <= 1.10 - Star Wars Jedi Knight II: Jedi Outcast <= 1.04 - Star Wars Jedi Knight: Jedi Academy <= 1.011 - Wolfenstein: Enemy Territory <= 1.02 / 2.56 ...possibly others Platforms: Windows, Linux and Mac Bug: crash or shutdown caused by incorrect handling of big queries Exploitation: remote, versus server Date: 12 Feb 2005 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bug 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== The Quake 3 engine is the well known game engine developed by ID Software (http://www.idsoftware.com) and is used by many games. Some months ago I reported similar problems in three games based on this engine: Medal of Honor, Call of Duty and Soldier of Fortune II. Except for Medal of Honor that is affected by a specific buffer overflow, the other two games can be "probably" included in this advisory too but I'm not totally sure. ####################################################################### ====== 2) Bug ====== The Quake 3 engine has problems to handle big queries allowing an attacker to shutdown any game server based on this engine: ERROR: Info_SetValueForKey: oversize infostring In some of the vulnerable games is also possible to crash the server. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/q3infoboom.zip A simple scanner for testing any game based on the Quake 3 engine. ####################################################################### ====== 4) Fix ====== Only the two Linux versions Call of Duty games have been fixed with the 1.5b and 1.51b patches, while all the others are still vulnerable (included the Windows version of Call of Duty!). I have released an universal patcher that limits the amount of handled data in the queries from 1023 to 512 solving the problem in any game: http://aluigi.org/patches/q3infofix.lpatch #######################################################################