######################################################################

Title:  How to disconnect a Quake 3 engine client using a single spoofed
        packet of at least 4 bytes
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web:    aluigi.org

######################################################################

1) Introduction
2) Explanation
3) The Code

#######################################################################

===============
1) Introduction
===============

This little paper explains a quick method to stop the game of a Quake 3
client, but above all it wants to demonstrate how a function that checks
for possible data injection or errors in network packets can have the
undesired effect of becoming a Denial of Service for the same program.

Naturally this problem doesn't affect only Quake 3 but also all the other
games based on its engine, such as Soldier of Fortune 2, Return to Castle
Wolfenstein and so on.

The only 3 requirements to start disconnecting clients are the client IP
address, the server IP address (which is not a problem) and the ability
to spoof packets (the best place to launch this attack is a LAN, so this
is not a problem either). Another requirement could be the client source
port, but it is almost always 27960.

These requirements naturally limit the usage of this method, but there
are probably a lot of situations where it can be applied. For example a
simple exploit can send a malformed packet to a specific range of IP
addresses. The perfect usage of this method, in fact, is in LANs where
there are Quake 3 players and usually the "boss" or the LAN's
administrator doesn't want them to play this great game.

The same thing can also be done by typical gamers to their friends if
they know the range of IP addresses (or just the exact IP address, in the
case of clients with a fixed IP or, for example, behind NAT) of their
friends and wanna have fun disconnecting them from the server 8-)

Another possible usage (and probably the most dangerous) is at LAN
parties, where a malicious player can stop the game of all the other
players in a second!

#######################################################################

==============
2) Explanation
==============

As you have understood, the "attacker" must spoof a UDP packet using the
client and the server IP addresses. The attacker doesn't need to know the
Quake 3 protocol or the algorithm that encodes the packets... he must
simply send a packet with some random data in it.

In my tests, the best packet to cause the disconnection is:

  ff ff ff 7f

A packet that contains this data should disconnect any client of any game
based on the Quake 3 engine (however, feel free to test other solutions).

Those 4 bytes are the sequential packet number. This number is used to
identify the correct sequence of the packets and probably also for
security reasons, to avoid data injection or the handling of wrong data.
However I have not debugged this problem too much, only because I
consider it something closer to a funny thing than a real bug.

How the problem happens: the server sends the packet to the client and
the client exits immediately, without an error message and moreover
without knowing why it exited.

#######################################################################

===========
3) The Code
===========

I have written a very simple exploit for this funny problem:

  http://aluigi.org/poc/q3noclient.zip

#######################################################################
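The design point of section 2 is that a sequence-number sanity check, written so that a failed check is fatal, turns one forged datagram into a disconnect. The following added example (not code from the advisory, nor from the Quake 3 engine) models the receiving side in Python: `fragile_receive` shows the failure mode the advisory describes, while `NetchanState.receive` shows the defensive alternative, dropping the packet, logging the anomaly and keeping the connection alive. The little-endian byte order (so that `ff ff ff 7f` reads as `0x7fffffff`), the `MAX_SEQ_JUMP` window and the sample packets are my assumptions and constructions, not values taken from the advisory.

```python
import struct

# Constructed sample datagrams (not captured traffic): a 4-byte header
# followed by arbitrary payload bytes.
SPOOFED_SEQ_PACKET = bytes.fromhex("ffffff7f") + b"\x00" * 4  # the advisory's ff ff ff 7f
VALID_PACKET = struct.pack("<I", 1001) + b"payload"

# Assumed plausibility window for forward jumps in the sequence number.
# This is a modelling choice, not a value from the advisory or the engine.
MAX_SEQ_JUMP = 1024


def parse_sequence(packet: bytes):
    """Return the 32-bit sequence number carried in the first 4 bytes, or
    None if the datagram is too short to hold one. Little-endian order is
    my assumption about how ff ff ff 7f is interpreted (0x7fffffff)."""
    if len(packet) < 4:
        return None
    return struct.unpack_from("<I", packet, 0)[0]


def fragile_receive(last_seq: int, packet: bytes) -> str:
    """Model of the behaviour the advisory describes: the integrity check
    treats an implausible sequence number as fatal, so the client quits
    with no error message. One forged datagram is enough."""
    seq = parse_sequence(packet)
    if seq is not None and seq - last_seq > MAX_SEQ_JUMP:
        return "exit"
    return "accept"


class NetchanState:
    """Minimal receiver state for the defensive variant: the same check,
    but a failure only drops the offending datagram and records an alert,
    so a spoofed packet cannot end the session."""

    def __init__(self, last_seq: int):
        self.last_seq = last_seq
        self.accepted = 0
        self.dropped = 0
        self.alerts = []

    def receive(self, packet: bytes, src: str) -> str:
        seq = parse_sequence(packet)
        if seq is None:
            # Too short to carry a header: ignore it.
            self.dropped += 1
            return "drop:short"
        if seq <= self.last_seq:
            # Duplicate or out-of-order datagram: normal UDP noise, drop silently.
            self.dropped += 1
            return "drop:stale"
        if seq - self.last_seq > MAX_SEQ_JUMP:
            # Implausible forward jump (0x7fffffff lands here): drop the
            # datagram, keep the connection, and leave a trace for the
            # operator. The source address is logged as reported, since a
            # spoofed datagram will claim the server's address.
            self.dropped += 1
            self.alerts.append(
                f"suspicious sequence 0x{seq:08x} claimed from {src} "
                f"(last accepted {self.last_seq})"
            )
            return "drop:jump"
        self.last_seq = seq
        self.accepted += 1
        return "accept"


if __name__ == "__main__":
    print("fragile client:", fragile_receive(1000, SPOOFED_SEQ_PACKET))
    state = NetchanState(last_seq=1000)
    for pkt in (VALID_PACKET, SPOOFED_SEQ_PACKET, VALID_PACKET):
        print("tolerant client:", state.receive(pkt, "192.0.2.10"))
    for line in state.alerts:
        print("ALERT:", line)
```

Run stand-alone, the script shows the fragile model returning `exit` for the `ff ff ff 7f` datagram while the tolerant receiver reports `drop:jump`, keeps its last accepted sequence unchanged and continues to process later traffic; the alert line is what a LAN administrator would want to see in a client or IDS log when this kind of packet shows up.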