Date: 27 May 2003

Well, the following problem is based on the very old con\con bug that affects unpatched Windows 95/98/98SE systems. If you don't know it, take a look here: http://www.microsoft.com/technet/security/bulletin/MS00-017.asp

I have decided to show this problem to the security community ONLY for 3 reasons:

- I think that it is a funny method to crash remote systems in an original way: multiplayer games and an old famous system bug.
- Probably a great number of people don't know that a patch exists to fix the con\con problem and, moreover, that this famous problem exists at all.
- I like a lot the exploit I have written and probably someone could find it interesting for other tests 8-)

Quickly: some of the games based on the Quake 3 engine have a funny feature. They display the image related to the current map played in a multiplayer match. First, they get the name of the map passed from the server in the "mapname" parameter, add a .TGA or other image extension to this name and finally try to load and display it on the screen. Because the name is taken from the server without validation, a server that sends a reserved device path as the map name makes the client open that path, and on an unpatched Windows 9x system that is exactly what triggers the con\con bug.

An example in C language for Quake 3 is the following:

    #define Q3 "\xff\xff\xff\xff" \
                  "infoResponse\n" \
                  "\\punkbuster\\0" \
                  "\\pure\\1" \
                  "\\gametype\\0" \
                  "\\sv_maxclients\\8" \
                  "\\clients\\1" \
    /* ------> */ "\\mapname\\con/con" \
                  "\\hostname\\hostname" \
                  "\\protocol\\68" \
                  "\\challenge\\xxx"

I have personally tested some games based on the Quake 3 engine and the vulnerable ones are:

- Quake 3 Arena 1.32
- Soldier of Fortune 2 1.03 GOLD

The games that I have tested and are NOT vulnerable are:

- Return to Castle Wolfenstein 1.41
- Medal of Honor: Allied Assault 1.11

ONLY the clients are vulnerable to this problem.

EXPLOIT FOR QUAKE 3 + HEARTBEAT EMULATOR
----------------------------------------

I have written an exploit that emulates a Quake 3 server and sends the con\con mapname. It can be compiled on both Unix and Windows and it also sends a heartbeat packet to the Quake 3 Masterserver (you can disable this feature by adding a 0 after the executable name when you launch it). The heartbeat is the method used by game servers to be included in the public server list that is owned by ID-Software. That means that the exploit will receive queries from all the Quake 3 clients in the world and it will send the con/con mapname back to them:

http://aluigi.org/poc/q3concon.zip

The official patch for the con\con problem (year 2000) can be found here: http://www.microsoft.com/technet/security/bulletin/MS00-017.asp

BYEZ
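As an added example (not part of the original advisory or of the author's exploit), here is how a client could handle the "mapname" parameter described above defensively: it walks the \key\value pairs of an infoResponse packet and refuses to build an image path from a map name that contains path characters or is a DOS device name. The sample packet is constructed from the payload shown above; info_value and mapname_is_safe are hypothetical names, not functions of any real game client.

```c
#include <ctype.h>
#include <string.h>

/* Constructed sample infoResponse, in the format shown in the advisory. */
static const char SAMPLE_INFO[] =
    "\xff\xff\xff\xff" "infoResponse\n"
    "\\punkbuster\\0\\pure\\1\\gametype\\0\\sv_maxclients\\8\\clients\\1"
    "\\mapname\\con/con\\hostname\\hostname\\protocol\\68\\challenge\\xxx";

/* Walk the \key\value pairs; copy the value of `key` into out, return 1 on hit. */
int info_value(const char *info, const char *key, char *out, size_t outlen)
{
    const char *p = strchr(info, '\\');
    while (p) {
        const char *kend = strchr(p + 1, '\\');
        if (!kend) break;
        const char *vend = strchr(kend + 1, '\\');
        size_t klen = (size_t)(kend - p - 1);
        size_t vlen = vend ? (size_t)(vend - kend - 1) : strlen(kend + 1);
        if (klen == strlen(key) && strncmp(p + 1, key, klen) == 0) {
            if (vlen >= outlen) return 0;      /* refuse oversized values */
            memcpy(out, kend + 1, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = vend;
    }
    return 0;
}

/* Hypothetical client-side check: only a plain identifier that is not a
   DOS device name may be turned into "<mapname>.tga" and opened. */
int mapname_is_safe(const char *name)
{
    static const char *reserved[] = { "CON", "PRN", "AUX", "NUL" };
    char upper[32];
    size_t i;
    if (name[0] == '\0' || strlen(name) >= sizeof upper) return 0;
    for (i = 0; name[i]; i++) {
        if (!isalnum((unsigned char)name[i]) && name[i] != '_' && name[i] != '-')
            return 0;                          /* rejects '/', '\\', '.', ':' */
        upper[i] = (char)toupper((unsigned char)name[i]);
    }
    upper[i] = '\0';
    for (i = 0; i < sizeof reserved / sizeof *reserved; i++)
        if (strcmp(upper, reserved[i]) == 0) return 0;
    if ((!strncmp(upper, "COM", 3) || !strncmp(upper, "LPT", 3))
        && upper[3] >= '1' && upper[3] <= '9' && upper[4] == '\0') return 0;
    return 1;
}
```

With this check in place the "con/con" value from the sample packet is rejected before any file is opened, while an ordinary map name such as q3dm17 passes.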