#######################################################################

                             Luigi Auriemma

Application:  Quake 3 engine
              http://www.idsoftware.com
Vulnerables:  - Call of Duty <= 1.5
              - Call of Duty: United Offensive <= 1.51
              - Quake III Arena <= 1.32
              - Return to Castle Wolfenstein <= 1.41
              - Soldier of Fortune II: Double Helix <= 1.03
              - Star Wars Jedi Knight II: Jedi Outcast <= 1.04
              - Star Wars Jedi Knight: Jedi Academy <= 1.0.1.0
              - Wolfenstein: Enemy Territory <= 1.02 / 2.56
              ... possibly others
              "Seem" safe:
              - Medal of Honor: Allied Assault (no effects)
              - Medal of Honor: Breakthrough
              - Medal of Honor: Spearhead
              - Star Trek Voyager: Elite Force (attacker only)
              - Star Trek: Elite Force II (attacker crash only)
              - Wolfenstein: Enemy Territory 2.60 (patched)
Platforms:    Windows, Linux and Mac
Bug:          bad handling of big commands/messages
Exploitation: remote, versus clients (in-game)
Date:         02 Apr 2005
Author:       unknown, the bug has been reported to me by an admin of
              the game Return to Castle Wolfenstein
Advisory:     Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

The Quake 3 engine is the well known game engine developed by ID
Software (http://www.idsoftware.com) and is used by many games.

#######################################################################

======
2) Bug
======

This problem has been well known in the Return to Castle Wolfenstein
and Enemy Territory communities for a long time (over one year), and
the latter is currently the only game to have an official patch,
released just a few weeks ago.
An interesting explanation of this bug and a method to fix it by
modifying the source code of the vulnerable games (SDK) is available
here:

  http://bani.anime.net/banimod/forums/viewtopic.php?p=27322

In short, the problem is in how the engine handles commands longer
than 1022 chars: they are automatically truncated at that size and the
remaining chars are handled as network data, which confuses the
engine.

If an attacker joins a server and sends a message that is too big, any
client in the server will automatically disconnect showing the
"CL_ParseServerMessage: Illegible server message" error.

In some games, or some of their older versions, a server crash can
also happen; that is not caused by this bug but by other problems
explained in the following advisories:

  http://aluigi.org/adv/jamsgbof-adv.txt
  http://aluigi.org/adv/codmsgboom-adv.txt

Only in Soldier of Fortune II do clients crash instead of simply
disconnecting, but that game supports only the vsay_team command, so
only the players on the same team as the attacker will be crashed.

The problem is in-game, so the attacker must have access to the
server: if it is password protected and he doesn't know the password,
or his IP/guid has been banned, he cannot exploit the bug.

#######################################################################

===========
3) The Code
===========

- download the following file:
  http://aluigi.org/poc/q3msgboom.cfg
- place it in the base folder of your game (like baseq3, etmain, main,
  base and so on)
- start a server and a client or, if possible, more clients to better
  observe the effects of the bug
- join the server
- go into the console of a client (~ key or shift + ~)
- type: /exec q3msgboom
- any client in the server will disconnect immediately.

If nothing happens or the vsay command is not supported, modify the
q3msgboom.cfg file using other commands like say or vsay_team.
In Jedi Knight II the script needs to be executed a few times before
the effects are seen.
#######################################################################

======
4) Fix
======

Currently only Enemy Territory 2.60 is officially fixed.
I have tried many times in these last weeks to find a universal way to
fix the bug but had no luck; in fact the method suggested by Banimod
(http://bani.anime.net/banimod/forums/viewtopic.php?p=27322) is ok but
requires recompilation of the SDK (where available).
Anyway, the function to modify is located in the "game" code (the name
of a specific portion of the engine), which some games build as a DLL
and others as a QVM file (harder to fix, and zipped inside the pk3
packages). The binary pattern of the function also changes a lot from
game to game, in particular because the G_SEND_SERVER_COMMAND value
changes, so a binary fix based on the previously mentioned patch is
not possible.

#######################################################################
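The server-side guard that section 4 refers to, as an added example in C that is not part of this advisory, of the Banimod patch, or of any game's SDK: it wraps the game module's call to trap_SendServerCommand with a check against the 1022-character limit from section 2, drops and logs anything longer, and uses a stand-in for the G_SEND_SERVER_COMMAND syscall so it compiles and runs without an engine. The names safe_send_server_command, server_command_fits, command_of_length_accepted and engine_send_server_command are assumptions; the sample commands are constructed.

```c
/* Added example: length guard for server commands, in the spirit of the
 * Banimod / Enemy Territory 2.60 fix. Not code from the advisory or from
 * any game SDK; engine_send_server_command stands in for the real
 * G_SEND_SERVER_COMMAND syscall and the function names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Commands longer than this are truncated by the engine and the remainder
 * is parsed as network data (the bug described in section 2). */
#define MAX_SERVER_COMMAND_CHARS 1022

/* Counters so the behaviour of the guard can be checked without an engine. */
static int commands_forwarded = 0;
static int commands_dropped = 0;

/* Stand-in for syscall(G_SEND_SERVER_COMMAND, clientNum, text). */
static void engine_send_server_command(int clientNum, const char *text)
{
    (void)clientNum;
    (void)text;
    commands_forwarded++;
}

/* Returns 1 if the text is short enough to be sent as one server command. */
int server_command_fits(const char *text)
{
    return strlen(text) <= MAX_SERVER_COMMAND_CHARS;
}

/* Guarded replacement for trap_SendServerCommand: forwards commands within
 * the limit (returns 1) and drops oversized ones after logging (returns 0).
 * Dropping is the safe choice: a truncated command would still leave the
 * remaining bytes to be misparsed by every receiving client. */
int safe_send_server_command(int clientNum, const char *text)
{
    size_t len = strlen(text);

    if (len > MAX_SERVER_COMMAND_CHARS) {
        commands_dropped++;
        /* log the client number, the length and only a short prefix of the text */
        fprintf(stderr,
                "SendServerCommand(%d): length %lu exceeds %d, dropped: [%.60s]...\n",
                clientNum, (unsigned long)len, MAX_SERVER_COMMAND_CHARS, text);
        return 0;
    }
    engine_send_server_command(clientNum, text);
    return 1;
}

/* Helper: builds a constructed command of n characters and reports whether
 * the guard forwarded it (1) or dropped it (0); -1 on allocation failure. */
int command_of_length_accepted(size_t n)
{
    char *text = malloc(n + 1);
    int accepted;

    if (text == NULL)
        return -1;
    memset(text, 'A', n);
    text[n] = '\0';
    accepted = safe_send_server_command(-1, text);  /* -1: broadcast to all clients */
    free(text);
    return accepted;
}

int commands_forwarded_count(void) { return commands_forwarded; }
int commands_dropped_count(void) { return commands_dropped; }

int main(void)
{
    /* constructed samples: a normal chat line, a command exactly at the
     * limit and one a single character over it */
    safe_send_server_command(-1, "chat \"player: hello\"");
    command_of_length_accepted(1022);
    command_of_length_accepted(1023);
    printf("forwarded=%d dropped=%d\n",
           commands_forwarded_count(), commands_dropped_count());
    return 0;
}
```

In a real game module the guard belongs at the single point where the game code hands commands to the engine (the trap_SendServerCommand wrapper), so that say, vsay, vsay_team and every other path that builds a server command is covered at once; logging the client number gives admins something to correlate with their ban list.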