
Date:	Fri, 22 Jan 1999 19:48:26 +0100
From:	Patrick Oonk <patrick@PINE.NL>
Subject:      More Quake2 buffer overflows and nuisances
To:	BUGTRAQ@NETSPACE.ORG

This was forwarded to me by Roderick van Domburg,
Quake II admin at GamePoint (www.gamepoint.net)

----- Forwarded message from Roderick 'GoG' van Domburg -----

From gog@gamepoint.net  Fri Jan 22 19:40:42 1999
Message-ID: <001501be4637$08817500$0200000a@roderick>
From: "Roderick 'GoG' van Domburg" <gog@gamepoint.net>
To: <patrick@pine.nl>
Subject: Quake2 Buffer Overflows
Date: Fri, 22 Jan 1999 19:42:58 +0100
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3155.0
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3155.0

This information I collected not only from my own experiences, but with a
lot of help from the q2-serverlist and Kai Kenner "L-Fire" as well. With all
four of them a buffer overflow seems to be the issue.

The first two bugs reside in id's CTF 1.02 source code, on which basically
any CTF mod I can think of, save for LM CTF, is based. From what I know,
L-Fire CTF 1.04 and the upcoming 3Team CTF 1.20 (will) have this fixed,
possibly others as well.

The first bug seems to have been discovered just recently and unfortunately
it's already public.  It's being circulated on IRC channels and is being
used to crash Quake2 servers. L-Fire's CTF server YYZ-1 was crashed twice
which is how we were first made aware of the bug.

Because it's a buffer overflow bug, some people have also been trying to
exploit it to violate system security.

A client can crash the server by doing a say_team chat with many say_team
macro expansions (using %L for example).  If someone does a say_team with 50
%L (say_team "%L%L%L%L%L%L%L%L%L%L%L%L%L%L%..."), the server will crash.

This bug is in the function CTFSay_Team (file g_ctf.c).  The function builds
a string by expanding the % macros, then it iterates through the clients and
sends the string to each client.  If the string is too big the server
crashes.

In the function Cmd_Say_f (file g_cmds.c), there is the following statement
and comment:

   // don't let text be too long for malicious reasons
   if (strlen(text) > 150)
      text[150] = 0;

Cmd_Say_f limits the chat text to 150 characters to avoid various problems.
CTFSay_Team does not restrict the chat text and this ultimately causes
problems.

You could of course also implement a sanity check, detecting any superfluous
chatmacros but that would involve a great deal of CPU usage that may not be
worth it.

Immediately before the for() loop at the end of CTFSay_Team, add the
following lines:

   *p = 0;

   if ( strlen(outmsg) > 150)       // new line added
      outmsg[150] = 0;              // new line added

   for (i = 0; i < maxclients->value; i++) {
      ...
   }


---------------------------------------------------------------------------

The second bug is more of a nuisance, but it won't cause the server to
crash.
A player can join a team and appear with the default male/grunt skin by
setting his skin to anything with two forward slashes.
For example, skin "a/b/c" or even skin "//".

This bug is in the function CTFAssignSkin (file g_ctf.c).  The line
   if ((p = strrchr(t, '/')) != NULL)
should be
   if ((p = strchr(t, '/')) != NULL)

---------------------------------------------------------------------------

Both of these bugs exist in the id CTF 1.02 source code and possibly earlier
versions.  Please do not make the details of these bugs public as it will
probably be a while before mods have been fixed and all servers have been
upgraded.

The other two security problems I have found using the Lithium II mod,
version 1.23 and likely previous versions as well.

Another issue seems only to bother the Linux version (again, 100% not sure
though). If you have two directories both containing the Lithium II 1.23 mod
(haven't tried previous versions), one being lithium and the other a random
other name, say, lithium_2 with gamedir set to lithium (because you want to
prevent clients from crashing when taking screenshots) and enable
administrator functions in the second directory, any user can gain
administrative access simply by entering 'admin' in the Quake2 console.

If this happens, the user is granted an extremely strange and high
adminlevel, often of 7 random digits. Disabling any of the admin functions
(including both admincode and adminpassword), restricting them to IPs or
limiting them to a low adminlevel does not have any effect; setting the
Quake2 server cvar adminlist to blank doesn't work either.

Only removing the admin.lst file in *both* directories prevents this
security error from occurring.

Roderick 'GoG' van Domburg  -  ICQ UIN 7798700
GamePoint Quake II & Windows NT Administrator

            - GamePoint - The Place to LPB! -
                     http://www.gamepoint.net


----- End of forwarded message from Roderick 'GoG' van Domburg -----

--
: Patrick Oonk -    http://patrick.mypage.org/  - patrick@pine.nl :
: Pine Internet B.V.     Consultancy, installation and management :
: Tel: +31-70-3111010 - Fax: +31-70-3111011 - http://www.pine.nl/ :
: -- Pine Security Digest - http://security.pine.nl/ (Dutch) ---- :
: "unix is for types without a social life..." - Patrick van Eijk :
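As an added illustration (not code from the CTF source or from either poster), the two fixes described above written as bounded routines: a % macro expander that can never run past its output buffer, which is the property the 150-character truncation in CTFSay_Team restores, and a skin check that splits at the first '/' (strchr) rather than the last (strrchr). The macro table, function names and sample values are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the CTF chat macro table; only two macros are modelled.
   The values are constructed for this example. */
static const char *macro_value(char c)
{
    switch (c) {
    case 'L': return "Red Base";   /* constructed sample location */
    case 'H': return "100";        /* constructed sample health */
    default:  return NULL;         /* unknown macro: copy it literally */
    }
}

/* Expand % macros from `in` into `out` without ever writing past
   out[outsz - 1], and always NUL-terminate.  Returns the number of bytes
   written (excluding the NUL).  An expansion that would not fit is
   dropped and expansion stops, so "%L%L%L..." can only fill the buffer,
   not overrun it. */
size_t expand_team_macros(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz == 0) return 0;
    while (*in && n + 1 < outsz) {
        if (*in == '%' && in[1] != '\0') {
            const char *v = macro_value(in[1]);
            if (v) {
                size_t len = strlen(v);
                if (n + len >= outsz) break;   /* no room left: stop */
                memcpy(out + n, v, len);
                n += len;
                in += 2;
                continue;
            }
        }
        out[n++] = *in++;
    }
    out[n] = '\0';
    return n;
}

/* A skin is "model/skin".  Split at the first '/' (as the fixed
   CTFAssignSkin does with strchr) and reject a second '/' outright. */
int skin_is_valid(const char *skin)
{
    const char *p = strchr(skin, '/');
    if (!p || p == skin || p[1] == '\0') return 0;   /* need both parts */
    return strchr(p + 1, '/') == NULL;               /* no second slash */
}
```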