The Quake3 engine's feature for automatically downloading modifications from
the server to the client bears great potential for abuse and could even lead
to execution of arbitrary code. Because this is a Quake3 engine issue, many
games besides Quake3 suffer from the same problem as well.
First, a few lines to explain the background:
In Quake3 engine games (at least those that have not been modified too heavily
by the developer who licensed the engine), all game data files (maps,
textures, models, sounds etc.) are contained in ZIP-compressed archives with
the .pk3 suffix. Modifications are packaged the same way, together with the
files for the virtual machine that determines the behaviour of the engine.
When a player joins a server, the server requests from the client checksums
for the various .pk3 files in use on the server and for the game itself, to
validate that the client has not tampered with certain files to make cheating
possible (aimbots, for example).
On the other hand, if the server is currently playing a map that the
connecting client does not have, then, if all permissions are left at their
defaults, the client automatically starts downloading the .pk3 file that
contains the map with its textures and everything else needed to play it.
The same goes for modifications. For automatic downloading to work, the
server and the client need to have the variable cl_allowdownload set to 1.
This is the default in most games.
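Because a .pk3 is only a ZIP archive, a client (or an administrator auditing a client's download cache) can inspect what was pulled from a server without trusting the server's word for it. The following is an added example, not part of the advisory: it opens a .pk3 as a ZIP and separates plain map data from virtual-machine code, so that a "map" which also ships game-logic files can be spotted. The entry names used for VM code (the vm/ directory and the .qvm suffix) and the data suffix list are assumptions made for this example; the sample archives are constructed in memory.

```python
import io
import zipfile
from typing import Dict, List

# Assumed layout: Quake3-style mods ship their virtual-machine bytecode as
# vm/*.qvm; everything else here is treated as media/map data. These lists are
# assumptions for this example, not taken from the advisory.
CODE_PREFIXES = ("vm/",)
CODE_SUFFIXES = (".qvm",)
DATA_SUFFIXES = (".bsp", ".aas", ".tga", ".jpg", ".md3", ".wav", ".shader", ".arena")


def classify_pk3(data: bytes) -> Dict[str, List[str]]:
    """Open .pk3 bytes as a ZIP and group its entries into code / data / other."""
    result: Dict[str, List[str]] = {"code": [], "data": [], "other": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith("/"):
                continue  # directory entry, carries no content
            if lower.startswith(CODE_PREFIXES) or lower.endswith(CODE_SUFFIXES):
                result["code"].append(name)
            elif lower.endswith(DATA_SUFFIXES):
                result["data"].append(name)
            else:
                result["other"].append(name)
    return result


def is_plain_map_pack(data: bytes) -> bool:
    """True only when the archive holds map/media data and no VM code or unknown files."""
    groups = classify_pk3(data)
    return not groups["code"] and not groups["other"]


def build_sample_pk3(entries: Dict[str, bytes]) -> bytes:
    """Constructed sample: build an in-memory .pk3 from a name -> content mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a genuine map pack, and a small "map" that also carries
# client-side VM code of the kind an auto-download would silently install.
MAP_ONLY = build_sample_pk3({
    "maps/ctf_example.bsp": b"IBSP placeholder",
    "textures/example/wall.tga": b"\x00" * 16,
    "scripts/ctf_example.arena": b'{ map "ctf_example" }',
})

MOD_WITH_CODE = build_sample_pk3({
    "maps/ctf_example.bsp": b"IBSP placeholder",
    "vm/cgame.qvm": b"QVM placeholder",
    "vm/ui.qvm": b"QVM placeholder",
})

if __name__ == "__main__":
    import sys
    # Usage: python audit_pk3.py <file.pk3> [...]; with no arguments, run the samples.
    targets = sys.argv[1:] or []
    blobs = [(p, open(p, "rb").read()) for p in targets] or [
        ("MAP_ONLY", MAP_ONLY), ("MOD_WITH_CODE", MOD_WITH_CODE)]
    for label, blob in blobs:
        groups = classify_pk3(blob)
        verdict = "plain map data" if is_plain_map_pack(blob) else "CONTAINS CODE/UNKNOWN"
        print(f"{label}: {verdict}; code={groups['code']} other={groups['other']}")
```

Run it over the contents of a client's download directory after connecting to an unfamiliar server; any archive that lands in the "code" bucket changed how the game behaves, which is exactly the small, silently downloaded modification the advisory describes.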
So here we are at the first possibility of abuse:
The server administrator can load modifications on his server that are very
small in file size. When a client connects to this server, it automatically
starts downloading this modification; because the file is small the download
is very short, which is why the user is most likely to ignore it. The
administrator may have set up this mod on the server so that he can cheat on
this server while other people cannot. This possibility is already known and
is only mentioned for the sake of completeness.
Secondly, certain files may break the starting of the game. I have found an
example for the game Star Trek Voyager: Elite Force, where if you download
the .pk3 file for a multiplayer map, the single player will not start up
anymore and lots of garbage appears in the start-up console. Here is a link
to the file:
http://www.hazardteam.de/downloads-file.html?type=maps&id=104
The author of this map certainly did not intend this to happen, but someone
with malicious intent could no doubt modify the content and reduce the size
of the file considerably to achieve the same effect, depending on the game.
Thirdly: we do not know which bugs lurk in the depths of the closed source
of these games. These games are complex: the engine needs to load the maps
correctly and display them, and game developers add powerful script
interpreters to make it possible to script events in single player missions.
Not all of these bugs can be found and fixed in time, and the potential
impact if a bug were found in one of these games would be enormous. Just think
about the thousands of clients that have this automatic downloading enabled.
The file above is an example of how, by simple coincidence, a way was found to
make the game crash before it even started up.
This is why I have written this report. The only advice I can give is not to
make the same mistake Microsoft did with Outlook and enable various things by
default that make it 10x easier to launch any exploit without the user
wanting to do so.
All users should set the variable cl_allowdownload to '0' in all .cfg files
in the quake3 directory, and should not download maps or modifications from
untrusted sources; game developers should also disable this by default. If
it is enabled, an unsuspecting user downloads on connect whatever the server
administrator intends.
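The advice above is a setting that has to be applied consistently across every .cfg file, because a single file still carrying cl_allowdownload 1 re-enables the behaviour. The following is an added example, not part of the advisory: a script that walks a game directory, finds every .cfg file, rewrites any set/seta/sets/setu assignment of cl_allowdownload to "0", and reports which files never mention the variable at all. The command-word variants it recognises and the directory-walking approach are assumptions of this example; the sample config text is constructed.

```python
import re
from pathlib import Path
from typing import List, Tuple

# Matches a Quake3-style cvar assignment for cl_allowdownload, with or without
# quotes around the value, and keeps any trailing text (e.g. a comment).
# Recognising set/seta/sets/setu as assignment words is an assumption here.
ALLOWDOWNLOAD_RE = re.compile(
    r'^(?P<prefix>\s*(?:seta?|sets|setu)\s+cl_allowdownload\s+)'
    r'(?P<quote>"?)(?P<value>[^"\s]*)(?P=quote)(?P<rest>.*)$',
    re.IGNORECASE,
)


def harden_cfg_text(text: str) -> Tuple[str, int]:
    """Force every cl_allowdownload assignment to "0". Returns (new_text, changes)."""
    changed = 0
    out: List[str] = []
    for raw in text.splitlines(keepends=True):
        body = raw.rstrip("\r\n")
        eol = raw[len(body):]          # preserve the file's own line endings
        m = ALLOWDOWNLOAD_RE.match(body)
        if m and m.group("value") != "0":
            body = f'{m.group("prefix")}"0"{m.group("rest")}'
            changed += 1
        out.append(body + eol)
    return "".join(out), changed


def mentions_setting(text: str) -> bool:
    """True if the config assigns cl_allowdownload anywhere (any value)."""
    return any(ALLOWDOWNLOAD_RE.match(line) for line in text.splitlines())


def harden_directory(root: Path) -> Tuple[List[Tuple[Path, int]], List[Path]]:
    """Rewrite every *.cfg under root. Returns (files changed, files lacking the cvar)."""
    changed_files: List[Tuple[Path, int]] = []
    missing: List[Path] = []
    for cfg in sorted(root.rglob("*.cfg")):
        original = cfg.read_text(encoding="utf-8", errors="replace")
        if not mentions_setting(original):
            missing.append(cfg)
            continue
        hardened, n = harden_cfg_text(original)
        if n:
            cfg.write_text(hardened, encoding="utf-8")
            changed_files.append((cfg, n))
    return changed_files, missing


# Constructed sample config, in the style the engine writes out.
SAMPLE_CFG = (
    'seta cl_allowdownload "1"\n'
    'seta sv_allowdownload "1"\n'
    'set cl_allowdownload 1 // re-enabled further down\n'
    'bind F1 "vote yes"\n'
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Usage: python harden_cfg.py <quake3 directory>
        changed, missing = harden_directory(Path(sys.argv[1]))
        for path, n in changed:
            print(f"fixed {n} line(s) in {path}")
        for path in missing:
            print(f"no cl_allowdownload line in {path} (add one to autoexec.cfg)")
    else:
        text, n = harden_cfg_text(SAMPLE_CFG)
        print(f"{n} change(s):\n{text}")
```

Note that the engine rewrites its main config from the in-memory cvar values on exit, so the setting only stays put if it is also executed at every start (an autoexec.cfg line is the usual place); the script reports files that carry no assignment at all for that reason rather than appending one itself.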
I have checked various games; obviously some game developers have already
recognized this threat.
Games I have found vulnerable:
Ravensoft's Star Trek Voyager: EliteForce
Medal of Honour: Allied Assault
Medal of Honour: Spearhead
The id guys seem to have done a better job: it seems that in the latest point
release cl_allowdownload was set to '0' by default.
I have only limited time for research; I do not doubt that a lot more games
than these (of which MOHAA has got a solid user base) have automatic download
on by default.
I would like to note that the Unreal Tournament engine family in general also
has the autodownload feature. I am not familiar with this type of engine, yet
it bears the same potential of abuse.
- Thilo Schulz