Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
It is currently 19 Jul 2012 13:59

All times are UTC [ DST ]





Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 4 posts ] 
Author Message
 Post subject: q3dirtrav (adv) link
PostPosted: 08 Aug 2008 22:14 

Joined: 05 Oct 2007 01:20
Posts: 402
Location: Florida
your uh q3dirtrav (adv) thingy link thing... links here:
http://www.securityfocus.com/archive/1/ ... 0/threaded (obviously...)
ok so my question is: what is the bug at the top?
Quote:
========================================
Issue #1:

Remotely exploitable COM_StripExtension buffer overflow in client allows
execution of arbitrary code.
========================================

This bug is also known as the "remapShader" bug discovered by landser who
recently published a PoC opening a remote shell on vulnerable Linux clients at
milw0rm.com [2]

* details
The COM_StripExtension routine copies a given filename chopping the suffix
into another given buffer without checking the length of that buffer.
R_FindShaderByName(), called by R_RemapShader() uses a static buffer of 64
bytes length for the copy.
Servers can make the client execute R_RemapShader() by sending a "remapShader"
command with too long arguments that will result in an overflowed buffer.

* affected OS
All operating systems suffer from the bug.

* affected games
Games using the quake3 engine that accept the remapShader command in the cgame
code and use an otherwise unmodified COM_StripExtension().

Vulnerable are:
- Quake3 Arena / Team Arena point release 1.32b
- Return to Castle Wolfenstein 1.41
- Wolfenstein: Enemy Territory 2.60

With a high probability vulnerable:
- Star Wars: Jedi Knight 2 / 3

Not vulnerable:
- Star Trek Voyager: Elite Force

This list can *not* be considered complete. These are the only games where I
have done some checking or where I know they have this bug.

Probably not vulnerable are games that are based off an older version of the
Quake3 engine where the remapShader command didn't exist in the original
cgame code (like EliteForce).

* workaround *
There is no known workaround except playing on trusted servers.

* patches *
ID has released fixed binaries, but more on that later.

what bug is that one?


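As an added illustration (not code from this thread, nor the engine's own source), here are the two shapes of the copy the quoted advisory describes: a strip-extension routine that never learns the size of its destination, beside one that takes the destination size, clamps the copy and always NUL-terminates. Function names are assumed for the example; SHADER_NAME_MAX mirrors the 64-byte static buffer the advisory mentions.

```c
/* Added example: illustrative names, not the engine's real routines. */
#include <stdio.h>
#include <string.h>

#define SHADER_NAME_MAX 64   /* the 64-byte static buffer the advisory mentions */

/* Flawed shape: copies everything up to the last '.' with no idea how
 * large 'out' is, so a long network-supplied name writes past the end. */
static void strip_ext_unbounded(const char *in, char *out)
{
    const char *dot = strrchr(in, '.');
    size_t n = dot ? (size_t)(dot - in) : strlen(in);
    memcpy(out, in, n);
    out[n] = '\0';
}

/* Fixed shape: the caller passes sizeof(out); the copy is clamped to
 * destsize-1 bytes and NUL-terminated. A '.' only counts as an extension
 * when it follows the last '/'. Returns 0 on success, -1 if truncated. */
static int strip_ext_bounded(const char *in, char *out, size_t destsize)
{
    const char *dot = strrchr(in, '.');
    const char *slash = strrchr(in, '/');
    size_t n;
    if (destsize == 0) return -1;
    if (dot && (!slash || slash < dot))
        n = (size_t)(dot - in);
    else
        n = strlen(in);
    int truncated = (n >= destsize);
    if (truncated) n = destsize - 1;
    memcpy(out, in, n);
    out[n] = '\0';
    return truncated ? -1 : 0;
}

/* Pre-check a caller can apply to a server-supplied shader name before
 * handing it to code that copies into a SHADER_NAME_MAX buffer. */
static int shader_name_fits(const char *name)
{
    char tmp[SHADER_NAME_MAX];
    return strip_ext_bounded(name, tmp, sizeof tmp) == 0;
}

int main(void)
{
    char out[SHADER_NAME_MAX];
    strip_ext_unbounded("textures/base.wall.tga", out); /* short input only */
    printf("%s\n", out);
    printf("%d\n", shader_name_fits("textures/base.wall.tga")); /* 1 */
    return 0;
}
```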
 Post subject:
PostPosted: 08 Aug 2008 22:15 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
it's a client bug: a malicious server can execute malicious code on a client which joins it

 Post subject:
PostPosted: 09 Aug 2008 00:28 

Joined: 05 Oct 2007 01:20
Posts: 402
Location: Florida
do you have any PoCs that do it?

 Post subject:
PostPosted: 09 Aug 2008 00:48 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
no, the only PoC which was released should be the following which is a shared library for the Linux server:

http://www.milw0rm.com/exploits/1750
