Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
It is currently 19 Jul 2012 12:02

All times are UTC [ DST ]





Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 54 posts ]  Go to page 1, 2  Next
Author Message
 Post subject: quake3 engine callvote bug
PostPosted: 11 Jan 2009 19:18 

Joined: 11 Jan 2009 19:04
Posts: 2
here's a bug i found in the quake 3 engine in late 2003 that allows players to execute commands on a server, shown here for educational purposes only ofc.
the code references here are from quake3-1.32-source.zip

in the server game module (qagame) when a vote is called the function Cmd_CallVote_f creates a string representation of it in level.voteString.
for example if a client sends the command 'callvote kick leo', level.voteString will be 'kick leo'

if the vote passes, this code is run:
Code:
void CheckVote( void ) {
        if ( level.voteExecuteTime && level.voteExecuteTime < level.time ) {
                level.voteExecuteTime = 0;
                trap_SendConsoleCommand( EXEC_APPEND, va("%s\n", level.voteString ) );
        }

which means it adds level.voteString to the execution buffer. (Cbuf_ExecuteText(EXEC_APPEND, level.voteString))

the commands in the execution buffer are seperated by ';', '\r' or '\n':
Code:
for (i=0 ; i< cmd_text.cursize ; i++)
{
    if (text[i] == '"')
        quotes++;
    if ( !(quotes&1) &&  text[i] == ';')
        break;  // don't break if inside a quoted string
    if (text[i] == '\n' || text[i] == '\r' )
        break;
}


so theoretically if a client sends the command ' callvote map "mp_leo;quit" ' and the vote passes, quit will be executed after "map mp_leo".

to prevent this Cmd_CallVote_f does the following check:
Code:
if( strchr( arg1, ';' ) || strchr( arg2, ';' ) ) {
   trap_SendServerCommand( ent-g_entities, "print \"Invalid vote string.\n\"" );
   return;
}


but ofc this isn't enough, since the other separators ('\r' and '\n') can also be sent in client commands.
sending such a callvote command from a game client isn't possible without a dll injection/hook/debugger afaik.

the way i used to test this bug is writing the following command inside the game:
/callvote kick "bla;quit"
and then changing the ';' letter to '\r' inside CL_AddReliableCommand() while debugging the client

credits:
leo
http://www.nixcoders.org


Last edited by humbaba on 12 Jan 2009 18:50, edited 1 time in total.

Top
 Profile  
 
 
 Post subject: Re: quake3 engine callvote bug
PostPosted: 11 Jan 2009 19:20 

Joined: 16 Oct 2007 18:47
Posts: 23
lulz


Top
 Profile  
 
 Post subject: Re: quake3 engine callvote bug
PostPosted: 11 Jan 2009 23:52 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
really an excellent finding and a complete analisys, well done leo.
the bug affects even the latest SVN version of ioquake3.

for being able to test more games I have created an universal patcher which converts any original executable of the games based on the Quake 3 engine in a proof-of-concept which automatically converts the ';' char in a carriage return (0x0d).

UPDATE: the PoC is available here:
http://aluigi.org/poc.htm#q3cbufexec


Top
 Profile  
 
 Post subject: Re: quake3 engine callvote bug
PostPosted: 13 Jan 2009 01:43 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
today I have tested other executables and the PoC has found and modified the needed function correctly in all of them (included the executable of quakelive in the encrypted bin.pk3 package) so I have released it.
the zip in the PoC section is the same which was attached here, I have not modified it.


Top
 Profile  
 
 Post subject: Re: quake3 engine callvote bug
PostPosted: 15 Jan 2009 00:07 

Joined: 20 Nov 2007 05:07
Posts: 6
Crashes JA:MP. (Jedi Academy).


Top
 Profile  
 
 Post subject: Re: quake3 engine callvote bug
PostPosted: 15 Jan 2009 00:31 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
here on jamp.exe 1.0.1.0 works perfectly, it's only needed to use a command like the following:

callvote timelimit "123;rconpassword none"

because map, kick and g_gametime did nothing in my tests


Top
 Profile  
 
 Post subject: Re: quake3 engine callvote bug
PostPosted: 15 Jan 2009 01:03 

Joined: 20 Nov 2007 05:07
Posts: 6
Can you upload the client you're using? Because after I patched and tried running JAMP, it crashed.


Top
 Profile  
 
 Post subject: Re: quake3 engine callvote bug
PostPosted: 15 Jan 2009 01:21 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
if you have version 1.0.1.0 the proof-of-concept should tell you something like:

0001c75e (RVA 0041c75e) of 5 bytes
0013ae8a (RVA 0053ae8a) of 34 bytes

the new jamp_q3cbufexec.exe file generated by the tool is the same here or there, so don't ask to upload it.


Top
 Profile  
 
 Post subject: Re: quake3 engine callvote bug
PostPosted: 15 Jan 2009 17:45 

Joined: 15 Jan 2009 17:36
Posts: 1
I tried it with tremulous but it doesnt works, it

example:

callvote map "atcs;rconpassword 123"

it sends me

rconpassword winner.bsp couldnt be found on the server

and if i try it with kick it says invcalid client name, i have tried it with other few of cmds but it still doesnt work, maybe it because im not at home, and this pc isnt mine and it has windows vista.


Top
 Profile  
 
 Post subject: Re: quake3 engine callvote bug
PostPosted: 15 Jan 2009 17:57 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
tremulous 1.1.0 was just one of the first q3 games I tested with my PoC and works perfectly, just retried again now using the example command from the console of tremulous_q3cbufexec.exe


Top
 Profile  
 
 Post subject: Re: quake3 engine callvote bug
PostPosted: 23 Jan 2009 19:24 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
I have just checked the Icculus SVN repository where has been fixed the problem and there is also a link to the original bug report by a certain /dev/humancontroller dated 8 April 2008:

http://bugzilla.icculus.org/show_bug.cgi?id=3593

that's boring because now I need to modify the credits in q3cbufexec... uff


Top
 Profile  
 
 Post subject: Re: quake3 engine callvote bug
PostPosted: 24 Jan 2009 09:23 

Joined: 11 Jan 2009 19:04
Posts: 2
aluigi wrote:
I have just checked the Icculus SVN repository where has been fixed the problem and there is also a link to the original bug report by a certain /dev/humancontroller dated 8 April 2008:

http://bugzilla.icculus.org/show_bug.cgi?id=3593

that's boring because now I need to modify the credits in q3cbufexec... uff


not that i care about the credit, but like i wrote in the original post i found the bug and firstly tested it in 2003 so i did not steal the information from anyone.


Top
 Profile  
 
 Post subject: Re: quake3 engine callvote bug
PostPosted: 24 Jan 2009 14:17 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
I didn't mean to remove you from the credits, I meant only to add this additional detail because obviously at the moment it's the oldest information (although I don't like how the vulnerabilities are handled in ioquake3) publicly available on internet


Top
 Profile  
 
 Post subject: Re: quake3 engine callvote bug
PostPosted: 08 Feb 2009 17:25 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
with a bit of luck I have found a way to fix the bug on almost all the Windows versions of the vulnerable games.
in fact the Cbuf_ExecuteText function has a pattern which is practically ever the same on Windows so has been easy to add a set of instructions at the end of the .text section which scan the input text for the 0x0d and 0x0a chars (';' not because it's useless in this case and in that function it's used also for valid commands).

in my opinion the best place for adding that set of instructions was probably SV_ExecuteClientCommand where it was useful also to avoid the usage of these bad chars in other commands like "say" (where they are used as an annoyance) but there are tons of problems for finding that function in all the various games (if it's not universal it's not good).

at the moment the patch is in beta testing and requires at least lpatch 0.4.3 for being applied:

http://aluigi.org/mytoolz/lpatch.zip
http://aluigi.org/patches/q3cbufexecfix.lpatch

please refer to this thread for comments and suggestions


Top
 Profile  
 
 Post subject: Re: quake3 engine callvote bug
PostPosted: 10 Feb 2009 11:23 

Joined: 14 Nov 2008 16:37
Posts: 15
aluigi wrote:
here on jamp.exe 1.0.1.0 works perfectly, it's only needed to use a command like the following:

callvote timelimit "123;rconpassword none"

because map, kick and g_gametime did nothing in my tests

/callvote timelimit "10;rconpassword lol"
"Invalid vote string." - wtf?

I tried to bind (bind e callvote timelimit "10;rconpassword lol"), but nothing happened. :)


Top
 Profile  
 
 Post subject: Re: quake3 engine callvote bug
PostPosted: 10 Feb 2009 15:14 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
because you have not used the proof-of-concept and so the ';' char has not been converted in a carriage return or a line feed


Top
 Profile  
 
 Post subject: Re: quake3 engine callvote bug
PostPosted: 11 Feb 2009 16:19 

Joined: 11 Feb 2009 16:16
Posts: 1
I have a problem while im using this : My JKA starts and im able to connect a server, but after about 30 i get the 'Cl_parsepacket..' Error. And i have a working No-cd and also i've tried it with my CD. But still i get it.

So how can i fix this?


Top
 Profile  
 
 Post subject: Re: quake3 engine callvote bug
PostPosted: 11 Feb 2009 16:35 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
it's all normal because in games like JKA and Quake3 the executable performs a check on itself to avoid modified executables (maybe for cheating).

but this doesn't cause any problem to the testing of the bug because this is a proof-of-concept, you must NOT use it for playing: join your server, send the command, check if it had effect on your server and exit. stop


Top
 Profile  
 
 Post subject: Re: quake3 engine callvote bug
PostPosted: 13 Feb 2009 09:22 

Joined: 09 Sep 2008 12:15
Posts: 27
aluigi wrote:
with a bit of luck I have found a way to fix the bug on almost all the Windows versions of the vulnerable games.
in fact the Cbuf_ExecuteText function has a pattern which is practically ever the same on Windows so has been easy to add a set of instructions at the end of the .text section which scan the input text for the 0x0d and 0x0a chars (';' not because it's useless in this case and in that function it's used also for valid commands).

in my opinion the best place for adding that set of instructions was probably SV_ExecuteClientCommand where it was useful also to avoid the usage of these bad chars in other commands like "say" (where they are used as an annoyance) but there are tons of problems for finding that function in all the various games (if it's not universal it's not good).

at the moment the patch is in beta testing and requires at least lpatch 0.4.3 for being applied:

http://aluigi.org/mytoolz/lpatch.zip
http://aluigi.org/patches/q3cbufexecfix.lpatch

please refer to this thread for comments and suggestions


Any way to fix linux binaries ? or patch it someway?


Top
 Profile  
 
 Post subject: Re: quake3 engine callvote bug
PostPosted: 13 Feb 2009 16:56 

Joined: 16 Oct 2007 18:47
Posts: 23
as long as no patch is released simply disable votes like timelimit map etc..or just disable all votes


Top
 Profile  
 
 Post subject: Re: quake3 engine callvote bug
PostPosted: 14 Feb 2009 21:30 

Joined: 03 Feb 2009 19:52
Posts: 36
Location: Switzerland
I have a fix from ESL Forum:
Fix Linux:
- MSGBOOM fixed (appears some french sentences and calls a vote for kicking "crasher"
- Forcestring (calls vote for kick)
- Callvotebug (say's "noob hacker", and nothing happens)

http://rapidshare.com/files/198122644/j ... 6.zip.html
hf

PS: Creator told me that there might be some slow damage differents, but i did not realised anything.


Top
 Profile  
 
 Post subject: Re: quake3 engine callvote bug
PostPosted: 15 Feb 2009 21:23 

Joined: 19 May 2008 04:02
Posts: 3
Is there a linux patch for the sv_allowdownload fix?


Top
 Profile  
 
 Post subject: Re: quake3 engine callvote bug
PostPosted: 16 Feb 2009 19:43 

Joined: 03 Feb 2009 19:52
Posts: 36
Location: Switzerland
yeah sv_allowdownload 0 ! allowdownload is just an open door for every wnb hacker, there is no positiv side on this cmd for an server owner :P


Top
 Profile  
 
 Post subject: Re: quake3 engine callvote bug
PostPosted: 16 Feb 2009 19:53 

Joined: 16 Oct 2007 18:47
Posts: 23
open your eyes A Mailer ...there are more than enough fixes out there


Top
 Profile  
 
 Post subject: Re: quake3 engine callvote bug
PostPosted: 17 Feb 2009 20:45 

Joined: 02 May 2008 15:37
Posts: 38
Eragon wrote:
yeah sv_allowdownload 0 ! allowdownload is just an open door for every wnb hacker, there is no positiv side on this cmd for an server owner :P

everyone know that....but thats not the only way to hack theh server buahahah


Top
 Profile  
 
 Post subject: Re: quake3 engine callvote bug
PostPosted: 18 Feb 2009 01:11 

Joined: 13 Jan 2008 16:13
Posts: 5
Eragon wrote:
I have a fix from ESL Forum:
Fix Linux:
- MSGBOOM fixed (appears some french sentences and calls a vote for kicking "crasher"
- Forcestring (calls vote for kick)
- Callvotebug (say's "noob hacker", and nothing happens)

http://rapidshare.com/files/198122644/j ... 6.zip.html
hf

PS: Creator told me that there might be some slow damage differents, but i did not realised anything.


Download link no longer works.

Got another link/reupload?


Top
 Profile  
 
 Post subject: Re: quake3 engine callvote bug
PostPosted: 18 Feb 2009 18:27 

Joined: 03 Feb 2009 19:52
Posts: 36
Location: Switzerland
http://esl-fr.verygames.net/jampgamei386.zip


Top
 Profile  
 
 Post subject: Re: quake3 engine callvote bug
PostPosted: 18 Feb 2009 19:46 

Joined: 13 Jan 2008 16:13
Posts: 5
Eragon wrote:
http://esl-fr.verygames.net/jampgamei386.zip


The archive is damaged and Winrar's repair doesn't work.

Got another link?


Top
 Profile  
 
 Post subject: Re: quake3 engine callvote bug
PostPosted: 20 Feb 2009 23:39 

Joined: 03 Feb 2009 19:52
Posts: 36
Location: Switzerland
Tanith wrote:
Eragon wrote:
http://esl-fr.verygames.net/jampgamei386.zip


The archive is damaged and Winrar's repair doesn't work.

Got another link?

*edit* new link, other was damaged..
................... http://www.for.bplaced.net/include/downs/downloads/jampgamei3862.rar.........

or use that:
Quote:

this is just an opportunity you can use to make senseless the callvote bug, without decompiling or making modded dlls
What you need is just your jampded.exe file, or linuxjampded + a hex editor

both server files with common changements are in the end of the post.

You open the editor (i use XVI32, it s free, the link is in the end of the post)
then you have to find a text string with rconpassword variable name.
Now you have to change the name to smth like yrhiuahfeerd.
IMPORTANT: new name must have the SAME length that the string "rconpassword" (12 chars)
Then you save the file and your jampded or linuxjampded is now patched.

How it works:
In cfg your server runs you have to replace 'rconpassword' by 'yrhiuahfeerd'. So now your admin password will be named 'yrhiuahfeerd' and not 'rconpassword'
When someone is trying to call a vote, ex
callvote fraglimit "0; rconpassword 123"
the fraglimit will be set to 0, and all players will see a saying

server: rconpassword 123

as far as there is no rconpassword named variable, the server will interprete it just as a saying. So by the vote initiator it s easy to devine, who is trying to hack the server :)

Surely, they still can get your admin password (change it via vote etc) BUT they have to know the name of the variable, defining admin password, which is really hard to do :)
Also, every attempt to devine the name will be shown to other players, as I said before.

also, the guys who know the true admin password can still manage admin commands like before, e.g.

/rconpassword <adminpassword>
/rcon status
/rcon clientkick 0

But that is not all. If you downloaded and worked with a file in the attachment, I've already done the following things in it, so you just skip the final part, but if you edited your own jampded/linuxjampded you ll have to do an additional job
It is to remove /quit, /killserver, /sv_killserver, /sv_allowdownload commands. Just find them 1 by 1 and replace their names by spaces.
Now the 'clever' guys who will try to download the cfg will fail, also they wont be able to kill server via voting.


PS when you replace your jampded/linuxjampded file on server do not forget to change chmod for it, so it will be allowed to be executed.


SO, to sum up:
1. Edit the linuxjampded/jampded (rconpassword must be replaced with your own string; quit, sv_killserver, killserver, sv_allowdownload should be removed - filled with spaces)
2. Edit your cfg so the 'rconpassword' will be replaced with your custom name you selected in the first point
3. Enjoy your playing




PS It is NOT the mod anyhow and dont say 'omg lolmod i wont play esl there fu'


FILES

Jampded (for windows) with removed quit, sv_killserver and killserver commands, you have to rename only rconpassword variable
http://punk666.pu.ohost.de/serverfix/jampDed.zip

linuxjampded (for linux) with removed quit, sv_killserver and killserver commands, you have to rename only rconpassword variable
http://punk666.pu.ohost.de/serverfix/linuxjampded.zip

xvi32 - free and small windows hex editor (if you havent one)
http://punk666.pu.ohost.de/serverfix/xvi32.zip


Last edited by Eragon on 23 Feb 2009 18:45, edited 1 time in total.

Top
 Profile  
 
 Post subject: Re: quake3 engine callvote bug
PostPosted: 22 Feb 2009 20:19 

Joined: 13 Jan 2008 16:13
Posts: 5
Eragon wrote:
Tanith wrote:
Eragon wrote:
http://esl-fr.verygames.net/jampgamei386.zip


The archive is damaged and Winrar's repair doesn't work.

Got another link?

................... http://www.for.bplaced.net/include/downs/downloads/jampgamei386.zip


lol that zip file is also damaged and wont extract in either Winrar or Winzip and again Winrar's repair does not fix it.


Top
 Profile  
 
Display posts from previous:  Sort by  
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 54 posts ]  Go to page 1, 2  Next

All times are UTC [ DST ]


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for: