Quake 3 engine cvar file overwrite

quake3-cvar-file-overwrite (27486) The risk level is classified as MediumMedium Risk

Description:

Multiple game servers based on the Quake 3 engine could allow a remote attacker to create or overwrite arbitrary cvar variables or files on the system, caused by improper handling of cvar variables sent from a server. By sending specially-crafted cvar variables, a remote attacker in control of a malicious game server could overwrite arbitrary variables including fs_homepath, which could then be used to overwrite arbitrary files on the victim's system, if the attacker could persuade a potential victim to connect to the malicious server.


Consequences:

File Manipulation

Remedy:

Upgrade to the latest version of the Quake 3 engine (811 or later), available from the Quake Web site. See References.

References:

  • Luigi Auriemma Advisory 27 Jun 2006: Files and cvars overwriting in Quake 3 engine (1.32c / rev 803 / ...).
  • quake3 CVS Repository: icculus.org Subversion Repositories - revision - quake3.
  • BID-18685: Quake 3 Multiple Vulnerabilities
  • CVE-2006-3324: The Automatic Downloading option in the id3 Quake 3 Engine and the Icculus Quake 3 Engine (ioquake3) before revision 804 allows remote attackers to overwrite arbitrary files in the quake3 directory (fs_homepath cvar) via a long string of filenames, as contained in the neededpaks buffer.
  • SA20401: Quake3 Engine File Overwrite And Buffer Overflow Vulnerabilities
  • SA20851: Icculus.org Quake3 Engine Two Vulnerabilities
  • VUPEN/ADV-2006-2569: Icculus Quake3 Engine (ioquake3) Automatic Downloading File Manipulation Issues

Platforms Affected:

  • id Software Quake 3 1.32c and prior

Reported:

Jun 27, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page