Hello, The Quake3 Engine's feature for automatically downloading modifications from the server to the client bears great potential of abuse and could even lead to execution of arbitrary code. Because this is quake3 engine related many games aside from quake3 suffer from the same problem as well. First a few lines to explain the background: In Quake3 engine games (at least those who haven't been modified too heavily by the developer who came to license the engine) all game data files, maps, textures, models, sounds etc. are contained by to .pk3 suffixed ZIP-compressed archives. Modifications as well, with files for the virtual machine that determines the bahaviour of the engine. If a player joins this server, the server requests checksums for various .pk3's that are in use on the server and of the game itself from the client, to validate that the client has not messed around with certain files to enable the possibility of cheating (Aimbots for example). On the other hand, if the server is right now playing a map and the client connecting to the server does not have this map, this client starts, if all permissions are set to default, automatically downloading the .pk3 file that contains the map files with its textures and all it needs to play this map. The same goes for modifications. In order to allow automatically downloading, the server and the client need to have the variable cl_allowdownload set to 1. This is the default in most games. So here we are at the first possibility of abuse: The Server administrator can load modifications on his server, that are very small in file size. When the client connects to this server, it will start automatically downloading this modification, which will be very short due to small size, this is why the user is most likely to ignore it. The administrator may have set this mod on the server this way, that he can enable cheating on this server while other people can not. This possibility is already known and was only mentioned for the sake of completeness. Secondly, certain files may break the starting of the game. I have found an example for the game Star Trek Voyager: Elite Force, where if you download the .pk3 file for a multiplayer map, the single player will not start up anymore and lots of garbish appearing in the start-up console. Here is a link to the file: http://www.hazardteam.de/downloads-file.html?type=maps&id=104 The author of this map certainly did not intend this to happen, someone with malicious intends is no doubtedly possible to modify the content and reduce the size of the file reasonably to have the same effect, depending on the game. Thirdly: We do not know which bugs lurk in the deepness of the closed source of the games. These games are complex - the engine needs to load the maps correctly and display them, also game developers add powerful script interpreters to make it possible to script events in single player missions. These bugs cannot all be found and fixed in time, the potential if a bug was found in one of these games would be enormous. Just think about the thousands of clients that have this automatical downloading enabled. The file at the top is an example how by a simple coincidence a way was found to make the game crash before it even started up. This is why I have written this report. The only advice I can give is not to make the same mistake microsoft did with its outlook and enable various things by default that makes it 10x easier to start any exploits without the user wanting to do so. All users should set the variable cl_allowdownload in all .cfg files in the quake3 directory to '0' , and not download maps / modifications from untrusted sources, also Game developers should disable this by default. If this is enabled, an unsuspecting user downloads on connect whatever the server administrator intends to. I have checked various games, obviously some game developers have already recognized this threat. Games I have found vulnerable: Ravensoft's Star Trek Voyager: EliteForce Medal of Honour: Allied Assault Medal of Honour: Spearhead The id guys seem to have done a better job, it seems that in the latest point release cl_allowdownload was set to '0' by default. I have only limited time for research, I do not doubt that alot more games than these (where the MOHAA has got a solid user base) have automatically download on by default. I would like to annotate, that generally the unreal tournament engine family also has the autodownload feature. I am not familiar with this type of engines, yet it bears the same potential of abuse. - Thilo Schulz
This archive was generated by hypermail 2b30 : Tue Feb 04 2003 - 15:55:05 PST