#######################################################################

                             Luigi Auriemma

Application:  Enemy Territory: Quake Wars
              http://www.enemyterritory.com
              http://www.idsoftware.com/games/enemyterritory/etqw/
Versions:     <= 1.5.12642.33243
Platforms:    Windows (tested), Linux, Mac OS X, PlayStation 3, Xbox 360
Bug:          invalid URL buffer-overflow
Exploitation: remote, versus clients (from malicious server)
Date:         18 Jun 2010
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Enemy Territory: Quake Wars (ETQW) is a well known and appreciated FPS
based on the idTech4 engine and developed by Splash Damage and id
Software.

#######################################################################

======
2) Bug
======

There is a function in the game which is used for displaying particular
error messages in the console
("********************\nERROR: %s\n********************") and it's
affected by a buffer overflow vulnerability.

One of the ways I have found for exploiting it is through a malicious
server that forces the client to download some missing or different
files through the pureServer command followed by a downloadInfo one
containing a URL with the following attributes:

- it must be an invalid http:// URL, because that is necessary for
  reaching the bugged function, which is called when ShellExecuteEx
  (used for launching the URL) fails
- it must be max 1024 bytes long, it gets truncated automatically
- it must be disguised well enough, because the OK of the user is
  required for exploiting it

For the first and last point I have opted for the backspace char before
the URL and a big sequence of line-feed chars after it, so that it looks
normal because the shellcode is displayed out of the screen.
As already said, it's necessary that the user accepts the download for
exploiting the vulnerability:

  You are missing required pak files to connect to this server.
  The server gave a web page though:
  http://SERVER/valid_file.pk4

  YES    NO

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/etqwcbof.zip

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
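Since the advisory reports no vendor fix, the following is an added example (not code from the advisory, nor from the game or its engine) of the two client-side checks a defender would want at the point described in section 2: a bounded version of the console error formatter, which reports truncation instead of overflowing, and a pre-check that rejects a server-supplied download URL before it is shown in the confirmation dialog or passed to the OS. The URL check refuses control characters such as the backspace and line-feed characters the advisory uses to disguise the URL, requires an http:// or https:// prefix with a host, and enforces a length bound set to the advisory's 1024-byte figure. Function names, the buffer size and the sample URLs are assumptions constructed for this example.

```c
/* Added example: hardened error formatting and download-URL validation.
 * Names, sizes and sample inputs are assumptions, not the game's code. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define ERR_BUF_SIZE      1024   /* assumed size of the console error buffer */
#define MAX_DOWNLOAD_URL  1024   /* length bound taken from the advisory */

/* 'Before' pattern: an unbounded format into a fixed buffer. A message
 * longer than the buffer minus the decoration overflows it. Not called. */
void format_console_error_unbounded(char *out, const char *msg) {
    sprintf(out, "********************\nERROR: %s\n********************", msg);
}

/* Hardened form: bounded format that always NUL-terminates and tells the
 * caller whether the message was cut. Returns 0 = fits, 1 = truncated,
 * -1 = formatting error. */
int format_console_error(char *out, size_t outsz, const char *msg) {
    int n = snprintf(out, outsz,
                     "********************\nERROR: %s\n********************",
                     msg);
    if (n < 0) return -1;
    return (size_t)n >= outsz ? 1 : 0;
}

/* Bounded strlen without relying on the POSIX-only strnlen(). Returns
 * maxlen + 1 when no terminator is found within maxlen bytes. */
static size_t bounded_len(const char *s, size_t maxlen) {
    size_t i = 0;
    while (i <= maxlen && s[i] != '\0') i++;
    return i;
}

/* Accept a server-supplied download URL only if it is plausible enough
 * to show to the user verbatim: http(s) scheme, non-empty host, printable
 * ASCII only (no backspace, CR/LF, tab or other control bytes), no
 * whitespace or quote characters, and within the length bound. */
bool download_url_is_acceptable(const char *url, size_t maxlen) {
    size_t len = bounded_len(url, maxlen);
    if (len == 0 || len > maxlen) return false;

    const char *host;
    if (strncmp(url, "https://", 8) == 0)      host = url + 8;
    else if (strncmp(url, "http://", 7) == 0)  host = url + 7;
    else return false;

    /* A scheme with nothing after it, or a path with no host, is rejected. */
    if (*host == '\0' || *host == '/') return false;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)url[i];
        if (c < 0x20 || c > 0x7e) return false;        /* control / non-ASCII */
        if (c == ' ' || c == '"' || c == '\'') return false;
    }
    return true;
}

int main(void) {
    /* Constructed sample inputs: one plausible URL, one with a leading
     * backspace and trailing line feeds in the style the advisory describes. */
    const char *ok  = "http://example.invalid/valid_file.pk4";
    const char *bad = "\bhttp://example.invalid/valid_file.pk4\n\n\n\n";
    char buf[ERR_BUF_SIZE];

    printf("%s -> %s\n", "plausible URL",
           download_url_is_acceptable(ok, MAX_DOWNLOAD_URL) ? "accept" : "reject");
    printf("%s -> %s\n", "URL with control chars",
           download_url_is_acceptable(bad, MAX_DOWNLOAD_URL) ? "accept" : "reject");

    int rc = format_console_error(buf, sizeof buf, "download failed");
    printf("format rc=%d\n%s\n", rc, buf);
    return 0;
}
```

Rejecting the URL before the YES/NO dialog is shown removes the user-confirmation step from the attack path entirely, and the bounded formatter means that even a URL which slips through can at worst produce a truncated message rather than a memory-safety bug.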