CVE-2006-2082 Directory traversal vulnerability in Quake 3 engine

CVE-2006-2082
Directory traversal vulnerability in Quake 3 engine, as used in products
including Quake3 Arena, Return to Castle Wolfenstein, Wolfenstein: Enemy
Territory, and Star Trek Voyager: Elite Force, when the sv_allowdownload
cvar is enabled, allows remote attackers to read arbitrary files from
the server via ".." sequences in a .pk3 file request.

from Thilo Schulz in ioquake3
svn 777 git 60293f49ee8c665673202e80ecd103f13a9fa6ab

Fix bug that permits download of arbitrary files from a download enabled
server by checking requested file name against the list of loaded pk3
files. See CVE-2006-2082
This commit is contained in:
Jonathan Gray 2013-05-07 02:37:25 +10:00
parent c9da283d84
commit 85caaddab4

View file

@ -1092,24 +1092,59 @@ void SV_WriteDownloadToClient( client_t *cl , msg_t *msg )
int curindex;
int rate;
int blockspersnap;
int idPack, missionPack;
int idPack, missionPack, unreferenced = 1;
char errorMessage[1024];
char pakbuf[MAX_QPATH], *pakptr;
int numRefPaks;
if (!*cl->downloadName)
return; // Nothing being downloaded
if (!cl->download) {
// Chop off filename extension.
Com_sprintf(pakbuf, sizeof(pakbuf), "%s", cl->downloadName);
pakptr = Q_strrchr(pakbuf, '.');
if(pakptr)
{
*pakptr = '\0';
// Check for pk3 filename extension
if(!Q_stricmp(pakptr + 1, "pk3"))
{
const char *referencedPaks = FS_ReferencedPakNames();
// Check whether the file appears in the list of referenced
// paks to prevent downloading of arbitrary files.
Cmd_TokenizeStringIgnoreQuotes(referencedPaks);
numRefPaks = Cmd_Argc();
for(curindex = 0; curindex < numRefPaks; curindex++)
{
if(!FS_FilenameCompare(Cmd_Argv(curindex), pakbuf))
{
unreferenced = 0;
// now that we know the file is referenced,
// check whether it's legal to download it.
missionPack = FS_idPak(pakbuf, "missionpack");
idPack = missionPack || FS_idPak(pakbuf, "base");
break;
}
}
}
}
// We open the file here
Com_Printf( "clientDownload: %d : begining \"%s\"\n", cl - svs.clients, cl->downloadName );
missionPack = FS_idPak(cl->downloadName, "missionpack");
idPack = missionPack || FS_idPak(cl->downloadName, "base");
if ( !sv_allowDownload->integer || idPack ||
if ( !sv_allowDownload->integer || idPack || unreferenced ||
( cl->downloadSize = FS_SV_FOpenFileRead( cl->downloadName, &cl->download ) ) <= 0 ) {
// cannot auto-download file
if (idPack) {
if(unreferenced)
{
Com_Printf("clientDownload: %d : \"%s\" is not referenced and cannot be downloaded.\n", (int) (cl - svs.clients), cl->downloadName);
Com_sprintf(errorMessage, sizeof(errorMessage), "File \"%s\" is not referenced and cannot be downloaded.", cl->downloadName);
}
else if (idPack) {
Com_Printf("clientDownload: %d : \"%s\" cannot download id pk3 files\n", cl - svs.clients, cl->downloadName);
if (missionPack) {
Com_sprintf(errorMessage, sizeof(errorMessage), "Cannot autodownload Team Arena file \"%s\"\n"
@ -1142,6 +1177,8 @@ void SV_WriteDownloadToClient( client_t *cl , msg_t *msg )
return;
}
Com_Printf( "clientDownload: %d : begining \"%s\"\n", cl - svs.clients, cl->downloadName );
// Init
cl->downloadCurrentBlock = cl->downloadClientBlock = cl->downloadXmitBlock = 0;
cl->downloadCount = 0;