Quake3 engine autodownload issues.

[Thilo Schulz <arny () ats s bawue de>]

Hello,

The Quake3 Engine's feature for automatically downloading modifications from 
the server to the client bears great potential of abuse and could even lead 
to execution of arbitrary code. Because this is quake3 engine related many 
games aside from quake3 suffer from the same problem as well.

First a few lines to explain the background:
In Quake3 engine games (at least those who haven't been modified too heavily 
by the developer who came to license the engine) all game data files, maps, 
textures, models, sounds etc. are contained by to .pk3 suffixed 
ZIP-compressed archives.
Modifications as well, with files for the virtual machine that determines the 
bahaviour of the engine.
If a player joins this server, the server requests checksums for various 
.pk3's that are in use on the server and of the game itself from the client, 
to validate that the client has not messed around with certain files to 
enable the possibility of cheating (Aimbots for example).
On the other hand, if the server is right now playing a map and the client 
connecting to the server does not have this map, this client starts, if all 
permissions are set to default, automatically downloading the .pk3 file that 
contains the map files with its textures and all it needs to play this map.
The same goes for modifications. In order to allow automatically downloading, 
the server and the client need to have the variable cl_allowdownload set to 
1. This is the default in most games.

So here we are at the first possibility of abuse:

The Server administrator can load modifications on his server, that are very 
small in file size. When the client connects to this server, it will start 
automatically downloading this modification, which will be very short due to 
small size, this is why the user is most likely to ignore it. The 
administrator may have set this mod on the server this way, that he can 
enable cheating on this server while other people can not. This possibility 
is already known and was only mentioned for the sake of completeness.

Secondly, certain files may break the starting of the game. I have found an 
example for the game Star Trek Voyager: Elite Force, where if you download 
the .pk3 file for a multiplayer map, the single player will not start up 
anymore and lots of garbish appearing in the start-up console. Here is a link 
to the file:

http://www.hazardteam.de/downloads-file.html?type=maps&id=104

The author of this map certainly did not intend this to happen, someone with 
malicious intends is no doubtedly possible to modify the content and reduce 
the size of the file reasonably to have the same effect, depending on the 
game.

Thirdly: We do not know which bugs lurk in the deepness of the closed source 
of the games. These games are complex - the engine needs to load the maps 
correctly and display them, also game developers add powerful script 
interpreters to make it possible to script events in single player missions. 
These bugs cannot all be found and fixed in time, the potential if a bug was 
found in one of these games would be enormous. Just think about the thousands 
of clients that have this automatical downloading enabled. The file at the 
top is an example how by a simple coincidence a way was found to make the 
game crash before it even started up.

This is why I have written this report. The only advice I can give is not to 
make the same mistake microsoft did with its outlook and enable various 
things by default that makes it 10x easier to start any exploits without the 
user wanting to do so.
All users should set the variable cl_allowdownload in all .cfg files in the 
quake3 directory to '0' , and not download maps / modifications from 
untrusted sources, also Game developers should disable this by default. If 
this is enabled, an unsuspecting user downloads on connect whatever the 
server administrator intends to.

I have checked various games, obviously some game developers have already 
recognized this threat.

Games I have found vulnerable:
Ravensoft's Star Trek Voyager: EliteForce
Medal of Honour: Allied Assault
Medal of Honour: Spearhead

The id guys seem to have done a better job, it seems that in the latest point 
release cl_allowdownload was set to '0' by default.
I have only limited time for research, I do not doubt that alot more games 
than these (where the MOHAA has got a solid user base) have automatically 
download on by default.

I would like to annotate, that generally the unreal tournament engine family 
also has the autodownload feature. I am not familiar with this type of 
engines, yet it bears the same potential of abuse.

 - Thilo Schulz