CVE-2017-6903 - Unspecified vulnerability in Ioquake3 20170227
Summary
In ioquake3 before 2017-03-14, the auto-downloading feature has insufficient content restrictions. This also affects Quake III Arena, OpenArena, OpenJK, iortcw, and other id Tech 3 (aka Quake 3 engine) forks. A malicious auto-downloaded file can trigger loading of crafted auto-downloaded files as native code DLLs. A malicious auto-downloaded file can contain configuration defaults that override the user's. Executable bytecode in a malicious auto-downloaded file can set configuration variables to values that will result in unwanted native code DLLs being loaded, resulting in sandbox escape.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 1 |
Nessus
- NASL family: FreeBSD Local Security Checks
- NASL id: FREEBSD_PKG_E48355D7154811E786110090F5F2F347.NASL
- description: The content auto-download of id Tech 3 can be used to deliver maliciously crafted content that triggers downloading of further content and loading and executing it as native code with user credentials. This affects ioquake3, ioUrbanTerror, OpenArena, the original Quake 3 Arena and other forks.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 99259
- published: 2017-04-10
- reporter: This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/99259
- title: FreeBSD : id Tech 3 -- remote code execution vulnerability (e48355d7-1548-11e7-8611-0090f5f2f347)

- NASL family: Debian Local Security Checks
- NASL id: DEBIAN_DSA-3812.NASL
- description: It was discovered that ioquake3, a modified version of the ioQuake3 game engine, performs insufficient restrictions on automatically downloaded content (pk3 files or game code), which allows malicious game servers to modify configuration settings including driver settings.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 97801
- published: 2017-03-20
- reporter: This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/97801
- title: Debian DSA-3812-1 : ioquake3 - security update
References
- http://www.debian.org/security/2017/dsa-3812
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857699
- https://github.com/ioquake/ioq3/commit/376267d534476a875d8b9228149c4ee18b74a4fd
- https://github.com/ioquake/ioq3/commit/b173ac05993f634a42be3d3535e1b158de0c3372
- https://github.com/ioquake/ioq3/commit/f61fe5f6a0419ef4a88d46a128052f2e8352e85d
- https://github.com/iortcw/iortcw/commit/11a83410153756ae350a82ed41b08d128ff7f998
- https://github.com/iortcw/iortcw/commit/b248763e4878ef12d5835ece6600be8334f67da1
- https://github.com/iortcw/iortcw/commit/b6ff2bcb1e4e6976d61e316175c6d7c99860fe20
- https://github.com/JACoders/OpenJK/commit/8956a35e7b91c4a0dd1fa6db1d28c7f0efbab2d7
- https://ioquake3.org/2017/03/13/important-security-update-please-update-ioquake3-immediately/