BUG: security: remote code execution (RCE) bug in clients < 3.6.4 #857
Comments
Yes. I did that in the video :)
mvdsv filters the download command. Think only special admins can download files directly under I can see a scenario where the server has a simple rcon, a stufftext sets that rcon in the client and auths the user towards the server, at which point the download is stuffed, but at that point it's just easier to recompile the server code. mvdsv and ktx have zero blame here, just made it a bit easier to do this without changing the code, thus making it a good proof of concept of a shared server where many people can upload to a If you have total control of the server you can just send such stufftexts directly with any content you want, just requires compiling a new version and I wanted to limit myself to prebuilt binaries usecase. So while this demo has a somewhat rarepepe server side setup, the fact remains that you have no idea who answers on the other side when you connect, and the vulnerability is on the client side.
Wow. This looks pretty bad! Thanks @dsvensson for finding this and for @namtsui for bringing this to my attention.
I've submitted an update to the OpenBSD ports mailing list. Hopefully it will be committed soon.
- 3.6.4 contains security fix preventing download of .so files
  see: QW-Group/ezquake-source@df38450 QW-Group/ezquake-source#857
- use DIST_TUPLE for qwprot and ezquake-source
- use pcre2
- EX_browser_sources.c patch needed another GAMEDIR substitution
- patch for vid_software_palette 1 causing black screen when resizing game window

ok thfr@ and maintainer Tom Murphy
Unfortunately, this issue persists. Here's a video that demonstrates how a malicious server is able to remotely execute The problem is that the server can execute any command it wants on the client by One way to solve this would be to implement a whitelist of commands that are
To be clear, this is a different mechanism than the one found before 3.6.4, but with just as severe effect.
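The two client-side defences the thread touches on, a whitelist for commands a server stuffs into the client (this comment) and a download filter that refuses native libraries (the 3.6.4 fix noted in the OpenBSD ports commit above), as an added example. This is not ezQuake, ktx or mvdsv code: the function names, the contents of the allowlist, the rejected extensions and the sample stufftext are illustrative assumptions, and the splitting rule follows the usual Quake console convention (newline always ends a command, `;` only outside double quotes).

```c
/* Added example, not ezQuake, ktx or mvdsv code: a client-side allowlist for
 * server-stuffed commands and a download-name filter, the two defences the
 * thread discusses. Function names, the allowlist contents and the sample
 * stufftext are illustrative assumptions. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical allowlist: the only commands a server may stuff. */
static const char *const stuff_allow[] = {
    "cmd", "say", "reconnect", "disconnect", "fov", "r_drawviewmodel", NULL
};

/* Constructed sample: two benign commands, a quoted ';' that must not split,
 * and two commands the allowlist drops. */
const char SAMPLE_STUFFTEXT[] =
    "fov 90; cmd say \"a;b\"\nquit;exec evil.cfg\ndisconnect";
char filtered[512];                      /* output buffer for the sample */

static bool ieq(const char *a, const char *b) {       /* case-insensitive == */
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return false;
    return *a == *b;
}

bool stuff_allowed(const char *name) {
    for (int i = 0; stuff_allow[i]; i++)
        if (strcmp(name, stuff_allow[i]) == 0) return true;
    return false;
}

/* Split like a Quake-style console ('\n' always ends a command, ';' only
 * outside double quotes), keep commands whose first token is allowlisted,
 * write them newline-separated to out and return how many were dropped.
 * Over-long commands and ones that do not fit in out are dropped whole,
 * never truncated, so no partial command reaches the interpreter. */
int filter_stufftext(const char *in, char *out, size_t outlen) {
    char cmd[256], name[64];
    size_t n = 0, o = 0, s, k;
    int dropped = 0;
    bool inquote = false, overflow = false;

    for (const char *p = in;; p++) {
        char c = *p;
        if (c == '"') inquote = !inquote;
        if (c != '\0' && c != '\n' && (inquote || c != ';')) {
            if (n < sizeof cmd - 1) cmd[n++] = c; else overflow = true;
            continue;
        }
        cmd[n] = '\0';
        for (s = 0; isspace((unsigned char)cmd[s]); s++) {}
        if (cmd[s]) {                                  /* skip empty commands */
            for (k = 0; cmd[s + k] && !isspace((unsigned char)cmd[s + k]) &&
                        k < sizeof name - 1; k++)
                name[k] = cmd[s + k];
            name[k] = '\0';
            if (!overflow && stuff_allowed(name) && o + (n - s) + 1 < outlen) {
                memcpy(out + o, cmd + s, n - s);
                o += n - s;
                out[o++] = '\n';
            } else {
                dropped++;
            }
        }
        n = 0; inquote = false; overflow = false;
        if (c == '\0') break;
    }
    out[o] = '\0';
    return dropped;
}

/* Accept a download name only if it stays under the game directory and is
 * not a native library. Every dot-separated component is checked, so
 * "libx.so.1" is refused as well as "libx.so"; any ".." is refused, which
 * is stricter than needed but easy to audit. */
bool download_name_ok(const char *name) {
    static const char *const native[] = { "so", "dll", "dylib", "exe", NULL };
    if (!name || !*name || name[0] == '/') return false;
    if (strchr(name, '\\') || strchr(name, ':') || strstr(name, "..")) return false;
    for (const char *p = strchr(name, '.'); p; p = strchr(p + 1, '.')) {
        char comp[16];
        size_t k = 0;
        for (const char *q = p + 1; *q && *q != '.' && *q != '/' && k < sizeof comp - 1; q++)
            comp[k++] = *q;
        comp[k] = '\0';
        for (int i = 0; native[i]; i++)
            if (ieq(comp, native[i])) return false;
    }
    return true;
}

int main(void) {
    int dropped = filter_stufftext(SAMPLE_STUFFTEXT, filtered, sizeof filtered);
    printf("kept:\n%sdropped: %d\n", filtered, dropped);
    printf("maps/dm6.bsp: %d  qw/libx.so.1: %d\n",
           download_name_ok("maps/dm6.bsp"), download_name_ok("qw/libx.so.1"));
    return 0;
}
```

The allowlist is deliberately tiny; the point is that anything the server sends which is not on it never reaches the command interpreter, so a new way of stuffing `exec`, `alias` or a download request gains nothing. The download check is applied to the name the server asks for, not to the file once written, because by then a shared library may already be loadable.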
@dsvensson posted a video revealing that there is a remote code execution bug in ktx and ezquake.
see: https://www.youtube.com/watch?v=fho21K9EOCk
The release notes (https://github.com/QW-Group/ezquake-source/releases/tag/3.6.4) do briefly mention:
DOWNLOAD: Harmonize download filter (dsvensson)
The description in the YouTube video states, "The 3.6.4 release uses the same filter as other types of downloads so that's one step in the right direction."
This was poorly handled. It is not clear from the release notes that there is a security concern at all. This would make it easier for downstream maintainers like @tdm4 and for users to understand that it is important to upgrade.