Title: ID Software Quake 3 "smurf attack" Denial of Service vulnerability
Severity: HIGH
Description:
Quake 3 network play features contain a remotely exploitable denial of service vulnerability.
In establishing a connection, a legitimate Quake 3 client and NetQuake server normally exchange various data in the form of queries and responses.
A hostile client program can be used to generate a large number of forged client queries on behalf of an arbitrary target user - even a user who is not actually attempting to run a Quake 3 client.
Quake 3 performs network communication over Uniform Datagram Protocol (UDP). This protocol is commonly used in online interactive gaming due to the lack of overhead and other speed-associated problems with protocols such as TCP. UDP is a connectionless protocol, which can typically be spoofed by a remote user. When a client sends a query to to server, these queries are sent via UDP.
The server's answer to these queries flood the target user with a large number of reply packets, consuming the target system's network bandwidth and CPU cycles. This allows the unwitting Quake 3 server to be exploited in a denial of service to the target user or users.
It has been reported that other games suffer from similar issues. Additional amplification attacks may be possible through the usage of commands which return detailed information about the game status or server information. In some cases, packets larger than 500 bytes may be sent in response to a 50 byte spoofed UDP packet.
The consequences of this vulnerability are in part aggravated by the availability of server lists on the internet, often updated in real time.
Affected Products:
- Epic Games Unreal Tournament Server 436.0.0
- Sierra Entertainment Half-Life 1.1.0.0.7
- Sierra Entertainment Half-Life 1.1.1.0
- id Software Linux Quake II 3.13.0
- id Software Linux Quake II 3.14.0a
- id Software Linux Quake II 3.15.0
- id Software Linux QuakeWorld 2.1.0
- id Software Linux QuakeWorld 2.2.0
- id Software Quake 1.9.0
- id Software Quake 3 Arena 1.1.7
- id Software Quake 3 Arena 1.1.7
- id Software Quake 3 Arena 1.16.0n
- id Software Quake 3 Arena 1.31.0
- id Software Quake 3 Arena Server 1.29.0f
- id Software Quake 3 Arena Server 1.29.0g
- id Software Quake II 3.13.0
- id Software Quake II 3.14.0
- id Software Quake II Server 3.20.0
- id Software Quake II Server 3.21.0
- id Software QuakeWorld 2.0.0
- id Software QuakeWorld 2.1.0
- id Software Solaris Quake II 3.13.0
- id Software Solaris Quake II 3.14.0
References:
- Tom Vogt <tom@lemuria.org>: Application-Level Reflection Attacks
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
