BUG: security: remote code execution (RCE) bug in clients < 3.6.4 about ezquake-source HOT 5 OPEN

• What is this bug? Can a malicious server admin force a shared object file to download and execute arbitrary code as shown in the video?

Yes. I did that in the video :)

• What versions of ezquake / mvdsv / ktx are affected by this bug?

mvdsv filters the download command. Think only special admins can download files directly under /qw/* so it would take some more injection trickery to authenticate the user as such which is why I instead used FTE to serve for the demo.

I can see a scenario where the server has a simple rcon, a stufftext sets that rcon in the client and auths the user towards the server, at which point the download is stuffed, but at that point it's just easier to recompile the server code.

mvdsv and ktx have zero blame here, just made it a bit easier to do this without changing the code, thus making it a good proof of concept of a shared server where many people can upload to a /qw/* directory via ftp/sftp/http, but otherwise have no control over the server.

If you have total control of the server you can just send such stufftexts directly with any content you want, just requires compiling a new version and I wanted to limit myself to prebuilt binaries usecase.

So while this demo has a somewhat rarepepe server side setup, the fact remains that you have no idea who answers on the other side when you connect, and the vulnerability is on the client side.

from ezquake-source.

Wow. This looks pretty bad! Thanks @dsvensson for finding this and for @namtsui for bringing this to my attention.
I've just submitted an update for games/mvdsv to OpenBSD ports and now with the DIST_TUPLE mechanism, I can update ezquake to the latest as well.

from ezquake-source.

I've submitted an update to the OpenBSD ports mailing list. Hopefully it will be committed soon.

from ezquake-source.