The BASHandSlash.com Feed

Friday, June 8, 2007

CoD Client vulnerabilities on the internet

Luigi Auriemma, the software guru whose prolific bug-hunting prowess brought us news of a potential server-side exploit (see related topics), has written to us again here at BASH to confirm that the vulnerability discussed the other day affects servers only - not clients. So players need not worry.

Having said that, he pointed out another bug, this one in Quake 3, which may have been ported over to CoD2 (the Quake 3 engine powers the CoD2 game - albeit in a modified form).

In this bug, the client (player) is vulnerable to a security exploit if they find themselves playing CoD2 multiplayer while linked to a server run by a "black hat" (i.e. hacker) admin.

He has a nice write-up of it here:


Here's a quick description of what this issue is all about:
A) File Overwriting through Automatic Downloading

The Quake 3 engine supports an option called "Automatic Downloading" which allows the clients to automatically download PK3 files (maps and mods) available on the server but not locally.

This option is disabled by default for security reasons...this check can be bypassed through the ...bug described in this advisory, so an attacker can overwrite any file in any disk of the computer in which Quake 3 is running.

B) cvar overwrite with possible info stealing

In short, Luigi is saying that it is possible to overwrite or create any client cvar, even those that are write protected!

Fixes

Bug A) Turn off "Automatic Downloading" feature - unless you are on a trusted server.
Bug B) No fix is available for bug B.

The latter depressing news is not too bad as long as you stay on "trusted" servers. "Black hat" server admins however may be able to create a viable security breach on your computer based on B, but as Luigi, comfortingly, says:

...they are difficult to exploit.
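For the fix to Bug A, here is one way a player could check whether "Automatic Downloading" is switched on in a client config file. This is an added example, not code from Luigi's advisory or from the game. It assumes the option is stored under the Quake 3 engine cvar name `cl_allowDownload` (the post does not name the cvar) and that the config uses Quake 3 style `set`/`seta` lines; the sample config is constructed.

```python
import re

# Assumption: the option is the Quake 3 engine cvar cl_allowDownload.
CVAR = "cl_allowdownload"
# Matches set/seta/sets/setu <name> <value>; the value may be double-quoted.
SET_RE = re.compile(r'^\s*set[asu]?\s+(\S+)\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)

def strip_comment(line):
    """Drop a // comment unless it sits inside a quoted value."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif not in_quotes and line.startswith("//", i):
            return line[:i]
    return line

def auto_download_state(cfg_text):
    """Return (enabled, line_no) of the last assignment, or (False, None) if unset."""
    enabled, where = False, None  # the option is disabled by default
    for no, raw in enumerate(cfg_text.splitlines(), 1):
        # Several commands may share a line, separated by ';'.
        for cmd in strip_comment(raw).split(";"):
            m = SET_RE.match(cmd)
            if not m or m.group(1).lower() != CVAR:  # cvar names are case-insensitive
                continue
            value = m.group(2) if m.group(2) is not None else m.group(3)
            try:
                enabled = int(value) != 0
            except ValueError:
                enabled = False  # a non-numeric value reads as 0
            where = no  # later assignments override earlier ones
    return enabled, where

# Constructed sample config, not taken from a real installation.
SAMPLE_CFG = '''// constructed sample config
seta cl_allowDownload "0"
seta name "player" // comment mentioning seta cl_allowDownload "1"
bind F1 "vote yes"; SET CL_ALLOWDOWNLOAD 1
'''

if __name__ == "__main__":
    on, line = auto_download_state(SAMPLE_CFG)
    print("Automatic Downloading:", "ON" if on else "off", "(line %s)" % line)
```

The last assignment wins, so a config that sets the value to 0 near the top can still end up with downloads enabled by a later line.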


Related topics:

CoD2 Server Vulnerability