Product: OSP Tourney
Version: 2.76
Vendor: Orange Smoothie Productions
Date: 2007-02-27
Risk: High (possible remote code execution)

Background
==========

OSP Tourney is a popular tournament modification for Quake II developed by Orange Smoothie Productions. It is widely used on Windows and Linux Quake II servers.

Issues
======

1. CRITICAL: Exploitable buffer overflow in the 'teamskin' command
==================================================================

OSP Tourney allows a team captain to set their team skin using the teamskin command. No length validation is performed before the user-supplied value is passed through sprintf() into a 256 byte buffer on the stack. This leads to a reliable, user-controlled stack overflow which allows arbitrary code execution.

2. CRITICAL: Exploitable buffer overflow in the 'kickplayer' command
====================================================================

The length of the username or player ID to be kicked is not checked before it is copied into a 32 byte buffer on the stack. Reliable remote code execution is possible.

3. MODERATE: Exploitable buffer overflow in the admin log functions
===================================================================

OSP performs an unbounded vsprintf() on user-supplied data, which can cause a stack-based overflow leading to remote code execution. The impact of this vulnerability is mitigated, however, since the admin log has to be enabled (it is disabled by default) and the vulnerable functions can only be reached by referees who know the referee_password and are thus trusted to some degree by the server operator.

4. MODERATE: Non-exploitable vote buffer overflow leads to DoS
==============================================================

OSP Tourney uses a fixed 64 byte buffer in the data segment for storing the vote string. Many vote types do not validate the length of user-supplied text before copying it into this buffer, so the data segment following the buffer is overwritten with arbitrary data.

Just below this buffer is a pointer that is accessed on every client connection, so once the buffer has overflowed, the next connection will dereference an invalid pointer and crash the server.

5. MODERATE: Memory disclosure in the 'team' command
====================================================

When an oversized team name is given to the 'team' command, OSP uses strncpy() to copy it into a 16 byte buffer but fails to NUL-terminate the buffer when the name is truncated, leading to disclosure of whatever memory follows the buffer.

6. MODERATE: Improper method of kicking clients
===============================================

Admins, referees and the voting system do not kick players correctly. Rather than issuing a "kick" command, OSP sends an svc_disconnect byte to the client. A modified client can therefore become immune to any kick simply by ignoring the svc_disconnect byte.

7. MODERATE: Insufficient input validation in the 'teamskin' command
====================================================================

In addition to the buffer overflow, special command characters such as the ';' character used to separate commands are not checked for. Since OSP uses a stuffcmd to set the skin on every client, this allows a malicious client to cause arbitrary Q2 command execution on every client using the skin by supplying, for example, "teamskin male/grunt;say foo".

8. MODERATE: Insufficient input validation in voting commands
=============================================================

No validation is performed on values that are to be treated as numeric in the voting functions. A malicious user can, for example, issue "vote timelimit THIS SERVER SUCKS"; since the string evaluates to zero, OSP sets the timelimit to the supplied string, which then becomes visible to server browsers.

By specifying long values for the timelimit and fraglimit, a malicious user can cause the maximum server info string length to be exceeded, which results in incomplete data being returned to server browsers as well as possible (unconfirmed) crashes.

Vendor Response
===============

It is not expected that the vendor will release any updates, as previous issues have not warranted any vendor response.

Workarounds
===========

1. Set team_lockskin 1 to prevent clients from using the teamskin command.
2. Use addcommandban to ban the following commands*: kickplayer, removeplayer, remove.
3. Do not enable the server_adminlog cvar.
4. Set vote_enable 0 to prevent clients from using the vote command.
5. Use addcommandban team to prevent use of the team command*.
6. Set sv_svc_disconnect_hack 1 to translate svc_disconnect into a kick*.
7. Set team_lockskin 1 to prevent clients from using the teamskin command.
8. Set vote_enable 0 to prevent clients from using the vote command.

* Some of these workarounds require features provided by the R1Q2 engine modification, available from http://www.r1ch.net/stuff/r1q2/

Fix
===

No fix. Server operators may wish to switch to the Battle modification, which provides similar functionality with fewer bugs. An open source replacement for both OSP Tourney and Battle is currently under development.
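The following is an added example, not OSP Tourney's code, showing hardened handling of the two inputs behind issues 5 and 7: a bounded, always NUL-terminated copy for the 16 byte team name, and an allow-list check on the skin name before it is ever placed in a stuffcmd. The 16 and 256 byte sizes come from the advisory; the allowed skin character set is an assumption.

```c
/* Added example (not OSP Tourney's code). Buffer sizes are taken from the
 * advisory; the allow-listed skin characters are an assumption. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define TEAM_NAME_LEN 16
#define SKIN_NAME_LEN 256

/* Issue 5 fix: copy the team name only if it fits including the terminator,
 * so the buffer is always NUL-terminated and never leaks trailing memory.
 * Returns true on success, false (and an empty buffer) if the name is too long. */
bool set_team_name(char dst[TEAM_NAME_LEN], const char *src)
{
    size_t n = strlen(src);
    if (n >= TEAM_NAME_LEN) {
        dst[0] = '\0';          /* reject oversized names outright */
        return false;
    }
    memcpy(dst, src, n + 1);    /* n + 1 copies the terminating NUL */
    return true;
}

/* Issue 7 fix: the skin name is forwarded to every client via stuffcmd, so it
 * must be short and free of anything the client console could treat as a
 * command separator or quote. An allow-list is safer than blocking ';' alone
 * (assumed allow-list: alphanumerics, '/', '_', '-', '.'). The length check
 * also keeps the value inside the 256 byte buffer from issue 1. */
bool skin_is_safe(const char *skin)
{
    size_t n = strlen(skin);
    if (n == 0 || n >= SKIN_NAME_LEN)
        return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)skin[i];
        if (!(isalnum(c) || c == '/' || c == '_' || c == '-' || c == '.'))
            return false;
    }
    return true;
}
```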