Multiple Vulnerabilities in OSP Tourney for Quake II
====================================================
Product: OSP Tourney
Version: 2.76
Vendor: Orange Smoothie Productions (http://www.orangesmoothie.org/)
Date: 2007-02-27
Risk: High (possible remote code execution)
URL: http://secur1ty.net/advisories/002
Background
==========
OSP Tourney is a popular tournament modification for Quake II developed by
Orange Smoothie Productions. It is widely used on Windows and Linux Quake II
servers.
Issues
======
1. CRITICAL: Exploitable buffer overflow in the 'teamskin' command
==================================================================
OSP Tourney allows a team captain to set their team skin using the teamskin
command. The length of the user-supplied value is not validated before it is
passed through sprintf() into a 256 byte buffer on the stack. This leads to a
reliable, user-controlled stack overflow which allows for arbitrary code
execution.
2. CRITICAL: Exploitable buffer overflow in the 'kickplayer' command
====================================================================
The length of the username or player ID to be kicked is not checked before it
is copied into a 32 byte buffer on the stack. Reliable remote code execution
is possible.
3. MODERATE: Exploitable buffer overflow in the admin log functions
===================================================================
OSP formats user-supplied data with an unbounded vsprintf(), which can overflow
a stack buffer and allow remote code execution. The impact is mitigated because
the admin log has to be enabled (it is disabled by default) and the vulnerable
functions can only be reached by referees who know the referee_password and are
thus trusted to some degree by the server operator.
4. MODERATE: Non-exploitable vote buffer overflow leads to DoS
==============================================================
OSP Tourney uses a fixed 64 byte buffer in the data segment for storing the
vote string. Many vote types do not validate the length of user supplied text
before copying it into this buffer, resulting in the data segment being
overwritten with arbitrary data. Just below this buffer is a pointer that
is accessed on every client connection, so once this buffer has overflowed, a
subsequent connection will dereference an invalid pointer and crash the
server.
5. MODERATE: Memory disclosure in the 'team' command
====================================================
By specifying an oversized team name to the 'team' command, OSP copies it with
strncpy() into a 16 byte buffer. strncpy() writes no terminating NUL when the
source is 16 bytes or longer, so when the buffer is later treated as a string,
whatever memory follows it is read and disclosed to clients.
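Issues 1, 2 and 5 above (and issue 4, which is the same pattern in the data segment) all reduce to copying or formatting attacker-controlled text into a fixed-size buffer without checking that it fits. The following C is an added illustration written for this advisory; it is not OSP's code, which is not reproduced here. The buffer sizes are the ones the text quotes, the function names are invented, and the hardened variants reject oversized input rather than truncating it silently:

```c
#include <stdio.h>
#include <string.h>

/* Buffer sizes quoted in the advisory: 256 bytes for the teamskin stack buffer
 * (issue 1), 32 for kickplayer (issue 2), 16 for the team name (issue 5).
 * Illustration only; none of this is OSP's code. */
#define SKIN_BUF   256
#define KICK_BUF   32
#define TEAM_BUF   16

/* Issue 5 pattern: strncpy() writes no terminator when the source is at least
 * as long as the destination, so a later printf("%s") runs off the end.
 * Returns 1 if the copied buffer has no NUL anywhere within its bounds. */
int team_name_unterminated(const char *name)
{
    char team[TEAM_BUF];
    strncpy(team, name, sizeof team);          /* the copy the advisory describes */
    return memchr(team, '\0', sizeof team) == NULL;
}

/* Hardened copy for any fixed-size buffer: refuse input that does not fit
 * together with its terminator. Returns 0 on success, -1 if too long. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsz)
        return -1;
    memcpy(dst, src, n + 1);                   /* includes the NUL */
    return 0;
}

/* Issue 1 pattern: formatting user data into a stack buffer. snprintf() bounds
 * the write, and its return value says whether the output was truncated; a
 * truncated skin command is an error, not something to forward to clients. */
int format_skin_cmd(char *dst, size_t dstsz, const char *skin)
{
    int n = snprintf(dst, dstsz, "skin %s\n", skin);
    if (n < 0 || (size_t)n >= dstsz) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}
```

The same `copy_bounded()` check applied to the 64 byte vote buffer of issue 4 would stop the data segment pointer beneath it from being overwritten.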
6. MODERATE: Improper method of kicking clients
===============================================
Admins / referees and the voting system do not kick players correctly. Rather
than issuing a "kick" command, OSP sends an svc_disconnect byte to the client.
A modified client can therefore become immune to any kicks by simply ignoring
the svc_disconnect byte.
7. MODERATE: Insufficient input validation in the 'teamskin' command
====================================================================
In addition to the buffer overflow, special command characters such as the ;
character used to split commands are not checked for. Since OSP uses a stuffcmd
to set the skin on every client, this allows a malicious client to cause
arbitrary Q2 command execution on anyone using the skin by supplying for
example, "teamskin male/grunt;say foo".
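Because the skin name is replayed to every client inside a stuffcmd, each client's console re-parses it, and the ';' separator splits one stuffed line into two commands. The C below is an added illustration for issue 7, not OSP's code: a simplified model of how a console would split the stuffed line, beside an allowlist check that rejects the value before it reaches a stuffcmd. The allowlist (a single "model/skin" path built from letters, digits, '_' and '-') is an assumption about what legitimate Quake II skin names look like:

```c
#include <ctype.h>
#include <string.h>

/* Count the commands a console would execute from one stuffed line, treating
 * ';' and line breaks as separators. Simplified model of the Quake II console
 * parser for illustration; it ignores quoting. */
int count_console_commands(const char *line)
{
    int count = 0, in_cmd = 0;
    for (; *line; line++) {
        if (*line == ';' || *line == '\n' || *line == '\r') {
            in_cmd = 0;
        } else if (!in_cmd) {
            in_cmd = 1;
            count++;
        }
    }
    return count;
}

/* Allowlist check for a skin name. Assumption: a legitimate skin is
 * "model/skin" made of letters, digits, '_' and '-'. Anything else,
 * including ';', quotes, whitespace and control characters, is refused.
 * Returns 1 if the name is acceptable, 0 otherwise. */
int valid_skin_name(const char *skin, size_t maxlen)
{
    size_t len = strlen(skin);
    int slashes = 0;

    if (len == 0 || len > maxlen)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)skin[i];
        if (c == '/') {
            slashes++;
            continue;
        }
        if (!(isalnum(c) || c == '_' || c == '-'))
            return 0;
    }
    /* exactly one separator, and neither component may be empty */
    return slashes == 1 && skin[0] != '/' && skin[len - 1] != '/';
}
```

Rejecting by allowlist is preferable to stripping ';' alone: line breaks, quotes and other characters the console treats specially would otherwise need to be enumerated one by one.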
8. MODERATE: Insufficient input validation in voting commands
=============================================================
No validation is performed on values that the voting functions treat as
numeric. A malicious user can, for example, issue "vote timelimit THIS SERVER
SUCKS": the string evaluates to zero, so OSP accepts it and sets the timelimit
cvar to the literal string, which then becomes visible to server browsers. By
supplying long values for the timelimit and fraglimit, a malicious user can
also exceed the server info string length, which results in incomplete data
being returned to server browsers and possibly (unconfirmed) in crashes.
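A vote value that is meant to be a number should parse completely as one, within a server-chosen range, and be written back to the cvar in canonical form so that its length is bounded. The C below is an added illustration for issue 8 and is not OSP's code; the 0..600 timelimit window and the function names are assumptions:

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Strict integer parse for a vote argument. Unlike atoi(), this rejects
 * empty input, leading whitespace, trailing junk ("20abc", "THIS SERVER
 * SUCKS") and values outside [lo, hi]. Returns 1 and stores the value on
 * success, 0 otherwise. */
int parse_vote_int(const char *text, long lo, long hi, long *out)
{
    char *end;
    long v;

    if (text == NULL || *text == '\0' || isspace((unsigned char)*text))
        return 0;
    errno = 0;
    v = strtol(text, &end, 10);
    if (errno == ERANGE)
        return 0;                  /* does not fit in a long */
    if (*end != '\0')
        return 0;                  /* no digits, or junk after the number */
    if (v < lo || v > hi)
        return 0;
    *out = v;
    return 1;
}

/* Parse a vote argument and write the canonical decimal form into dst, which
 * is what would be handed to the cvar. A bounded number rendered with %ld can
 * never be long enough to overrun the server info string. Returns 0 on
 * success, -1 if the argument is rejected. */
int canonical_vote_value(char *dst, size_t dstsz, const char *text,
                         long lo, long hi)
{
    long v;
    int n;

    if (!parse_vote_int(text, lo, hi, &v))
        return -1;
    n = snprintf(dst, dstsz, "%ld", v);
    if (n < 0 || (size_t)n >= dstsz)
        return -1;
    return 0;
}

/* The advisory's example: a timelimit vote. 0..600 minutes is an assumed
 * server policy, not an OSP default. */
int canonical_timelimit(char *dst, size_t dstsz, const char *text)
{
    return canonical_vote_value(dst, dstsz, text, 0, 600);
}
```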
Vendor Response
===============
The vendor is not expected to release any update, as previously reported issues
have drawn no vendor response.
Workarounds
===========
Workarounds are numbered to match the issues above.
1. Set team_lockskin 1 to prevent clients from using the teamskin command.
2. Use addcommandban to ban the following commands*:
kickplayer
removeplayer
remove
3. Do not enable the server_adminlog cvar.
4. Set vote_enable 0 to prevent clients from using the vote command.
5. Use addcommandban team to prevent use of the team command*.
6. Set sv_svc_disconnect_hack 1 to translate svc_disconnect into a kick*.
7. As for issue 1, set team_lockskin 1 to prevent clients from using the
teamskin command.
8. As for issue 4, set vote_enable 0 to prevent clients from using the vote
command.
* Some of these workarounds require features provided by the R1Q2 engine
modification, available from http://www.r1ch.net/stuff/r1q2/
Fix
===
No fix is available. Server operators may wish to switch to the Battle
modification, which provides similar functionality with fewer bugs. An open
source replacement for both OSP Tourney and Battle is currently under
development.