"save pak0.pak" vulnerability

[Spirit]

Curiosity overwrites the pak file...

If you do a save game with arbitrary names, the engine should check if it might overwrite existing files (and then prompt) and probably make sure the extension is .sav.

I tested Requiem, Quakespasm, Fitzquake, Darkplaces and FTEQW with this.

Fitzquake and by extension Quakespasm are affected as is Darkplaces. FTEQW fails silently and Requiem saves as pak0.sav.

Quakespasm's output on Linux:

]save pak0.pak
Saving game to /home/me/.quakespasm/id1/pak0.pak...

and on the next start:

QUAKE ERROR: ./id1/pak0.pak is not a packfile

Please always append .sav to savegames if the user-supplied name does not already end in .sav!

edit: I hope it is clear that this affects all commands/cvars where filenames are supplied by the user or server!

[Spirit]

It seems like an original bug, I tried it with the shareware. How on earth did this survive 18 years?

QUAKE.EXE even lets me write relative paths like "save ../config.sys", that sounds familiar though and I know some engines have at least that fixed.

I am sure other filesystem writing commands are affected too.

[Spike]

its not just saved games. try it with demos too. and frik_file etc

also, try:
game . ; gamedir . ; save opengl32.dll

[leileilol]

save ..\..\..\..\..\..\msdos.sys
save ..\..\..\..\..\..\ntldr
save ..\..\..\..\..\..\boot.ini
echo "HA I FUCED UR SYSTEM BICH!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"


Yeah this hole is fucking dangerous

Fortunately Windows 7 has VirtualStore these days...

[Spike]

add a clear command followed by a map change or something and they won't even realise you did it.

[szo]

Testing a patch to fix this.

save ..\..\..\..\..\..\msdos.sys
save ..\..\..\..\..\..\ntldr
save ..\..\..\..\..\..\boot.ini
echo "HA I FUCED UR SYSTEM BICH!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"


Yeah this hole is fucking dangerous

Fortunately Windows 7 has VirtualStore these days...

Read the code before posting such a thing.

[szo]

Fixed in the quakespasm svn repository as of rev. 902:
http://sourceforge.net/p/quakespasm/code/902/

[mh]

stuffcmd save pak0.pak

Just saying.

Bye again!

[szo]

stuffcmd save pak0.pak

Well, no longer an issue with quakespasm which will give you a nice and valid pak0.pak.sav now.

[jitspoe]

stuffcmd save pak0.pak

Just saying.

Bye again!

Can you save in a multiplayer game?

[Spike]

stuffcmd(self, "disconnect;maxplayers 1;deathmatch 0;coop 0;map start;save pak0.pak;quit\n");
yes, you can save in a multiplayer game.

[Spirit]

Or just send "record pak0.pak".

I hope it is clear that this affects all commands/cvars where filenames are supplied by the user!

[qbism]

Could happen in SP with an evile progs.dat.

[jitspoe]

stuffcmd(self, "disconnect;maxplayers 1;deathmatch 0;coop 0;map start;save pak0.pak;quit\n");
yes, you can save in a multiplayer game.

Touche.

On the plus side, it looks like this was fixed in Quake2, so idtech2+ based engine users shouldn't have to worry.

[r00k]

Looks like Joe fixed this in JoeQuake long ago,

Code: Select all

void COM_ForceExtension (char *path, char *extension)