I'm sorry if this has been addressed before, I can't find it.
When you connect to a server, it's possible to autodownload .PK3s, which in turn may contain .DLLs. Wouldn't this allow to take complete control of the machine (install virus, etc.)?
In Quake3, only QVMs (Quake Virtual Machines) were allowed inside PK3s, and those couldn't cause much harm (in fact, this was a motivation behind the .QVM desing, along with portability).
Auto-downloading executable code?
Moderators: Forum moderators, developers
this is possible but , (i talk from my limited programming experiences!)
A) they have to be executed. ET.exe loads the lib's, but it won't load whatever what lib, only the ET libs.
B) Libraries are libraries. They contain functions classes and their definitions and declarations. You can write for instance a function format_c() but i am sure ET.exe will never execute that function.
Again, afaik.
A) they have to be executed. ET.exe loads the lib's, but it won't load whatever what lib, only the ET libs.
B) Libraries are libraries. They contain functions classes and their definitions and declarations. You can write for instance a function format_c() but i am sure ET.exe will never execute that function.
Again, afaik.
-
Anonymous2
- Posts: 3
- Joined: Sat Mar 18, 2006 5:20 pm
-
Anonymous2
- Posts: 3
- Joined: Sat Mar 18, 2006 5:20 pm
Of course somebody needs to run a malicious server for this to happen.
What is not so "of couse" is that this should be allowed: games should *NEVER* autodownload executable code. Servers are not to be trusted, anybody may run a malicious one.
So everytime you connect it's a lottery :'(
OTOH, I doubt the media handling code (images, models, maps, PK3 ZIP itselves) is free of buffer overflows of stuff like that so you'd have more attack vectors over there... It's not like it doesn't crash on invalid/random data/garbage.
Oh well, I guess the safest thing to do is run ET.exe with very limited user account permissions... but I guess PB will get angry... bah
What is not so "of couse" is that this should be allowed: games should *NEVER* autodownload executable code. Servers are not to be trusted, anybody may run a malicious one.
So everytime you connect it's a lottery :'(
OTOH, I doubt the media handling code (images, models, maps, PK3 ZIP itselves) is free of buffer overflows of stuff like that so you'd have more attack vectors over there... It's not like it doesn't crash on invalid/random data/garbage.
Oh well, I guess the safest thing to do is run ET.exe with very limited user account permissions... but I guess PB will get angry... bah
Re: Auto-downloading executable code?
Short answer is yes. ET extracts and runs the cgame and ui dlls from a .pk3 file in fs_game. (I assume it uses the first .pk3 it finds in the search order with these .dlls, although I haven't actually tested multiple .pk3 files with the .dlls in them. The search order is normally reverse alphabetical.)Anonymous2 wrote:I'm sorry if this has been addressed before, I can't find it.
When you connect to a server, it's possible to autodownload .PK3s, which in turn may contain .DLLs. Wouldn't this allow to take complete control of the machine (install virus, etc.)?
FWIW, qvms had vulnerabilities too. AFAIK, the main motivation for QVMs was portability rather than security. There certainly have also been bugs where invalid data from the server could cause an overflow on the client.In Quake3, only QVMs (Quake Virtual Machines) were allowed inside PK3s, and those couldn't cause much harm (in fact, this was a motivation behind the .QVM desing, along with portability).
You should be able to still run ET on a very limited account under linux. If you are very paranoid, you might be able to run it under something like vmware.Oh well, I guess the safest thing to do is run ET.exe with very limited user account permissions... but I guess PB will get angry... bah
You can also turn auto downloads off, and then manually download any files required by the server. That way you can ensure that you get any mods from their authors official site, rather than the server.
send lawyers, guns and money
-
=FF=im2good4u
- Posts: 3821
- Joined: Wed Feb 05, 2003 7:30 am
- Location: The Netherlands, HOLLAND
- Contact:
if u got multiple packs the dlls are loaded just like any other things in a .pk3 is laoded
first out of the fs_dir if not fonud i tryis "etmain"
if more thne 1 match in the fs_game tthen it will look at the name of the .pk3 like files whit zzzz will be laoded over aaaa
but yeh its indeed a risk and i also hears something aout et downloding and running artbinary code or wutever it was lol.
first out of the fs_dir if not fonud i tryis "etmain"
if more thne 1 match in the fs_game tthen it will look at the name of the .pk3 like files whit zzzz will be laoded over aaaa
but yeh its indeed a risk and i also hears something aout et downloding and running artbinary code or wutever it was lol.
<a href="http://bunnyherolabs.com/adopt/showpet. ... dQ=="><img src="http://petimage.bunnyherolabs.com/adopt ... Q0dQ==.png" width="80" height="100" border="0"></a>
Re: Auto-downloading executable code?
quake3 allowed DLLs inside pk3s also. in fact it looks for a dll before it looks for a qvm.Anonymous2 wrote:I'm sorry if this has been addressed before, I can't find it.
When you connect to a server, it's possible to autodownload .PK3s, which in turn may contain .DLLs. Wouldn't this allow to take complete control of the machine (install virus, etc.)?
In Quake3, only QVMs (Quake Virtual Machines) were allowed inside PK3s, and those couldn't cause much harm (in fact, this was a motivation behind the .QVM desing, along with portability).
it is possible to break out of QVMs and cause damage though.
if you dont trust a server, dont connect. simple as that. same goes for everything else on the intarweb.