
[Applause] Thank you. So by day I'm working at LogicalTrust, where I'm doing penetration testing and red teaming, and this is what I'm going to present today. But by night I also spend some time on open source projects, helping them to be more secure. I'm not going to ask you if you know the NetBSD project, because it's always a sad moment for me. But let me ask you, have you ever played Quake before? Like the first version of Quake, Quake One. Great. So we're going to play it again. Also I play CTFs in one of the best Czech teams currently; we are now in, if you want to help us keep that place, then just find us and tell us that you want to play with us, because otherwise Czech Cyber Team is going to catch us by the end of the year, so we will greatly appreciate that.

And as promised, I'm going to talk a little bit about red teaming. You might wonder what the connection is between this picture and red teaming. Actually, this is the only public domain picture of red teaming I managed to find on the internet. But the story is that we were contracted by a company which told us that we can do anything we want, even kidnapping people, except like three people from the board, because they need some legal representation, and a few people from IT, because only they know how the production is working. But besides that there were no limits. As you can see, I'm not a kidnapper. So we decided to go with a slightly different approach. Oops, not this one. So good reconnaissance is the foundation of every successful red teaming. And when we did that, we found out that only two services are publicly available on the internet for everyone. And the first one was this service. Can you tell me what software we have encountered, just to see if you are still with me? Yes. It's OpenSSH. And the second question is, what is the probability of finding a zero day in OpenSSH to gain a shell? Like almost zero, right? So likely if we found something I would not be here, right? Because either I'm going to be very rich or famous. So it wasn't OpenSSH. So the second service was an Apache server with a static HTML website. So what is the probability of finding a zero day that will let you gain a shell in Apache? Slightly, I would say slightly bigger than in OpenSSH, but still zero, right?

So at that point I started to be a little bit nervous and I signed up for the gym, just, you know, to build muscles to kidnap people. But when I was at the gym, I thought that maybe we overlooked something, and I started to browse, you know, the internet, looking for traces of the domain that was in the target, blah blah blah, and we found some logs from IRC servers. For younger people who are not aware what IRC is, IRC is basically Slack but for old people. So I am quite old. I don't use Arch, by the way. But we found out that on some Quake channel, one guy was inviting somebody to play on a server that was in the domain that was in the scope of our red teaming exercise. So I thought, hm, let's give it a try. At the time, I was also a Quake player. I played almost daily. So I did it quickly and we successfully connected to a Quake server. So among all the services that we have found, like Apache, OpenSSH, Quake, and maybe kidnapping people, what do you think? What is the easiest way to gain a shell? Likely it's going to be Quake, right? Like, the game itself was released in 1996.

And can you recognize this man? He's a very famous programmer. Yes, he's John Carmack. He's one of the biggest players in game programming. Right now he's retired from game programming, but he's still active in computer science. But he was a tough guy at the time, and you can say that because, I'm not sure if you see the keyboard that he had, but when I showed this picture to my friend he went crazy, because he is a hardcore keyboard fan and it's an IBM something-something model, and if you own this one, you're the guy. And you can also see that because the CRT monitor that he had at the time was huge. So he was somebody, right? But he also was a computer wizard, and computers were present in his life almost since the beginning, because when he was 14 he tried to steal an Apple II computer from his school and he ended up in a juvenile detention center for a year. So he was ready to sacrifice a lot for computers. And there was also another team member in id Software. Can you recognize this man? What is his name? No, it's not David Hasselhoff. However, it could be, right? If we make a movie about the life of this man, we can hire Hasselhoff. So any other ideas? Sorry. Yeah. Well, this is John Romero, who was responsible for game design, level design, etc. So he's also quite known in the game world. And sorry, it should be the Final Doom icon, maybe, let's discuss it later. So both of them wanted to make, after Doom, they thought that maybe it's time for a Dungeons and Dragons themed game, and they tried to do it, but because of some constraints they were forced to release the game, and maybe it's time for me to shut up and just show you the game. It's not just the Dungeons and Dragons game. Thank god.

So maybe I will show you single player, because at the beginning single player was the most important part of the game. Basically it's the first really 3D game that was released. And how many of you prefer Duke Nukem 3D instead of Quake? Okay, so I need to memorize your faces, because I hate Duke Nukem 3D, and the 3D in Duke Nukem was a fake one, because Duke Nukem 3D wasn't a real 3D game, right? Because monsters were not 3D models. It was just a sprite or something like this. So I will just quickly show you how the game looked. It's going to be brutal. So if you're sensitive, please close your eyes. So it's, as I said, full 3D. There are some fun things, bad things. And when my son was observing how I prepared for this talk, I told him not to look at the screen because there is blood. And he was like, where? So as you can see the game was really brutal and, you know, it had bad press, right, because it will cause damage to young people, blah blah blah. And single player, so it's fun to play, but not as fun as the multiplayer game.

So let's get back to the presentation to show the other advantages that Quake had. Oh yes, and one important thing is that id Software, after a few years, when they think that the game is irrelevant anymore, they release the source code under some liberal license. Like for example Quake was released under the GPL license, and it let people port it to many, many platforms. For some reason, somebody made a port to an oscilloscope. We are not going to analyze it, but I think that recently Doom was ported to a pregnancy test, right? I'm not sure. Fact check it, but I'm pretty sure it's true. So thanks to the game being released open source, it is alive till today, and the version of Quake I showed you is ezQuake, which is the pretty standard Quake client these days. But it's still played online in many countries, including Czechia. I'm aware that there are some players from Czechia here in the room; you can try to reveal them. But there is more trivia about the game. So the guy right here is John Carmack. Here is an Wang. And they were id Software employees. And I'm not sure who this creature is, but the red eyes are haunting. But I wanted to ask about this guy. Yes, it's Reznor, who is a very famous person in the industrial scene. I think that he's going to play a Nine Inch Nails show in Turkey this year. I think so. At least he's going to Poland. I'm from Poland, so I'm proud of it. But likely he will try to make a show here, too. Anyway, he wrote the soundtrack to Quake, and the deal was that id Software couldn't advertise that NIN made the soundtrack to the game. It was just an audio CD, because the CD with the game had two tracks. One was the data track and the other the audio CD, and the audio CD was done by Nine Inch Nails. It's a dark ambient album, and you shouldn't listen to that if you are alone at home, because it's haunting. And also what is nice is that recently they released a vinyl version of it, and because the vinyl had four sides and only three sides were allocated to the music, the fourth side was used to, it contains the code of the game, but for some reason they made it uppercase, so it won't compile. But it's cool anyway, right?

So, yeah, so we decided to hack Quake, or try to, with constraints, and one of the biggest constraints that we had is that we weren't looking for memory corruption bugs. This is a classic article that was released in Phrack magazine. I'm pretty sure you know this one. It's Smashing the Stack for Fun and Profit. And at the moment of the release of Quake, Carmack was aware that memory corruptions are bad, but maybe he wasn't aware that they can lead to remote code execution. But anyway, exploiting a memory corruption remotely can be a non-trivial task, and maybe we had just one shot to do it, because otherwise we could crash the server and we weren't sure if it was going to auto-start or not. So we decided to not reinvent the wheel and browse the, again, we searched the internet. And maybe I'll show you something important before I go further with the story. I prepared a local version of a server, and modern Quake servers are based on two components. The first is called MVDSV, which is a basic server. It's just a plain server that lets you play very basic types of game, but there is also KTX, which adds more functionality to this server. So instead of playing free for all you can play, like, two on two, or one on one, or four on four, or capture the flag, blah blah blah. So basically if you are a modern Quake player you want to play on a server that consists of those two components, KTX and MVDSV.

So instead of trying to find a zero day, we thought that maybe there are some known issues, and we decided to browse a Quake forum, and we found that one guy from Brazil wrote something interesting, that there is some bug in Quake that lets you issue commands on the server shell, whatever it means, because the whole thread does not contain any useful information about where the bug is or if it's true or not. But we decided to correlate the date of the post with the commits. And we found out that there is something interesting there, like one of the lines is commented. And what is important here? I will try to make it a little bit larger for you. Can you see it from the last row? Yeah. So it says "warning full access to server console". Hm, it looks suspicious. So maybe it's something around there. So basically this line is executed if you are in something called rcon mode, and rcon stands for, I think, remote control or something like this. So basically you need to be a server administrator. So the question is how to become a server administrator.

But before I show you the bug, I want to do a quick 101 crash course on the Quake protocol. So if a client connects to the server, it sends some basic information about the player: the name, color of pants, color of shirt, and some other variables, and those variables are prefixed with a star. For some reason they designed the protocol that way. So I started reading the code, and maybe it's a little bit too big right now, because I'm pretty sure you are not fluent in C, at least not after 8 hours of the conference. So let me briefly tell you what the code does here. So there is a command to change the current mode of the game. So you can change from a normal mode to an administrator mode. And unfortunately, when we look at the code, it turned out that indeed there is a bug, well, the bug is here, because it doesn't use constant-time checking. So we can get one bit of information, like how many bytes of the password are good or not, but it will require a few billion probes. So maybe it's not the way to hack it, right? Because from a cryptography point of view it's a deadly mistake, but to be honest, in our red teaming it wasn't an option. So I decided to read the whole code and I found something interesting: there was a small fraction of this function that lets you set the last mode you had before. Like, if you for example were an administrator and issue a command "give me the last mode", it will make you an administrator again. So there is a small logic bug: when you connect to this server you can say that my last mode was administrator mode. So if you issue the command, you will become a server administrator. And somebody thought that it can be an issue and wrote a sanity check for that, but over the years it got commented out for some reason, I don't know why.

So let's try to exploit it and become a server administrator. So to do that I had to patch the Quake client, and this is the patch. So if we connect to a server, we just declare that the last mode was four, and four stands in Quake language for rcon mode. So let's try to execute it. So I'm connected to the server, and when I try to issue a command, which is issued by a subcommand "say", like for example "say status", it just says "status" to all players on the server. But if I now try to use the trick that I just described, "mode last", now I see that the last mode was rcon. Maybe I'm a system administrator, not a system, a Quake administrator, right? So if I issue "say status" now, it executed a status command that is meant for administrators. It doesn't do anything important here. But if we are, for example, administrator, we can do something like this and kick people from the server. So as a Quake player, it's a big deal for me, right? So what I did, I brought the issue to the company that hired us and told them, hey, you know, you've got a big problem, because there is a Quake server and we found a zero day to become, or not a zero day, but we exploited a bug that let us be a server administrator. So what can you do with it, they asked us, and like, we can kick people, ban people, change maps, and they told me, like, okay, we can handle it. What do you mean you can handle it? Right. So they told me that we need something stronger.

So what we did, we decided to read the whole code of the Quake server, and we encountered an interesting part in commands that were gluing some components with Unix systems. It was running on top of Linux. So this code was present on the server, and can you smell the bug from this line? What is the problem? Like, these parameters are taken from the user, from the administrator basically. But we know how to become an administrator. So the question is if you can spot any issue here. No, no buffer overflow. No memory corruption. No memory corruption. Yes, there is basically a shell injection, because this argument is passed to a system function that simply runs it almost as a shell script. So we can put here some characters like pipes, etc., and try to execute different commands. So if we know how to become administrator, we can try to exploit it. So let's try to do it.

Let me connect to the server again. Okay. So first I need to become a server administrator. So I will use "mode last" to become administrator, and we are in rcon mode. And now I'll try to spawn a shell. I assume that netcat, which is a basic tool, is already present on the server, but there are many, many ways to plant a reverse shell or shell, whatever. This is just one of the ways, and it's good enough for our presentation purposes. But first of all, I would like to show you that I'm not lying. When I try to connect to port 99999, it says that the connection is refused, because nothing is listening there. So let's try to run netcat on the server to spawn a shell for us. So I need to execute a script command. Now I'll do, oh, maybe not that long. And now I put a pipe. So now we can try to use netcat. Okay. So it's a live demo, so I hope it's going to work. Do you think it's going to work? Are you with me? Yeah. Thank you. So let's try. Okay. Nothing has happened, but in the background maybe the shell was spawned. So let's try. And yeah, we are on the server. So we exploited Quake to get a remote shell. Great. [Applause]

But it's not the end of the story, because now we are sitting on a zero day bug, which is quite trivial, but still it's a zero day bug, and the problem at the time when we found it is that it was almost abandonware, so everyone was using the code but nobody was responsible for it anymore. Like, there were many GitHub repositories that contain that code, and we didn't really know what to do. So we decided to choose the most starred GitHub repository and contacted the owner and let him know that there is a bug, and he was like, hm, it looks bad. So maybe let's try to fix it, but in a way that nobody knows there is a bug. Okay. Like, it's fair enough, since nobody was responsible for it, and we didn't want to make a Quake apocalypse, then okay, let's do it that way. So I wrote a patch, we committed it, it was merged, but the commit message was like "do not use system" or something like that. So the commit message was a little bit obscure, and people started asking what's going on, and if you remember the Brazilian guy, oops, too far, whoops, if you remember the Brazilian guy, he found this thread and was really shocked that we are professionalizing KTX. So he knew, he knew. So the bug was fixed a long time ago, and because, as I said, we didn't want to make a Quake apocalypse, that's why we kept this for years and didn't talk about it. And the end of the story of the red teaming was that we really got root access to the server, but it was just a virtual machine with nothing else. But the problem was that the administrator of the server took the VM image from a mother image that contains the same credentials as the other machines. Right? So we were able to reuse credentials and attack the rest of the infrastructure.

And now if you are going to play Quake today or in the future, or you haven't finished the single player game, then close your eyes, because I'm going to show you the last slide. It's the Quake ending. So if you end the game, it's all that was waiting for you. So I salute you that you were with me during the journey. Thank you very, very much. And if you have any questions, I'm ready to answer, but I'll also be around. So thank you. [Applause]

Do you have any questions or remarks? Yeah, there is a question. Turn on the microphone.

Yeah, thank you. So it looks complicated, but to be honest, it took us like two days, because, you know, the code from id Software was pretty robust code. But the problem with the repositories I showed is that a lot of people started to commit random code to it. So it wasn't consistent and there were a lot of really basic mistakes. But the one I showed you was just the easiest to exploit; there were many more. So it was rather easy. It looks complicated, but it took us like two days. Any other questions here? You can wait for the microphone.

Just wondering, I think you mentioned it, but when did you patch this out?

Oh, it was patched like many years ago, like almost 10 or something like this. Yeah. So it's an old story. Yeah. Thanks. But what has changed now is that the Quake server is maintained by some kind of a group. So all the repositories finally merged, and there is a group that is responsible for developing it. So that's nice. Any other questions? Oh, there is a question. At the last row.

Yeah, thanks for the talk. Just a quick question. I have a t-shirt at home that has Duke Nukem on it. I'm just wondering if you want it.

Yeah. We can burn it tomorrow. So bring it in. Yeah. Okay. No more questions. I'll be around soon. Thank you very much.
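The two KTX defects the talk walks through, the client-controlled "last mode" and an rcon argument reaching system(), written up from the fixing side as an added C example. This is not code from the talk or from KTX/MVDSV; the struct layout, function names and the ./scripts/run.sh path are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

enum { MODE_NORMAL = 0, MODE_RCON = 4 };   /* 4 = rcon mode, as in the talk */

/* Server-side record of one client (assumed layout, not KTX's). */
typedef struct {
    int mode;               /* current mode */
    int last_mode_granted;  /* written only when the server grants a mode */
    int last_mode_claimed;  /* star-prefixed value the client sent on connect */
} client_t;

/* "mode last" as the talk describes it did c->mode = c->last_mode_claimed,
 * so a client connecting with last mode = 4 became rcon without any password
 * check. The fix restores only a mode this server itself granted earlier in
 * the session; the client-supplied value plays no part in the decision. */
int mode_last_safe(client_t *c)
{
    c->mode = (c->last_mode_granted == MODE_RCON) ? MODE_RCON : MODE_NORMAL;
    return c->mode;
}

/* Bug 2: an rcon-supplied argument is glued into a command line for system(),
 * which runs it through /bin/sh, so '|', ';', '`', '$' become shell syntax. */
void run_script_vulnerable(const char *arg)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "./scripts/run.sh %s", arg);
    system(cmd);
}

/* Fix, part A: allowlist the argument (letters, digits, '_', '-', '.'). */
int arg_is_safe(const char *arg)
{
    size_t n = strlen(arg);
    if (n == 0 || n > 64) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char ch = (unsigned char)arg[i];
        if (!isalnum(ch) && ch != '_' && ch != '-' && ch != '.') return 0;
    }
    return 1;
}

/* Fix, part B: pass the argument as its own argv element to execvp(), so no
 * shell parses it. Returns the script's exit status, or -1 if rejected. */
int run_script_safe(const char *arg)
{
    if (!arg_is_safe(arg)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "./scripts/run.sh", (char *)arg, NULL };
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

A server-side audit log of every rejected argument is the cheap detection companion to this fix, since a legitimate rcon user has no reason to send shell metacharacters.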