Bugtraq mailing list archives

QuakeI server serious hole (yawn)
From: chris () ferret lmh ox ac uk (Chris Evans)
Date: Mon, 6 Apr 1998 23:38:42 +0100


Latest in the series of "Quake security holes". I hope this is (publicly)
new info at least.

First let me note ID appear to be aware of the hole, as it appears to be
fixed in server 1.07+. 1.06 appears vulnerable.

You can do better than DoS with this one; you can compromise the account
the server is running under. In the case of NT servers, this probably
means complete compromise.

Basically, it appears that the message string given in a "tell" command is
stuffed into a buffer on the stack with no bounds checking. Tests seem to
show this buffer at 64 bytes (to the nearest power of two).

i.e., log onto your favourite quake server, at the console type

tell noone sdfhkajsdhfkjasdhfkjsahdfkjfkjasdhf <- fill up the line with
                                                  some crap

*CRASH*. Better upgrade... if I'm bored one day I'll write an exploit.
NOTE. The average NT server appears to be running vulnerable versions. On
Linux v1.07 is _much_ more common.

I've got some more quakeI holes coming up soon...
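
The unchecked stack copy described in the post, next to a bounds-checked version that rejects oversized messages. This is an added example, not part of the original post and not id Software's code; the function names and the 64-byte `TELL_BUF` (the size the post infers from testing) are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define TELL_BUF 64   /* assumed: the buffer size the post infers */

/* Unchecked pattern the post describes (hypothetical reconstruction):
 * a message of TELL_BUF bytes or more writes past buf on the stack. */
size_t tell_unchecked(const char *msg)
{
    char buf[TELL_BUF];
    strcpy(buf, msg);                     /* no length check */
    return strlen(buf);
}

/* Checked form: copy only if the message plus its NUL fits in out[outsz].
 * Returns 0 on success, -1 if the message is too long (rejected whole). */
int tell_checked(const char *msg, char *out, size_t outsz)
{
    size_t n = 0;
    while (n < outsz && msg[n] != '\0')   /* never scans past outsz bytes */
        n++;
    if (n == outsz)
        return -1;                        /* no room for the terminator */
    memcpy(out, msg, n + 1);
    return 0;
}

int main(void)
{
    char buf[TELL_BUF];
    char longmsg[200];                    /* constructed oversized input */
    memset(longmsg, 'a', sizeof longmsg - 1);
    longmsg[sizeof longmsg - 1] = '\0';

    printf("short message: %d\n", tell_checked("hello", buf, sizeof buf));
    printf("long message:  %d\n", tell_checked(longmsg, buf, sizeof buf));
    return 0;
}
```

Rejecting the message rather than truncating it keeps the handler's behaviour unambiguous at the boundary: 63 bytes fit, 64 do not.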

