Home page logo

bugtraq logo Bugtraq mailing list archives

QuakeI client: serious holes.
From: chris () FERRET LMH OX AC UK (Chris Evans)
Date: Wed, 8 Apr 1998 07:18:09 +0100


As promised, more QuakeI holes. And I'd put no small number of pints on
the fact there are parallels in QW client and maybe Q2 client.

Basically, the client is careless at parsing certain server messages. This
includes but is by no means limited to:

1) List of precache paths. Each arbitrary length precache string the
server gives the client, is stuffed into a 64 byte buffer ON THE STACK.
Ouch. This conversation of precaching is part of connection.

2) Careless parsing of server name/address etc. when querying status.
Again strings are stuffed into fixed length buffers..

3) Server can as part of protocol give client arbitrary console command.
Of these, at least "map blahblah_bigger_than_64_chars" will cause a
buffer/stack overrun.

Scarily, at least 1) and 3) are still present in _latest_ quakeI client,
1.09, and will be cross-platform execute-arbitrary-code problems.

When will people learn to take especial care in parsing responses from
potentially malicious remote servers. (lynx, ncftp.. etc.)


  By Date           By Thread  

Current thread:
  • QuakeI client: serious holes. Chris Evans (Apr 08)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]