Bugtraq mailing list archives
QuakeI server serious hole (yawn)
From: chris () ferret lmh ox ac uk (Chris Evans)
Date: Mon, 6 Apr 1998 23:38:42 +0100
Hi,

Latest in the series of "Quake security holes". I hope this is (publicly) new info at least.

First let me note ID appear to be aware of the hole, as it appears to be fixed in server 1.07+. 1.06 appears vulnerable.

You can do better than DoS with this one; you can compromise the account the server is running under. In the case of NT servers, this probably means complete compromise.

Basically, it appears that the message string given in a "tell" command is stuffed into a buffer on the stack with no bounds checking. Tests seem to show this buffer at 64 bytes (to the nearest power of two).

i.e., log onto your favourite quake server, at the console type

tell noone sdfhkajsdhfkjasdhfkjsahdfkjfkjasdhf <- fill up the line with some crap

*CRASH*

Better upgrade... if I'm bored one day I'll write an exploit.

NOTE. The average NT server appears to be running vulnerable versions. On Linux v1.07 is _much_ more common.

I've got some more quakeI holes coming up soon...

Chris
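The bug class the post describes, shown as an added example that is not part of the original message and is not id Software's code: a chat handler that assembles "<sender>: <message>\n" in a fixed 64-byte stack buffer with no length check, beside a hardened version that truncates to the room actually left. The function names, the line format, the sample message and the fact that the sender name is prepended are assumptions made for the illustration; the post only states that the "tell" message lands in a stack buffer of about 64 bytes with no bounds checking.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added illustration of the bug class the post describes.  This is NOT
 * Quake's source; the function names, the "<sender>: <msg>\n" format and
 * the sample inputs are assumptions made for the example.
 */

#define TELL_BUF 64          /* buffer size the post estimates for "tell" */

/* Constructed sample input: a 70-byte message, well over the buffer. */
static const char SAMPLE_LONG_MSG[] =
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA";

/* Bytes the unchecked handler tries to write: sender, ": ", msg, '\n', NUL. */
size_t tell_needed(const char *sender, const char *msg)
{
    return strlen(sender) + 2 + strlen(msg) + 1 + 1;
}

/* Predicts whether the unchecked handler would run past its buffer. */
int tell_overflows(const char *sender, const char *msg)
{
    return tell_needed(sender, msg) > TELL_BUF;
}

/*
 * Vulnerable shape: the attacker-controlled msg is appended with no
 * length check.  Whenever tell_overflows() is true, the strcat() below
 * writes past text[] into whatever sits above it in the frame (saved
 * registers, return address).  That is undefined behaviour and the crash
 * the post reports.  Only call it with input that fits.
 */
size_t tell_unchecked(const char *sender, const char *msg, char *copy_out)
{
    char text[TELL_BUF];

    strcpy(text, sender);
    strcat(text, ": ");
    strcat(text, msg);          /* no bounds check: overflow point */
    strcat(text, "\n");
    if (copy_out)
        strcpy(copy_out, text);
    return strlen(text);
}

/*
 * Hardened shape: truncate msg to the room actually left, always keeping
 * one byte for '\n' and one for the NUL.  Returns the length of the line
 * built, which is at most TELL_BUF - 1.
 */
size_t tell_checked(const char *sender, const char *msg,
                    char *copy_out, size_t out_size)
{
    char text[TELL_BUF];
    size_t used, room, mlen;

    /* sender is server-side data, but bound it anyway */
    snprintf(text, sizeof text, "%s: ", sender);
    used = strlen(text);
    if (used > sizeof text - 2)      /* keep space for '\n' and NUL */
        used = sizeof text - 2;

    room = sizeof text - 2 - used;   /* bytes of msg that still fit */
    mlen = strlen(msg);
    if (mlen > room)
        mlen = room;                 /* truncate instead of overflowing */

    memcpy(text + used, msg, mlen);
    used += mlen;
    text[used++] = '\n';
    text[used] = '\0';

    if (copy_out)
        snprintf(copy_out, out_size, "%s", text);
    return used;
}

int main(void)
{
    char line[TELL_BUF];

    printf("short message needs %zu bytes, overflows=%d\n",
           tell_needed("player", "hi"), tell_overflows("player", "hi"));
    printf("long message needs %zu bytes, overflows=%d\n",
           tell_needed("player", SAMPLE_LONG_MSG),
           tell_overflows("player", SAMPLE_LONG_MSG));

    /* The checked handler survives the long message by truncating it. */
    tell_checked("player", SAMPLE_LONG_MSG, line, sizeof line);
    printf("checked handler built %zu bytes: %s", strlen(line), line);
    return 0;
}
```

The point of tell_needed() is that the overflow condition is fully determined by input length, which is why a console line of junk is enough to trigger it; the hardened handler makes the same arithmetic explicit before copying, so the worst an over-long message can do is get cut short.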