Bugtraq mailing list archives
QW vulnerability
From: glennm () MEDIAONE NET (Glenn F. Maynard)
Date: Tue, 7 Apr 1998 19:42:09 -0400
On the same note, QuakeWorld v2.10 (latest) is overflowable in the initial
"connect" sequence. The first client->server packet gives the user name,
colors, etc:

0xFF,0xFF,0xFF,0xFF followed by (plaintext) -> connect "\name\Glenn\key\data"

There is no bounds checking on this connect; netcatting the following will
crash the server (although segfault appears trapped; no message is displayed,
and no core is left):

'    connect "\x\xxxxxxxxxxxxxxxxxx'

(repeat "x" as needed; replace the first 4 spaces with 0xFF).

I've done no actual testing on the buffer length, and my assembler skills are
not enough to give an example exploit.

FTR, I've mailed Zoid (current maintainer of QW) multiple times about this
(and told him once on IRC); not once have I received a reply.

- Glenn F. Maynard
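Added example, not from the post above or from the QuakeWorld sources: a bounds-checked parser for the connectionless "connect" packet as the post lays it out (four 0xFF bytes, then plaintext `connect "<userinfo>"`). The `MAX_USERINFO` size, the result codes and the function name are assumptions for illustration; the point is that an over-long userinfo is rejected instead of being copied into a fixed buffer.

```c
/* Added example (not QW's own code): parse the QW-style connectionless
 * "connect" packet described in the post, refusing userinfo strings that
 * would not fit the server-side buffer. MAX_USERINFO is an assumed size. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_USERINFO 64   /* assumed fixed buffer size on the server */

/* Parser result codes (assumed names for this example). */
enum { CONNECT_OK = 0, CONNECT_BAD_HEADER = 1, CONNECT_NOT_CONNECT = 2,
       CONNECT_TOO_LONG = 3, CONNECT_UNTERMINATED = 4 };

/* Copy the quoted userinfo of a connect packet into a fixed-size buffer.
 * Returns CONNECT_OK on success, otherwise one of the error codes above;
 * userinfo is left empty on any error. */
int parse_connect(const unsigned char *pkt, size_t len,
                  char userinfo[MAX_USERINFO])
{
    const char prefix[] = "connect \"";
    const size_t plen = strlen(prefix);
    size_t i, n;

    userinfo[0] = '\0';

    /* Connectionless packets start with 0xFF 0xFF 0xFF 0xFF. */
    if (len < 4 || memcmp(pkt, "\xff\xff\xff\xff", 4) != 0)
        return CONNECT_BAD_HEADER;
    /* Then the plaintext command followed by the opening quote. */
    if (len < 4 + plen || memcmp(pkt + 4, prefix, plen) != 0)
        return CONNECT_NOT_CONNECT;

    /* Copy up to the closing quote, never past the buffer. */
    for (i = 4 + plen, n = 0; i < len && pkt[i] != '"'; i++, n++) {
        if (n + 1 >= MAX_USERINFO) {   /* keep room for the terminator */
            userinfo[0] = '\0';
            return CONNECT_TOO_LONG;   /* the length check the post reports missing */
        }
        userinfo[n] = (char)pkt[i];
    }
    if (i >= len) {                    /* ran out of packet before the quote */
        userinfo[0] = '\0';
        return CONNECT_UNTERMINATED;
    }
    userinfo[n] = '\0';
    return CONNECT_OK;
}
```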