Bugtraq mailing list archives

Re: Quake 2 Linux 3.13 (and lower) allow users to read arbitrary

From: fluffy () DUNADAN COM (William T Wilson)
Date: Wed, 25 Feb 1998 14:52:15 -0500


On Wed, 25 Feb 1998 kevingeo () CRUZIO COM wrote:

Vulnerable:
Everyone who followed the installation instructions and made Quake2 setuid
root.


To the best of my knowledge, Quake2 suffers from the same bug that squake
suffers from.  You can use the -gamedir option (or its quake 2 equivalent)
to make squake cough up a root shell using a standard buffer overflow
exploit.  I don't believe Zoid altered this for quake 2.  I don't think he
cares about security at all.

I wouldn't install anything of Zoid's setuid root without making it
group-owned by a trusted group and mode 4750.

This new exploit of yours even allows you to do evil things with Zoidware
even if it is installed with a wrapper.  :\  (Unless you want to make your
wrapper check all the file permissions too)

Current thread:

/usr/dt/bin/dtappgather exploit Mastoras (Feb 23)
- Re: /usr/dt/bin/dtappgather exploit J.A. Gutierrez (Feb 24)
- AOL Instant Messanger Bug Aleph One (Feb 24)
- Quake 2 Linux 3.13 (and lower) allow users to read arbitrary files kevingeo () CRUZIO COM (Feb 25)
  - Re: Quake 2 Linux 3.13 (and lower) allow users to read arbitrary William T Wilson (Feb 25)
- Quake 2 Linux 3.13 - ref_root.so still works kevingeo () CRUZIO COM (Feb 25)
- <Possible follow-ups>
- Re: /usr/dt/bin/dtappgather exploit Steven Goldberg - SE - Seattle WA (Feb 25)
  - Re: /usr/dt/bin/dtappgather exploit J.A. Gutierrez (Feb 25)