Quake II Game Server May Disclose Sensitive Information, Including Passwords, to Remote Users
SecurityTracker Alert ID: 1004322
SecurityTracker URL: http://securitytracker.com/id/1004322
CVE Reference: GENERIC-MAP-NOMATCH
Date: May 17 2002
Impact:
Disclosure of authentication information, Disclosure of user information
Exploit Included: Yes
Version(s): Quake II Server; 3.20, 3.21
Description:
An information disclosure vulnerability was reported in Quake II. A remote user can send specially crafted commands to the server to cause the server to disclose potentially sensitive information.
It is reported that a remote user with a modified client can send commands containing '$' macro references to the server, which then expands them, replacing each macro with the value of the corresponding server-side cvar. This may result in the server disclosing the contents of arbitrary user-specified cvars. A demonstration exploit command is provided:
'say $rcon_password'
This will cause the server to disclose the rcon password. In this particular example, a remote user with the rcon password could view the directory structure on the target host and could execute any q2 server commands.
This bug was reportedly discovered by 'Redix'. See the original message for more information:
http://www.quakesrc.org/forum/topicDisplay.php?topicID=160
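To illustrate the cause the advisory names (console macro expansion applied to text that arrived from a client), here is an added C sketch; it is not id Software's code, and the cvar table, the placeholder password value and the two say handlers are constructed for this example. It shows the vulnerable expansion beside a hardened handler that treats client text as opaque data.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed cvar table standing in for the server's cvar list. */
typedef struct { const char *name; const char *value; } cvar_t;
static const cvar_t cvars[] = {
    { "hostname",      "example q2 server" },
    { "rcon_password", "CONSTRUCTED-SECRET" }, /* placeholder, not a real password */
};
#define NCVARS (sizeof cvars / sizeof cvars[0])

static const char *cvar_lookup(const char *name, size_t len) {
    for (size_t i = 0; i < NCVARS; i++)
        if (strlen(cvars[i].name) == len && strncmp(cvars[i].name, name, len) == 0)
            return cvars[i].value;
    return ""; /* an unknown cvar expands to nothing */
}

/* Replace every "$name" in 'in' with that cvar's value. This models the
 * console macro expansion that the advisory says the server also applied
 * to client-supplied text. Output is truncated to fit 'outsz'. */
void expand_macros(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    while (*in && o + 1 < outsz) {
        if (*in == '$' && (isalnum((unsigned char)in[1]) || in[1] == '_')) {
            const char *start = ++in;
            while (isalnum((unsigned char)*in) || *in == '_') in++;
            const char *val = cvar_lookup(start, (size_t)(in - start));
            size_t n = strlen(val);
            if (n > outsz - 1 - o) n = outsz - 1 - o;
            memcpy(out + o, val, n);
            o += n;
        } else {
            out[o++] = *in++;
        }
    }
    out[o] = '\0';
}

/* Vulnerable handler: network-supplied text goes through macro expansion. */
void say_vulnerable(const char *text, char *out, size_t outsz) {
    expand_macros(text, out, outsz);
}

/* Hardened handler: client text is never expanded; '$' expansion stays
 * reserved for the operator's own console input. */
void say_hardened(const char *text, char *out, size_t outsz) {
    snprintf(out, outsz, "%s", text);
}
```

With the constructed table, `say_vulnerable("say $rcon_password", ...)` yields the placeholder secret while `say_hardened` leaves the `$rcon_password` token as literal chat text.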
Impact:
A remote user can cause the server to disclose user-specified cvars. These may include sensitive contents, including passwords.
Solution:
No solution was available at the time of this entry.
Vendor URL: www.idsoftware.com/
Cause:
Input validation error
Underlying OS:
Windows (Any)
Message History:
None.
Source Message Contents
Date: Tue, 14 May 2002 03:48:05 +0100
Subject: Remote quake 2 3.2x server cvar leak
Hello,
A problem exists in the Quake II Server for any OS (probably all versions;
tested 3.20 and 3.21) discovered by 'Redix' that allows server cvars
containing sensitive information to be leaked. This has been known for a
little over 2 months; I run several Q2 servers and only learned of it today,
which is why I decided to post to bugtraq. By using a modified client which
does not locally expand "$" macros, it is possible to send a command such as
'say $rcon_password' to the server. This will then be expanded to reveal the
server's rcon password, which can be used to do further attacks, not least of
which include viewing the directory structure of the machine via 'rcon dir'
and being able to execute any q2 server commands, some of which produce file
output.
http://www.aq2tng.barrysworld.net/ has details of the affected line of
source as well as patched binaries for Win32 and linux. The original thread
in which this is discussed can be found at
http://www.quakesrc.org/forum/topicDisplay.php?topicID=160.
Richard Stanway
http://www.r1ch.net/