Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Game)  >   Quake Vendors:   id Software, Inc.
Quake II Game Server May Disclose Sensitive Information, Including Passwords, to Remote Users
SecurityTracker Alert ID:  1004322
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 17 2002
Impact:   Disclosure of authentication information, Disclosure of user information
Exploit Included:  Yes  
Version(s): Quake II Server; 3.20, 3.21
Description:   An information disclosure vulnerability was reported in Quake II. A remote user can send specially crafted commands to the server to cause the server to disclose potentially sensitive information.

It is reported that a remote user with a modified client can send commands containing '$' macro characters to the server to cause the server to attempt to expand the command, replacing the macro items with their server values. This may result in the server disclosing the contents of arbitrary user-specified cvars. A demonstration exploit command is provided:

'say $rcon_password'

This will cause the server to disclose the rcon password. In this particular example, a remote user with the rcon password could view the directory structure on the target host and could execute any q2 server commands.

This bug was reportedly discovered by 'Redix'. See the original message for more information:

Impact:   A remote user can cause the server to disclose user-specified cvars. These may include sensitive contents, including passwords.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  Remote quake 2 3.2x server cvar leak

A problem exists in the Quake II Server for any OS (probably all versions;
tested 3.20 and 3.21) discovered by 'Redix' that allows server cvars
containing sensitve information to be leaked. This has been known for a
little over 2 months, I run several Q2 servers and only learned of it today
which is why I decided to post to bugtraq. By using a modified client which
does not locally expand "$" macros, it is possible to send a command such as
'say $rcon_password' to the server. This will then be expanded to reveal the
servers rcon password, which can be used to do further attacks, not least of
which include viewing the directory structure of the machine via 'rcon dir'
and being able to execute any q2 server commands, some of which produce file
output. has details of the affected line of
source as well as patched binaries for Win32 and linux. The original thread
in which this is discussed can be found at

Richard Stanway


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, LLC