QuakeDev Forums -> Engines -> Quake2 Engine/DLL -> Articles
Topic: List of vulnerabilities in Quake II 3.20 (Server) by R1CH (Read 3431 times)
Author: R1CH, Administrator (Posts: 31)

List of vulnerabilities in Quake II 3.20 (Server) by R1CH
« on: March 11, 2005, 07:17:46 PM »

Name: Server-side cvar expansion
Severity: High
Details: By passing an unexpanded string containing $macros to the server, the server will expand it using its cvars. This can be used to leak sensitive information such as the rcon_password cvar.
Example exploit: At the client console: "say $rcon_password"

Name: Multiple auto downloading DoS conditions
Severity: Medium
Details: By supplying various invalid parameters to the download command, it is possible to cause a DoS condition by causing the server to crash. A path ending in . or / will crash on Linux. Supplying a negative offset will cause a crash on all platforms.
Example exploit: At the client console: cmd download maps/

Name: cmd_args buffer overflow
Severity: High
Details: The tokenizing function that splits up a string fails to check the length of a string before copying it into a 1024 byte buffer. An attacker can supply a long string that will cause a buffer overflow condition, overwriting the command function pointer table, allowing for a pointer overwrite into arbitrary code.
Example exploit: Not available.

Name: Cbuf_Execute buffer overflow
Severity: Medium
Details: The command buffer allows up to 8192 bytes of pending commands. When a command is executed, it is copied from the command buffer to a new buffer of 1024 bytes on the stack. No length checking is performed before the copy, allowing for a buffer overflow. Arbitrary code execution is confirmed possible. This is not as high a risk, as there is no way for a client to manipulate the command buffer remotely other than through rcon.
Example exploit: Not available.

Name: configstrings/baselines DoS
Severity: Medium
Details: By supplying a negative index to the configstrings or baselines command, the Quake II server will access invalid memory and crash.
Example exploit: At the client console, during the connection process: cmd baselines x -1000000 (x being the servercount variable)

Name: Fake clients DoS
Severity: Medium
Details: The Quake II server does not limit the number of connections from a single IP. Since only 2 packets are required to initiate a connection that will by default take two minutes to time out, it is possible to attack the server by sending multiple requests and filling up all available player slots.
Example exploit: See http://aluigi.altervista.org/fakep.htm

Name: Auto downloading file leakage (Win32)
Severity: High
Details: The download command does not properly validate a path. Due to the nature of Win32 paths, it is possible to subvert the check that requires a file to come from a subdirectory, allowing download of sensitive files such as server.cfg or qconsole.log.
Example exploit: At the client console: download \/server.cfg

Name: Arbitrary filesystem browsing
Severity: High
Details: The "link" console command permits the dangerous creation of links containing paths outside of the Quake II tree. A client with the rcon_password, perhaps gained from one of the above exploits, is able to browse and download any file on the host machine.
Example exploit: At the client console:
  rcon link foo /etc
  download foo/passwd

Name: Client state structure damage
Severity: Medium
Details: When a player reconnects to the Quake II server, it will try to find an existing slot. However, if such a slot exists, it is not properly checked to see if the client has properly disconnected, resulting in an overwrite of old client state. This may have a negative impact depending on the mod.
Example exploit: Not available.

Name: Console command buffer overflows
Severity: High
Details: Many console commands issued from the console or rcon are susceptible to buffer overflows. If an unauthorised user has access to the rcon_password, perhaps through one of the above exploits, it may be possible to execute arbitrary code.
Example exploit: Not available.

Name: Spoofed 'info' query attack
Severity: High
Details: The 'info' connectionless packet command replies with the string 'info hostname: wrong version' if the client sends an invalid version number. By spoofing the source address of the UDP packet, it is possible to cause two servers to get into an infinite loop sending and receiving info packets to each other, consuming CPU and network resources.
Example exploit: Not available.

Name: Localhost source address DoS (Win32)
Severity: Medium
Details: By spoofing a source address of the local machine, it is possible to cause a server to get into an infinite loop sending and receiving packets to itself, consuming 100% CPU time.
Example exploit: Not available.

Name: 'begin' respawn cheat/exploit
Severity: Low
Details: By recording and using the servercount variable, a client can issue multiple 'begin' commands. This has the effect of respawning the player as if they had just entered the game, usually including a line of text.
Example exploit: Not available.

Name: 'info' command output bug
Severity: Low
Details: The client "info" command incorrectly sends output to the server console instead of to the client. This can be used by the client to fill the server console and log files with useless information.
Example exploit: At the client console: info

All the above vulnerabilities are fixed in the R1Q2 engine modification. See http://www.r1ch.net/stuff/r1q2/.
« Last Edit: August 20, 2005, 02:39:04 AM by Echon »
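The path and offset checks that the "Multiple auto downloading DoS conditions" and "Auto downloading file leakage (Win32)" entries call for, written out as an added example; this is not code from Quake II 3.20 or from R1Q2. validate_download, parse_offset and the dl_reject_t enum are names chosen here. It goes a little beyond the post: besides refusing a leading "/", a ".." component, a trailing "." or "/", a file outside a subdirectory and a negative offset, it refuses backslashes and colons on every host, so the Win32 separator trick is closed regardless of the OS the server runs on.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Why a request was refused, so the server log can name the rule that fired. */
typedef enum {
    DL_OK = 0,
    DL_EMPTY,         /* no file name */
    DL_BAD_CHAR,      /* backslash, colon, empty component or non-printable byte */
    DL_ABSOLUTE,      /* leading '/' */
    DL_DOT_COMPONENT, /* "." or ".." path component */
    DL_NO_SUBDIR,     /* must come from a subdirectory, e.g. maps/x.bsp */
    DL_BAD_TAIL,      /* ends in '.' or '/': a directory, never a file */
    DL_BAD_OFFSET     /* negative, non-numeric or out-of-range resume offset */
} dl_reject_t;

/* Parse the resume offset as an unsigned decimal number only. atoi() would
   accept "-1000000" without complaint; this rejects any sign at all. */
static bool parse_offset(const char *s, long *out)
{
    char *end;
    if (s == NULL || !isdigit((unsigned char)s[0]))
        return false;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0')
        return false;
    *out = v;
    return true;
}

dl_reject_t validate_download(const char *name, const char *offset_arg)
{
    if (name == NULL || name[0] == '\0')
        return DL_EMPTY;
    size_t n = strlen(name);

    /* Conservative character set, checked before anything else. Refusing '\\'
       on every host closes the Win32 separator trick ("\/server.cfg"); ':'
       closes drive-letter paths. Both are stricter than the original checks. */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '\\' || c == ':' || !isprint(c))
            return DL_BAD_CHAR;
    }
    if (name[0] == '/')
        return DL_ABSOLUTE;
    if (name[n - 1] == '/' || name[n - 1] == '.')
        return DL_BAD_TAIL;

    /* Walk the '/'-separated components rather than relying on strstr(name, ".."). */
    bool saw_subdir = false;
    for (const char *p = name; ; ) {
        const char *q = strchr(p, '/');
        size_t len = q ? (size_t)(q - p) : strlen(p);
        if (len == 0)
            return DL_BAD_CHAR;                     /* "maps//x.bsp" */
        if ((len == 1 && p[0] == '.') || (len == 2 && p[0] == '.' && p[1] == '.'))
            return DL_DOT_COMPONENT;
        if (q == NULL)
            break;
        saw_subdir = true;
        p = q + 1;
    }
    if (!saw_subdir)
        return DL_NO_SUBDIR;

    long off;
    if (!parse_offset(offset_arg ? offset_arg : "0", &off))
        return DL_BAD_OFFSET;
    return DL_OK;
}

int main(void)
{
    /* Constructed requests mirroring the post's examples. */
    const char *cases[][2] = {
        { "maps/q2dm1.bsp", "0" },       /* legitimate */
        { "maps/", "0" },                /* directory tail: Linux crash */
        { "maps/q2dm1.bsp", "-1" },      /* negative offset: crash everywhere */
        { "\\/server.cfg", "0" },        /* Win32 separator trick */
        { "maps/../server.cfg", "0" },
        { "server.cfg", "0" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-22s offset=%-3s -> %d\n", cases[i][0], cases[i][1],
               (int)validate_download(cases[i][0], cases[i][1]));
    return 0;
}
```

The enum is returned rather than a bare boolean so that a refused request can be logged with the rule it broke; a run of DL_BAD_CHAR or DL_BAD_OFFSET refusals from one address is exactly the signal an operator would want in qconsole.log.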
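A length-checked tokenizer of the kind the "cmd_args buffer overflow" entry asks for, as an added example; it is not the Quake II or R1Q2 tokenizer. cmd_tokenize_bounded, cmd_t, the tokenize_* wrappers and long_line are names chosen here; the three limits are the values Quake II itself uses (MAX_STRING_CHARS 1024, MAX_STRING_TOKENS 80, MAX_TOKEN_CHARS 128). The design choice is to refuse an over-long line or token outright rather than truncate it.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Limits as Quake II defines them; MAX_STRING_CHARS is the 1024-byte
   cmd_args buffer the post says is filled without a length check. */
#define MAX_STRING_CHARS  1024
#define MAX_STRING_TOKENS 80
#define MAX_TOKEN_CHARS   128

typedef struct {
    int  argc;
    char argv[MAX_STRING_TOKENS][MAX_TOKEN_CHARS];
    char args[MAX_STRING_CHARS];   /* text after argv[0], what Cmd_Args() hands out */
} cmd_t;

/* Tokenize one command line into cmd. Returns false and leaves cmd empty if
   the line or any token exceeds a limit. Refusing beats silently truncating:
   a line cut short could turn into a different, valid command. */
bool cmd_tokenize_bounded(cmd_t *cmd, const char *text)
{
    memset(cmd, 0, sizeof *cmd);
    if (text == NULL || strlen(text) >= MAX_STRING_CHARS)
        return false;                               /* the whole line must fit */

    const char *p = text;
    while (*p) {
        while (*p && isspace((unsigned char)*p))
            p++;
        if (*p == '\0')
            break;

        if (cmd->argc == 1) {
            /* Everything from the second token on is cmd_args. The bound above
               guarantees strlen(p) < sizeof cmd->args, so the copy is in range;
               trailing whitespace is trimmed. */
            size_t n = strlen(p);
            while (n > 0 && isspace((unsigned char)p[n - 1]))
                n--;
            memcpy(cmd->args, p, n);
            cmd->args[n] = '\0';
        }
        if (cmd->argc >= MAX_STRING_TOKENS)
            goto reject;

        char  *out = cmd->argv[cmd->argc];
        size_t o   = 0;
        if (*p == '"') {                            /* quoted token keeps its spaces */
            p++;
            while (*p && *p != '"') {
                if (o + 1 >= MAX_TOKEN_CHARS)
                    goto reject;
                out[o++] = *p++;
            }
            if (*p == '"')
                p++;
        } else {
            while (*p && !isspace((unsigned char)*p)) {
                if (o + 1 >= MAX_TOKEN_CHARS)
                    goto reject;
                out[o++] = *p++;
            }
        }
        out[o] = '\0';
        cmd->argc++;
    }
    return true;

reject:
    memset(cmd, 0, sizeof *cmd);
    return false;
}

/* Small wrappers over one static cmd_t for quick checks and the demo below. */
static cmd_t g_cmd;
int tokenize_argc(const char *text)
{
    return cmd_tokenize_bounded(&g_cmd, text) ? g_cmd.argc : -1;
}
const char *tokenize_argv(int i) { return g_cmd.argv[i]; }
const char *tokenize_args(void)  { return g_cmd.args; }

/* Constructed oversized input: n copies of 'A'. */
const char *long_line(size_t n)
{
    static char buf[4096];
    if (n >= sizeof buf)
        n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    printf("argc=%d args=\"%s\"\n", tokenize_argc("say hello world"), tokenize_args());
    printf("argc=%d (2000-byte line)\n", tokenize_argc(long_line(2000)));
    printf("argc=%d (200-byte token)\n", tokenize_argc(long_line(200)));
    return 0;
}
```

Because the line-length check runs before any copy, the fixed-size args buffer can never be overrun, and the per-token bound means a single long word cannot spill past an argv slot either; both are the conditions the overflow in the post depends on.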