OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Richard Stanway (bugtraqr1ch.net)
Date: Mon May 13 2002 - 21:48:05 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Hello,
    A problem exists in the Quake II Server for any OS (probably all versions;
    tested 3.20 and 3.21) discovered by 'Redix' that allows server cvars
    containing sensitve information to be leaked. This has been known for a
    little over 2 months, I run several Q2 servers and only learned of it today
    which is why I decided to post to bugtraq. By using a modified client which
    does not locally expand "$" macros, it is possible to send a command such as
    'say $rcon_password' to the server. This will then be expanded to reveal the
    servers rcon password, which can be used to do further attacks, not least of
    which include viewing the directory structure of the machine via 'rcon dir'
    and being able to execute any q2 server commands, some of which produce file
    output.

    http://www.aq2tng.barrysworld.net/ has details of the affected line of
    source as well as patched binaries for Win32 and linux. The original thread
    in which this is discussed can be found at
    http://www.quakesrc.org/forum/topicDisplay.php?topicID=160.

    Richard Stanway
    http://www.r1ch.net/