Remote Quake Server CVAR Leak

Discussion in 'other security issues & news' started by Paul Wilders, Jun 4, 2002.

Thread Status:
Not open for further replies.
  1. Paul Wilders

    Paul Wilders Administrator

    Jul 1, 2001
    The Netherlands

    A security vulnerability in Quake II servers allows a remote attacker to gain sensitive information on the remote Quake server by sending it "unprocessed" CVARs causing them to be replaced by the server with their appropriate values.


    Vulnerable systems:
    Quake II Server versions 3.20 and 3.21

    A problem exists in the Quake II server for any OS discovered by 'Redix' that allows server CVARs containing sensitive information to be leaked. By using a modified client that does not locally expand "$" macros, it is possible to send a command such as 'say $rcon_password' to the server. This will then be expanded to reveal the servers rcon password, which can be used to do further attacks, not least of which include viewing the directory structure of the machine via 'rcon dir' and being able to execute any q2 server commands, some of which produce file output.


    source: securiteam
Thread Status:
Not open for further replies.