Remote Quake Server CVAR Leak

Discussion in 'other security issues & news' started by Paul Wilders, Jun 4, 2002.

Thread Status:
Not open for further replies.
  1. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,475
    Location:
    The Netherlands
    Summary

    A security vulnerability in Quake II servers allows a remote attacker to gain sensitive information on the remote Quake server by sending it "unprocessed" CVARs causing them to be replaced by the server with their appropriate values.


    Details

    Vulnerable systems:
    Quake II Server versions 3.20 and 3.21

    A problem exists in the Quake II server for any OS discovered by 'Redix' that allows server CVARs containing sensitive information to be leaked. By using a modified client that does not locally expand "$" macros, it is possible to send a command such as 'say $rcon_password' to the server. This will then be expanded to reveal the servers rcon password, which can be used to do further attacks, not least of which include viewing the directory structure of the machine via 'rcon dir' and being able to execute any q2 server commands, some of which produce file output.

    -----

    source: securiteam
     
    Paul Wilders, Jun 4, 2002
    #1
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...