Date: Tue, 14 May 2002 03:48:05 +0100
From: Richard Stanway <[email protected]>
To: [email protected]Subject: Remote quake 2 3.2x server cvar leak
Hello,
A problem exists in the Quake II Server for any OS (probably all versions;
tested 3.20 and 3.21) discovered by 'Redix' that allows server cvars
containing sensitve information to be leaked. This has been known for a
little over 2 months, I run several Q2 servers and only learned of it today
which is why I decided to post to bugtraq. By using a modified client which
does not locally expand "$" macros, it is possible to send a command such as
'say $rcon_password' to the server. This will then be expanded to reveal the
servers rcon password, which can be used to do further attacks, not least of
which include viewing the directory structure of the machine via 'rcon dir'
and being able to execute any q2 server commands, some of which produce file
output.
http://www.aq2tng.barrysworld.net/ has details of the affected line of
source as well as patched binaries for Win32 and linux. The original thread
in which this is discussed can be found at
http://www.quakesrc.org/forum/topicDisplay.php?topicID=160.
Richard Stanway
http://www.r1ch.net/
