
List:       oss-security
Subject:    [oss-security] RE: CVE Request -- Quake II Server -- two security issues affecting also Alien Arena
From:       "Richard Stanway" <r.stanway () gmail ! com>
Date:       2010-03-29 17:11:32
Message-ID: AB049C24AA5940DABEC6E22FD52675B8 () r1

Hello,

>    -------------
> 
>    B, "Server-side cvar expansion:
>        By passing an unexpanded string containing $macros to the
>        server, the server will expand it using its cvars. This can
>        be used to leak sensitive information such as the 
> rcon_password cvar."
> 
>    Proposed patch: N/A
>    ---------------
> 
>    Richard, is there a patch for this issue yet?

I am unfamiliar with Alien Arena, but in the original Quake II engine code,
this bug is in the sv_user.c SV_ExecuteUserCommand function.

The following line is incorrect:

	Cmd_TokenizeString (s, true);

The 'true' specifies that the server should expand $macros in the string,
this is what allows the client to see the values of server-side cvars. The
fix is simply to change true to false:

	Cmd_TokenizeString (s, false);

In the same function, you should also verify that the string 's' does not
contain any 0xFF bytes, as if these are sent over the net to other clients,
it will cause them to think the server message has ended prematurely and
disconnect from the server.

The list of Quake II engine bugs posted on the QuakeDev forums is not 100%
complete unfortunately, especially as it only lists server exploits. There
are numerous issues with the client code that a malicious server could
exploit to cause buffer overflows with arbitrary code execution. I would
recommend you download my R1Q2 engine source from
http://www.r1ch.net/stuff/r1q2/src/ and grep for any "//r1" comments as all
the security fixes are documented in the source.

Regards,

Rich.
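Added example (not Quake II, Alien Arena or R1Q2 code): a small stand-in for the macro-expansion step of Cmd_TokenizeString, showing how the 'true'/'false' flag decides whether a client-supplied "$rcon_password" is replaced with the server's cvar value, together with the 0xFF check the mail recommends. The cvar table, the cvar values and every demo_* function name are constructed for this illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the server's cvar table (not real values). */
typedef struct { const char *name; const char *value; } demo_cvar_t;

static const demo_cvar_t demo_cvars[] = {
    { "hostname",      "demo server" },
    { "rcon_password", "SECRET-PLACEHOLDER" },  /* placeholder, not a real password */
};

static const char *demo_cvar_lookup(const char *name, size_t len) {
    for (size_t i = 0; i < sizeof demo_cvars / sizeof demo_cvars[0]; i++)
        if (strlen(demo_cvars[i].name) == len &&
            memcmp(demo_cvars[i].name, name, len) == 0)
            return demo_cvars[i].value;
    return "";  /* unknown cvars expand to an empty string, as in Quake II */
}

/* Simplified model of the expansion step: copies `in` to `out`, replacing
   $name with the cvar's value only when `expand` is true.  Returns the
   number of bytes written (excluding the NUL), or -1 if `out` is too small. */
int demo_expand_macros(const char *in, bool expand, char *out, size_t outsz) {
    size_t o = 0;
    const char *p = in;
    while (*p) {
        if (expand && *p == '$') {
            const char *start = ++p;
            while (*p && (*p == '_' || isalnum((unsigned char)*p)))
                p++;
            const char *val = demo_cvar_lookup(start, (size_t)(p - start));
            size_t vlen = strlen(val);
            if (o + vlen >= outsz) return -1;
            memcpy(out + o, val, vlen);
            o += vlen;
        } else {
            if (o + 1 >= outsz) return -1;
            out[o++] = *p++;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* The second check from the mail: a 0xFF byte inside a relayed command
   string makes receiving clients believe the server message has ended. */
bool demo_has_0xff(const char *s) {
    for (const unsigned char *p = (const unsigned char *)s; *p; p++)
        if (*p == 0xFF) return true;
    return false;
}

/* Server-side handling of a client command: reject strings carrying 0xFF
   and tokenize with expansion disabled ('false'), i.e. the fix described
   above.  Returns false when the command should be dropped. */
bool demo_process_user_command(const char *s, char *out, size_t outsz) {
    if (demo_has_0xff(s))
        return false;
    return demo_expand_macros(s, false, out, outsz) >= 0;
}
```

With `expand` set to true, "say $rcon_password" comes back as "say SECRET-PLACEHOLDER", which is exactly the leak the advisory describes; with false it stays literal, and any string containing 0xFF is dropped before it can be relayed to other clients.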
