[Full-disclosure] Re: Files and cvars overwriting in Quake 3 engine (1.32c / rev 803 / ...)

A small correction:

The cd-key stealing is not possible since the master server address is
built-in in the client code.
Sorry for this wrong info, I added it almost two weeks ago while taking
note of the possible ways for exploitating these bugs and forgot to
recheck this method.

I have updated the proof-of-concept simply adding the cl_allowdownload
cvar, so is no longer needed to enable "Automatic Downloading" on the
client since any client with this option disabled or enabled will start
to overwrite any file in the system decided by the server of the attacker
which has full control over the client's cvars (those write protected
too, just like fs_homepath).

As already said the PoC is very very basic, relaunch the server or
change map if you want to re-overwrite the same file on the same client
(useless info, I tell you only in case you are not able to re-overwrite
the same file during the same server session and don't know why).


Luigi Auriemma

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages

  • Re: What doesnt lend itself to OO?
    ... >> proxy and instructs the server to constuct the real object. ... rather than client code. ... If 'clock' is instantiated in the server, ... > for the server interface at the OOA level. ...
  • Re: More Get-IPlayer Questions
    ... to use with mutt mail client. ... antinat - 0.90-4 - Antinat is a flexible SOCKS server and client ... protocol for Sybase or MS SQL Server. ... ifstat - 1.1-1 - InterFace STATistics Monitoring ...
  • This is going straight to the pool room
    ... or not the client has privilege to do what they're trying to do, ... The server environment is this: ... 3GL User action Routines that Tier3 will execute on your behalf during the ... Routine Name: USER_INIT ...
  • [Full-Disclosure] R: Full-Disclosure Digest, Vol 3, Issue 42
    ... Full-Disclosure Digest, Vol 3, Issue 42 ... SD Server 4.0.70 Directory Traversal Bug ... Arkeia Network Backup Client Remote Access ...
  • Re: What doesnt lend itself to OO?
    ... > rather than client code. ... no way to do that without also touching the object with clock semantics ... will not encapsulate both clock semantics and network semantics. ... The server can do whatever it wants ...