[NEWS] Remote Quake Server CVAR Leak
From: support@securiteam.com
Date: 06/03/02
From: support@securiteam.com To: list@securiteam.com Date: Mon, 3 Jun 2002 08:35:18 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Remote Quake Server CVAR Leak
------------------------------------------------------------------------
SUMMARY
A security vulnerability in Quake II servers allows a remote attacker to
gain sensitive information on the remote Quake server by sending it
"unprocessed" CVARs causing them to be replaced by the server with their
appropriate values.
DETAILS
Vulnerable systems:
Quake II Server versions 3.20 and 3.21
A problem, discovered by 'Redix', exists in the Quake II server on any OS
that allows server CVARs containing sensitive information to be leaked. By
using a modified client that does not locally expand "$" macros, it is
possible to send a command such as 'say $rcon_password' to the server.
The server then expands it, revealing the server's rcon password, which can
be used to mount further attacks, not least of which include viewing the
directory structure of the machine via 'rcon dir' and being able to
execute any q2 server commands, some of which produce file output.
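
One way to close this leak is for the server to expand "$" macros only in commands typed at its own console and to copy client-supplied text literally. The C sketch below is an added example, not code from the advisory or from the Quake II source; expand_command, cmd_source and the CVAR table with its values are hypothetical and constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed CVAR table standing in for server state (sample values). */
struct cvar { const char *name, *value; };
static const struct cvar cvars[] = {
    { "rcon_password", "constructed-secret" },
    { "hostname", "demo server" },
};
enum cmd_source { SRC_CONSOLE, SRC_CLIENT };  /* local console vs. network client */

static const char *cvar_lookup(const char *name, size_t len)
{
    for (size_t i = 0; i < sizeof cvars / sizeof cvars[0]; i++)
        if (strlen(cvars[i].name) == len && memcmp(cvars[i].name, name, len) == 0)
            return cvars[i].value;
    return "";  /* unknown names expand to nothing */
}

/* Copy `in` to `out`. "$name" is expanded only for SRC_CONSOLE; text from
 * SRC_CLIENT is copied literally, so a client cannot read server CVARs.
 * Returns 0 on success, -1 if `out` is too small. */
int expand_command(const char *in, enum cmd_source src, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz == 0) return -1;
    while (*in) {
        if (*in == '$' && src == SRC_CONSOLE) {
            size_t n = 0;  /* length of the name that follows '$' */
            while (isalnum((unsigned char)in[1 + n]) || in[1 + n] == '_') n++;
            const char *val = cvar_lookup(in + 1, n);
            size_t vlen = strlen(val);
            if (o + vlen >= outsz) return -1;  /* keep room for the NUL */
            memcpy(out + o, val, vlen);
            o += vlen; in += 1 + n;
        } else {
            if (o + 1 >= outsz) return -1;
            out[o++] = *in++;
        }
    }
    out[o] = '\0';
    return 0;
}

int main(void)
{
    char buf[64];
    if (!expand_command("say $rcon_password", SRC_CLIENT, buf, sizeof buf)) puts(buf);
    return 0;
}
```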
ADDITIONAL INFORMATION
The information has been provided by <mailto:bugtraq@r1ch.net> Richard
Stanway.