[NT] Quake 2 Server Format String (Lithium II)
From: SecuriTeam (support_at_securiteam.com)
Date: 09/08/05
To: list@securiteam.com
Date: 8 Sep 2005 13:49:57 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Quake 2 Server Format String (Lithium II)
------------------------------------------------------------------------
SUMMARY
"Lithium II <http://www.planetquake.com/lithium/> is a very configurable
server-side deathmatch modification for Quake II." By crafting a special
nickname it is possible to cause a format string attack under Quake 2
Lithium.
DETAILS
Vulnerable Systems:
* Quake 2 Lithium II version 1.2
Quake 2 Lithium does not filter the nickname that users select for
themselves. Creating a nickname such as %999f%f%f%f%f allows real numbers
to overflow their range and cause a carry flag.
The format string is pushed onto the stack as follows:
004144A1 |. 68 E821AF00 PUSH QUAKE2.00AF21E8 ; ASCII "0.000000 0.000000 0.000000"
The format string is triggered when a user is killed, and the server
causes an invalid page fault in module <unknown> at 0000:3030302e.
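The class of fix for this bug, as an added example (not Lithium II or Quake 2 source code): the nickname is only ever passed as an argument to a constant format, and '%' is stripped on input as defense in depth. The function names, the NICK_MAX limit and the kill message text are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NICK_MAX 16 /* assumed nickname buffer size for this example */

/* Copy a client-supplied nick, replacing '%' and non-printable bytes with '_'.
 * Defense in depth: if a later call misuses the nick as a format string,
 * it no longer contains conversion specifiers. Returns the bytes replaced. */
int sanitize_nick(const char *in, char *out, size_t outsz)
{
    size_t i = 0;
    int replaced = 0;
    if (outsz == 0)
        return 0;
    for (; in[i] != '\0' && i + 1 < outsz; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '%' || !isprint(c)) {
            out[i] = '_';
            replaced++;
        } else {
            out[i] = (char)c;
        }
    }
    out[i] = '\0';
    return replaced;
}

/* Primary fix: the format is a constant and the nick is data for %s.
 * The unsafe pattern is snprintf(out, outsz, text_containing_nick), where
 * the printf family interprets the player's own % sequences. */
int format_obituary(char *out, size_t outsz, const char *victim, const char *killer)
{
    return snprintf(out, outsz, "%s was killed by %s\n", victim, killer);
}

int main(void)
{
    const char *nick = "%999f%f%f%f%f"; /* nickname quoted in the advisory */
    char clean[NICK_MAX], line[128];
    format_obituary(line, sizeof line, nick, "player2");
    fputs(line, stdout); /* the nick appears literally, nothing is expanded */
    int n = sanitize_nick(nick, clean, sizeof clean);
    printf("%d bytes replaced -> %s\n", n, clean);
    return 0;
}
```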
ADDITIONAL INFORMATION
The information has been provided by sinNULL
<mailto:nukemmeister@gmail.com>.
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.