Date: Thu, 21 Jan 1999 20:41:07 -0600
From: Signal 11 <signal11@MEDIAONE.NET>
Subject: Re: Quake 2 Server Crash
To: BUGTRAQ@NETSPACE.ORG

Leif Sawyer wrote:
> I haven't figured out any way to stop this overflow attack, but it doesn't
> seem to do much else but dump core.

I saw a similar problem in QuakeWorld, which Zoid fixed about a month later - a user can set a variable name + value using the "set" command in the console to an arbitrary length. I stuck one about 100 chars long into a string in autoexec, and loaded up my qwcl client. It reliably crashed any server. *That* bug has since been fixed long ago.

A new one I noted at least as late as 3.19 (I think) is a derivative. Issue the following at a console for a plain-old CTF server:

msg 4
bind c "team red; team blue; team red;team blue;team red;team blue;team red;team blue"

Pop out of console and start hammering that C key. In about 10-15 seconds, either all the players overflow and drop out of the game, or your screen jitters, the sound skips, and the server comes crashing down. However, that doesn't help you much, as having only 2 players in the game throws this theory out. :/

No doubt it's a buffer-overflow on one of the client-settable variables. Maybe fov? qwcl also did *not* like negative values. Quake2 might be similar.

Now, back to fragging those stupid zbots...

But, I'm not a quake coder, so don't hold me to any of this. This was just something I discovered by accident. It's been reported, but nobody at ID seems to care, since Quake Arena is due out soon....

--
signal11@mediaone.net | BOFH, Signal 11 Network | RSA encryption follows:
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<> )]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`
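The post describes two inputs a server-side console handler has to survive: a "set" name or value of arbitrary length landing in a fixed-size slot, and a numeric cvar such as fov given a negative value. The stand-in handler below is an added example written for this page; it is not Quake 2's or QuakeWorld's Cvar_Set, and the buffer sizes, the fov range of 1..170, the name character set and all function names are assumptions chosen to show the checks, not values taken from the engine. It bounds the length scan itself, rejects over-long names and values before any copy happens, and range-checks numeric cvars so a negative fov never reaches the renderer.

```c
/*
 * Bounds-checked stand-in for a console "set" handler (added example).
 * NOT Quake 2's Cvar_Set: limits, the fov range and names are assumptions.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define CVAR_NAME_MAX  31   /* assumed: longest accepted name, excluding NUL */
#define CVAR_VALUE_MAX 63   /* assumed: longest accepted value, excluding NUL */
#define MAX_CVARS      32

typedef struct {
    char name[CVAR_NAME_MAX + 1];
    char value[CVAR_VALUE_MAX + 1];
} cvar_t;

static cvar_t cvars[MAX_CVARS];
static int cvar_count;

enum cvar_status {
    CVAR_OK = 0,
    CVAR_ERR_NAME_LEN,   /* name longer than CVAR_NAME_MAX (or empty) */
    CVAR_ERR_VALUE_LEN,  /* value longer than CVAR_VALUE_MAX */
    CVAR_ERR_NAME_CHAR,  /* name has a character outside [A-Za-z0-9_] */
    CVAR_ERR_RANGE,      /* numeric cvar not an integer or outside its range */
    CVAR_ERR_FULL        /* cvar table full */
};

/* Length check that never reads past max+1 bytes, so an oversized or
 * unterminated input cannot run the scan off the end. -1 if too long. */
static int bounded_len(const char *s, size_t max, size_t *out)
{
    size_t n = 0;
    while (n <= max && s[n] != '\0')
        n++;
    if (n > max)
        return -1;
    *out = n;
    return 0;
}

/* Numeric cvars and their assumed legal ranges (fov is the one the post names). */
static const struct { const char *name; long lo, hi; } numeric_limits[] = {
    { "fov", 1, 170 },
};

static int check_numeric(const char *name, const char *value)
{
    size_t i;
    for (i = 0; i < sizeof numeric_limits / sizeof numeric_limits[0]; i++) {
        char *end;
        long v;
        if (strcmp(name, numeric_limits[i].name) != 0)
            continue;
        v = strtol(value, &end, 10);
        if (end == value || *end != '\0')
            return CVAR_ERR_RANGE;   /* not an integer at all */
        if (v < numeric_limits[i].lo || v > numeric_limits[i].hi)
            return CVAR_ERR_RANGE;   /* e.g. a negative fov */
    }
    return CVAR_OK;
}

static cvar_t *cvar_find(const char *name)
{
    int i;
    for (i = 0; i < cvar_count; i++)
        if (strcmp(cvars[i].name, name) == 0)
            return &cvars[i];
    return NULL;
}

/* Validate both halves of "set <name> <value>" before anything is copied
 * into the fixed-size slots, then copy with an explicit, checked bound. */
int cvar_set(const char *name, const char *value)
{
    size_t nlen, vlen, i;
    cvar_t *c;
    int rc;

    if (bounded_len(name, CVAR_NAME_MAX, &nlen) < 0 || nlen == 0)
        return CVAR_ERR_NAME_LEN;
    if (bounded_len(value, CVAR_VALUE_MAX, &vlen) < 0)
        return CVAR_ERR_VALUE_LEN;
    for (i = 0; i < nlen; i++)
        if (!isalnum((unsigned char)name[i]) && name[i] != '_')
            return CVAR_ERR_NAME_CHAR;
    if ((rc = check_numeric(name, value)) != CVAR_OK)
        return rc;

    c = cvar_find(name);
    if (c == NULL) {
        if (cvar_count >= MAX_CVARS)
            return CVAR_ERR_FULL;
        c = &cvars[cvar_count++];
        memcpy(c->name, name, nlen + 1);    /* nlen <= CVAR_NAME_MAX, NUL included */
    }
    memcpy(c->value, value, vlen + 1);      /* vlen <= CVAR_VALUE_MAX, NUL included */
    return CVAR_OK;
}

const char *cvar_get(const char *name)
{
    cvar_t *c = cvar_find(name);
    return c ? c->value : NULL;
}

int main(void)
{
    printf("set fov 90 -> %d, set fov -1 -> %d, fov is now %s\n",
           cvar_set("fov", "90"), cvar_set("fov", "-1"), cvar_get("fov"));
    return 0;
}
```

The point of `bounded_len` is that the length check itself is bounded: a plain `strlen` on attacker-controlled input already walks as far as the input does, so the cap has to be enforced during the scan, not after it. Rejecting a bad numeric value before the copy also means the previously stored value survives, which is what a server wants when a client sends garbage.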