From:	 "Richard Stanway" <bugtraq@r1ch.net>
To:	 <bugtraq@securityfocus.com>
Subject: Remote quake 2 3.2x server cvar leak
Date:	 Tue, 14 May 2002 03:48:05 +0100

Hello,
A problem exists in the Quake II Server for any OS (probably all versions;
tested 3.20 and 3.21) discovered by 'Redix' that allows server cvars
containing sensitive information to be leaked. This has been known for a
little over 2 months; I run several Q2 servers and only learned of it today,
which is why I decided to post to bugtraq. By using a modified client which
does not locally expand "$" macros, it is possible to send a command such as
'say $rcon_password' to the server. This will then be expanded to reveal the
server's rcon password, which can be used to do further attacks, not least of
which include viewing the directory structure of the machine via 'rcon dir'
and being able to execute any q2 server commands, some of which produce file
output.

http://www.aq2tng.barrysworld.net/ has details of the affected line of
source as well as patched binaries for Win32 and linux. The original thread
in which this is discussed can be found at
http://www.quakesrc.org/forum/topicDisplay.php?topicID=160.

Richard Stanway
http://www.r1ch.net/
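
Added example, not part of the original post and not Quake II source: a minimal C model of the flaw class described above, where a server expands "$" macros in text received from a client, next to a hardened variant that expands trusted local console input only. All names (cvar_lookup, expand_macros, tokenize_flawed, tokenize_hardened, cmd_source) and the cvar values are hypothetical and constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Constructed sample cvars; not values from any real server. */
struct cvar { const char *name, *value; };
static const struct cvar cvars[] = {
    { "rcon_password", "sample-secret" }, { "hostname", "test server" },
};

static const char *cvar_lookup(const char *name, size_t len) {
    for (size_t i = 0; i < sizeof cvars / sizeof cvars[0]; i++)
        if (strlen(cvars[i].name) == len && !strncmp(cvars[i].name, name, len))
            return cvars[i].value;
    return ""; /* unknown cvar expands to nothing */
}

/* Replace each "$name" token with the named cvar's value. */
static void expand_macros(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    while (*in && o + 1 < outsz) {
        if (*in != '$') { out[o++] = *in++; continue; }
        const char *start = ++in;
        while (isalnum((unsigned char)*in) || *in == '_') in++;
        const char *v = cvar_lookup(start, (size_t)(in - start));
        while (*v && o + 1 < outsz) out[o++] = *v++;
    }
    out[o] = '\0';
}

enum cmd_source { SRC_LOCAL_CONSOLE, SRC_REMOTE_CLIENT };

/* Flawed: expands every command string, including text a client sent. */
void tokenize_flawed(const char *text, enum cmd_source src, char *out, size_t n) {
    (void)src; /* the origin of the text is ignored, which is the bug */
    expand_macros(text, out, n);
}

/* Hardened: expands trusted local console input only; client text stays literal. */
void tokenize_hardened(const char *text, enum cmd_source src, char *out, size_t n) {
    if (src == SRC_LOCAL_CONSOLE) expand_macros(text, out, n);
    else snprintf(out, n, "%s", text);
}

int main(void) {
    char a[128], b[128];
    tokenize_flawed("say $rcon_password", SRC_REMOTE_CLIENT, a, sizeof a);
    tokenize_hardened("say $rcon_password", SRC_REMOTE_CLIENT, b, sizeof b);
    printf("flawed:   %s\nhardened: %s\n", a, b);
}
```

The design point is that macro expansion is a privilege of the input's origin: the hardened path keeps console scripting working while treating "$" in client text as ordinary characters.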