Date: Mon, 29 Mar 2010 13:11:32 -0400
From: "Richard Stanway" <r.stanway@...il.com>
To: "'oss-security'" <oss-security@...ts.openwall.com>
Subject: RE: CVE Request -- Quake II Server -- two security issues affecting also Alien Arena

Hello,

> -------------
>
> B, "Server-side cvar expansion:
> By passing an unexpanded string containing $macros to the
> server, the server will expand it using its cvars. This can
> be used to leak sensitive information such as the
> rcon_password cvar."
>
> Proposed patch: N/A
> ---------------
>
> Richard, is there a patch for this issue yet?

I am unfamiliar with Alien Arena, but in the original Quake II engine code, this bug is in the sv_user.c SV_ExecuteUserCommand function. The following line is incorrect:

    Cmd_TokenizeString (s, true);

The 'true' specifies that the server should expand $macros in the string; this is what allows the client to see the values of server-side cvars. The fix is simply to change true to false:

    Cmd_TokenizeString (s, false);

In the same function, you should also verify that the string 's' does not contain any 0xFF bytes, as if these are sent over the net to other clients, it will cause them to think the server message has ended prematurely and disconnect from the server.

The list of Quake II engine bugs posted on the QuakeDev forums is not 100% complete unfortunately, especially as it only lists server exploits. There are numerous issues with the client code that a malicious server could exploit to cause buffer overflows with arbitrary code execution. I would recommend you download my R1Q2 engine source from http://www.r1ch.net/stuff/r1q2/src/ and grep for any "//r1" comments as all the security fixes are documented in the source.

Regards,
Rich.
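The two server-side checks described in the message above, as an added illustration that is not part of the mailing-list post and not the Quake II or R1Q2 source: the tokenizer, the cvar table, the function names (sv_command_bytes_ok, tokenize_string, sv_execute_user_command) and the cvar values are simplified stand-ins constructed for this example. It shows that tokenizing a client-supplied string with macro expansion disabled leaves a "$rcon_password" token literal instead of substituting the cvar's value, and that a string carrying a 0xFF byte is rejected before it can be forwarded to other clients.

```c
/* Added example: simplified stand-in for the server-side command handling
 * discussed in the message.  Not the Quake II / R1Q2 code; names and the
 * cvar table below are constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_TOKENS 8
#define MAX_TOKEN_LEN 64

/* Constructed cvar table standing in for the server's real cvar storage. */
static const struct { const char *name; const char *value; } cvars[] = {
    { "hostname",      "example server" },
    { "rcon_password", "constructed-secret" },
};

static const char *cvar_lookup(const char *name, size_t len) {
    for (size_t i = 0; i < sizeof cvars / sizeof cvars[0]; i++)
        if (strlen(cvars[i].name) == len && memcmp(cvars[i].name, name, len) == 0)
            return cvars[i].value;
    return "";
}

/* Reject any command string carrying a 0xFF byte, which in the Quake II
 * network format marks the end of a server message.  Returns true if clean. */
bool sv_command_bytes_ok(const char *s) {
    for (; *s; s++)
        if ((unsigned char)*s == 0xFF)
            return false;
    return true;
}

/* Minimal whitespace tokenizer.  With expand_macros set, a $name token is
 * replaced by the cvar's value (the behaviour the message says must NOT be
 * applied to client-supplied strings).  Returns the token count. */
int tokenize_string(const char *s, bool expand_macros,
                    char tokens[MAX_TOKENS][MAX_TOKEN_LEN]) {
    int n = 0;
    while (*s && n < MAX_TOKENS) {
        while (*s == ' ' || *s == '\t') s++;
        if (!*s) break;
        const char *start = s;
        while (*s && *s != ' ' && *s != '\t') s++;
        size_t len = (size_t)(s - start);
        if (expand_macros && len > 1 && start[0] == '$') {
            /* substitute the $macro with the cvar's value */
            snprintf(tokens[n], MAX_TOKEN_LEN, "%s", cvar_lookup(start + 1, len - 1));
        } else {
            if (len >= MAX_TOKEN_LEN) len = MAX_TOKEN_LEN - 1;
            memcpy(tokens[n], start, len);
            tokens[n][len] = '\0';
        }
        n++;
    }
    return n;
}

/* Server-side handling of a client command: validate the bytes first, then
 * tokenize with macro expansion disabled so $rcon_password stays literal.
 * Returns the token count, or -1 if the string was rejected. */
int sv_execute_user_command(const char *s, char tokens[MAX_TOKENS][MAX_TOKEN_LEN]) {
    if (!sv_command_bytes_ok(s))
        return -1;
    return tokenize_string(s, false, tokens);
}

int main(void) {
    char toks[MAX_TOKENS][MAX_TOKEN_LEN];
    int n = sv_execute_user_command("say $rcon_password", toks);
    for (int i = 0; i < n; i++)
        printf("safe path, token %d: %s\n", i, toks[i]);
    /* the incorrect 'true' path, shown only to contrast the behaviour */
    tokenize_string("say $rcon_password", true, toks);
    printf("with expansion, token 1 becomes: %s\n", toks[1]);
    printf("string with 0xFF accepted? %s\n",
           sv_command_bytes_ok("say \xff") ? "yes" : "no");
    return 0;
}
```

The byte check runs before tokenizing because the original string, not the token list, is what gets relayed to other clients.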