Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 29 Mar 2010 13:11:32 -0400
From: "Richard Stanway" <r.stanway@...il.com>
To: "'oss-security'" <oss-security@...ts.openwall.com>
Subject: RE: CVE Request -- Quake II Server -- two security issues affecting also Alien Arena

Hello,

>    -------------
> 
>    B, "Server-side cvar expansion:
>        By passing an unexpanded string containing $macros to the
>        server, the server will expand it using it's cvars. This can
>        be used to leak sensitive information such as the 
> rcon_password cvar."
> 
>    Proposed patch: N/A
>    ---------------
> 
>    Richard, is there a patch for this issue yet?

I am unfamiliar with Alien Arena, but in the original Quake II engine code,
this bug is in the sv_user.c SV_ExecuteUserCommand function.

The following line is incorrect:

	Cmd_TokenizeString (s, true);

The 'true' specifies that the server should expand $macros in the string,
this is what allows the client to see the values of server-side cvars. The
fix is simply to change true to false:

	Cmd_TokenizeString (s, false);

On the same function, you should also verify that the string 's' does not
contain any 0xFF bytes, as if these are sent over the net to other clients,
it will cause them to think the server message has ended prematurely and
disconnect from the server.

The list of Quake II engine bugs posted on the QuakeDev forums is not 100%
complete unfortunately, especially as it only lists server exploits. There
are numerous issues with the client code that a malicious server could
exploit to cause buffer overflows with arbitrary code execution. I would
recommend you download my R1Q2 engine source from
http://www.r1ch.net/stuff/r1q2/src/ and grep for any "//r1" comments as all
the security fixes are documented in the source.

Regards,

Rich.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.