Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <AB049C24AA5940DABEC6E22FD52675B8@r1>
Date: Mon, 29 Mar 2010 13:11:32 -0400
From: "Richard Stanway" <r.stanway@...il.com>
To: "'oss-security'" <oss-security@...ts.openwall.com>
Subject: RE: CVE Request -- Quake II Server -- two security issues affecting also Alien Arena

Hello,

>    -------------
> 
>    B, "Server-side cvar expansion:
>        By passing an unexpanded string containing $macros to the
>        server, the server will expand it using it's cvars. This can
>        be used to leak sensitive information such as the 
> rcon_password cvar."
> 
>    Proposed patch: N/A
>    ---------------
> 
>    Richard, is there a patch for this issue yet?

I am unfamiliar with Alien Arena, but in the original Quake II engine code,
this bug is in the sv_user.c SV_ExecuteUserCommand function.

The following line is incorrect:

	Cmd_TokenizeString (s, true);

The 'true' specifies that the server should expand $macros in the string,
this is what allows the client to see the values of server-side cvars. The
fix is simply to change true to false:

	Cmd_TokenizeString (s, false);

On the same function, you should also verify that the string 's' does not
contain any 0xFF bytes, as if these are sent over the net to other clients,
it will cause them to think the server message has ended prematurely and
disconnect from the server.

The list of Quake II engine bugs posted on the QuakeDev forums is not 100%
complete unfortunately, especially as it only lists server exploits. There
are numerous issues with the client code that a malicious server could
exploit to cause buffer overflows with arbitrary code execution. I would
recommend you download my R1Q2 engine source from
http://www.r1ch.net/stuff/r1q2/src/ and grep for any "//r1" comments as all
the security fixes are documented in the source.

Regards,

Rich.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.