| Name | Severity | Details | Example Exploit |
| --- | --- | --- | --- |
| Server-side cvar expansion | High | By passing an unexpanded string containing $macros to the server, the server will expand it using its own cvars. This can be used to leak sensitive information such as the rcon_password cvar. | At the client console: "say $rcon_password" |
| Multiple auto downloading DoS conditions | Medium | By supplying various invalid parameters to the download command, it is possible to crash the server, causing a DoS condition. A path ending in . or / will crash on Linux. Supplying a negative offset will cause a crash on all platforms. | At the client console: cmd download maps/ |
| cmd_args buffer overflow | High | The tokenizing function that splits up a string fails to check the length of the string before copying it into a 1024 byte buffer. An attacker can supply a long string that causes a buffer overflow, overwriting the command function pointer table; an overwritten function pointer allows arbitrary code to be executed. | Not available. |
| Cbuf_Execute buffer overflow | Medium | The command buffer allows up to 8192 bytes of pending commands. When a command is executed, it is copied from the command buffer to a new buffer of 1024 bytes on the stack. No length checking is performed before the copy, allowing for a buffer overflow. Arbitrary code execution is confirmed possible. This is not as high a risk, as a client has no way to manipulate the command buffer remotely other than through rcon. | Not available. |
| configstrings/baselines DoS | Medium | By supplying a negative index to the configstrings or baselines command, the Quake II server will access invalid memory and crash. | At the client console, during the connection process: cmd baselines x -1000000 (x being the servercount variable) |
| Fake clients DoS | Medium | The Quake II server does not limit the number of connections from a single IP. Since only 2 packets are required to initiate a connection that by default takes two minutes to time out, it is possible to attack the server by sending multiple requests and filling up all available player slots. | See http://aluigi.altervista.org/fakep.htm |
| Auto downloading file leakage (Win32) | High | The download command does not properly validate a path. Due to the nature of Win32 paths, it is possible to subvert the check that requires a file to come from a subdirectory, allowing download of sensitive files such as server.cfg or qconsole.log. | At the client console: download \/server.cfg |
| Arbitrary filesystem browsing | High | The "link" console command permits the dangerous creation of links containing paths outside of the Quake II tree. A client with the rcon_password, perhaps gained from one of the above exploits, is able to browse and download any file on the host machine. | At the client console: rcon link foo /etc download foo/passwd |
| Client state structure damage | Medium | When a player reconnects to the Quake II server, it will try to find an existing slot. However, if such a slot exists, the server does not check whether that client has properly disconnected, so the old client state is overwritten. This may have a negative impact depending on the mod. | Not available. |
| Console command buffer overflows | High | Many console commands issued from the console or rcon are susceptible to buffer overflows. If an unauthorised user has access to the rcon_password, perhaps through one of the above exploits, it may be possible to execute arbitrary code. | Not available. |
| Spoofed 'info' query attack | High | The 'info' connectionless packet command replies with the string 'info hostname: wrong version' if the client sends an invalid version number. By spoofing the source address of the UDP packet, it is possible to cause two servers to get into an infinite loop sending info packets to each other, consuming CPU and network resources. | Not available. |
| Localhost source address DoS (Win32) | Medium | By spoofing a source address of the local machine, it is possible to cause a server to get into an infinite loop sending and receiving packets to itself, consuming 100% CPU time. | Not available. |
| 'begin' respawn cheat/exploit | Low | By recording and reusing the servercount variable, a client can issue multiple 'begin' commands. This has the effect of respawning the player as if they had just entered the game, usually including a line of text. | Not available. |
| 'info' command output bug | Low | The client "info" command incorrectly sends its output to the server console instead of to the client. This can be used by the client to fill the server console and log files with useless information. | At the client console: info |
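The cmd_args and Cbuf_Execute entries above describe the same defect: a command is copied out of the 8192-byte pending buffer into a 1024-byte buffer with no length check. The following is an added example, not code from this page or from the Quake II source, showing the bounded form of that copy step: the command is measured first and discarded when it would not fit. The names (cbuf_t, cbuf_add_text, cbuf_extract_line) and the quote handling are assumptions made for this example.

```c
#include <string.h>

#define CBUF_SIZE 8192   /* pending command buffer size, as on the page */
#define LINE_SIZE 1024   /* per-command stack buffer size, as on the page */

typedef struct { char data[CBUF_SIZE]; size_t len; } cbuf_t;

/* Append text to the pending buffer, refusing anything that does not fit. */
int cbuf_add_text(cbuf_t *cb, const char *text)
{
    size_t l = strlen(text);
    if (cb->len + l > CBUF_SIZE) return 0;
    memcpy(cb->data + cb->len, text, l);
    cb->len += l;
    return 1;
}

/* Length of the first command: up to a ';' outside double quotes or a '\n'. */
static size_t cbuf_command_len(const cbuf_t *cb)
{
    size_t i; int quoted = 0;
    for (i = 0; i < cb->len; i++) {
        if (cb->data[i] == '"') quoted = !quoted;
        else if ((cb->data[i] == ';' && !quoted) || cb->data[i] == '\n') break;
    }
    return i;
}

/* Copy the first pending command into line[] and drop it from the buffer.
 * Returns 1 on success, 0 if nothing is pending, -1 if the command would
 * not fit: it is discarded instead of copied, so the copy can never
 * overrun the fixed-size line buffer. */
int cbuf_extract_line(cbuf_t *cb, char line[LINE_SIZE])
{
    size_t n; int fits;
    if (cb->len == 0) return 0;
    n = cbuf_command_len(cb);
    fits = n < LINE_SIZE;          /* keep one byte for the terminator */
    if (fits) { memcpy(line, cb->data, n); line[n] = '\0'; }
    else line[0] = '\0';
    if (n < cb->len) n++;          /* also consume the separator */
    memmove(cb->data, cb->data + n, cb->len - n);
    cb->len -= n;
    return fits ? 1 : -1;
}
```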