[ISN] RSI.0001.05-01-98.ALL.QUAKE_SERVER

From: mea culpa (jerichoat_private)
Date: Fri May 01 1998 - 03:12:33 PDT

  • Next message: mea culpa: "[ISN] Network fear-mongering (McAfee/Network Associates)"

    Forwarded From: RSI Advise <adviseat_private>
               |:::.  |::::: |::::.        |::::: |::::: |::::.
               ..  :: ..     ..  ::        ..     ..     ..  ::
               |::::  |::::  |::::  :::::: |::::: |::::  |:
               |:  :: |:     |:               |:: |:     |:  ::
               |:  :: |::::: |:            |::::: |::::: |:::::
                       Repent Security Incorporated, RSI
                           [ http://www.repsec.com ]
    		       *** RSI ALERT ADVISORY ***
    --- [CREDIT] --------------------------------------------------------------
    Vulnerability found by:	 Mark Zielinski <markzat_private>
    Advisory Author:         Mark Zielinski
    --- [SUMMARY] -------------------------------------------------------------
    Announced:     May 1st, 1998
    Report code:   RSI.0001.05-01-98.ALL.QUAKE_SERVER
    Report title:  Vulnerability in the Quake server
    Vulnerability: RCON (Remote Console)
    Patch status:  None currently available
    Platforms:     Quake 1/2, QuakeWorld, Linux/Solaris Quake2
    Reference:     http://www.repsec.com/advisories.html
    Impact:	       If exploited, an attacker could remotely compromise
    	       administrator access on any Quake server.
    --- [DETAILS] -------------------------------------------------------------
    Problem:       The Quake server has a feature where it allows
                   administrators to remotely send commands to the Quake
                   console with a password.  However, it is possible to
                   remotely bypass authentication.
                   In order for this to be exploited, the attacker would
                   have to create a handcrafted udp packet with a header
                   containing the rcon command and the password "tms" with
                   a source IP coming from ID Software's Subnet. (192.246.40)
                   The Quake server does not require an open connection for
                   sending the rcon packet.  When this is exploited, no logs
                   are reported of the rcon command being used.
    	       This vulnerability is present in Quake 1, QuakeWorld,
    	       Quake 2, Quake 2 Linux and Quake 2 Solaris, all versions.
    --- [FIX] -----------------------------------------------------------------
    Solution:      Filter all incoming packets from the subnet 192.246.40.
    --- [PATCH] ---------------------------------------------------------------
    Solution:      No patches are currently available.
    Repent Security Incorporated (RSI)
    13610 N. Scottsdale Rd.
    Suite #10-326
    Scottsdale, AZ 85254
    [ http://www.repsec.com ]
    Version: 2.6.2
    Copyright April 1998  RepSec, Inc.
    The information in this document is provided as a service to customers
    of RepSec, Inc.  Neither RepSec, Inc., nor any of it's employees, makes
    any warranty, express or implied, or assumes any legal liability or
    responsibility for the accuracy, completeness, or usefulness of any
    information, apparatus, product, or process contained herein, or
    represents that its use would not infringe any privately owned rights.
    Reference herein to any specific commercial products, process, or
    services by trade name, trademark, manufacturer, or otherwise, does not
    necessarily constitute or imply its endorsement, recommendation or
    favoring by RepSec, Inc.  The views and opinions of authors expressed
    herein do not necessarily state or reflect those of RepSec, Inc., and may
    not be used for advertising or product endorsement purposes.
    The material in this alert advisory may be reproduced and distributed,
    without permission, in whole or in part, by other security incident
    response teams (both commercial and non-commercial), provided the above
    copyright is kept intact and due credit is given to RepSec, Inc.
    This alert advisory may be reproduced and distributed, without
    permission, in its entirety only, by any person provided such
    reproduction and/or distribution is performed for non-commercial
    purposes and with the intent of increasing the awareness of the Internet
    RepSec, Inc. are trademarks of RepSec, Inc.  All other trademarks are
    property of their respective holders. 
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repend Security Incorporated [www.repsec.com]

    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:52:21 PDT