At 06:22 PM 12/24/97 -0500, you wrote:
>Hello bugtraq readers, this message will detail a security flaw in
>Id Software's game, Quake II.
>
>When a user runs a Quake II server, the attacker can send a couple of
>spoofed udp packets with the return address of 127.0.0.1 to the server
>port and this will cause the Quake II server to go into a cycle of trying
>to start a game with itself. Thus, the server will crash.
>
>There is currently no official patch for this problem, however for a
>temporary fix, you can set up a firewall and deny all incoming udp packets
>from 127.0.0.1 to your Quake II server port.

<Source Snipped>

ID Software is aware of this problem and is currently working on various other updates and is going to include the fix for this problem in it. They hope to have it released by Sunday (12-28), however since I am not speaking on behalf of them, take not my word but finger johncat_private

An excerpt:

We are going to release a new quake 2 executable that fixes the malicious server crashing problems Real Soon Now. It also fixes a ton of other problems that have been reported, so we are going to have to give it some good testing before releasing it.

Billy
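
The temporary fix in the quoted report (deny UDP claiming to come from 127.0.0.1) written as a source-address check in C. This is an added example, not code from the post or from id Software: the function names, the documentation-range addresses and the ports are constructed, and it assumes the server socket is bound to a non-loopback address so no legitimate client arrives from 127.0.0.0/8. It goes slightly beyond the report by also dropping a sender equal to the server's own address and port.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if a datagram from `from` must be dropped before the game
 * protocol parses it, 0 otherwise. `self` is the server's bound address. */
int drop_spoofed_source(const struct sockaddr_in *from,
                        const struct sockaddr_in *self)
{
    uint32_t src = ntohl(from->sin_addr.s_addr);

    if ((src >> 24) == 127)            /* 127.0.0.0/8, as in the report */
        return 1;
    if ((src >> 24) == 0 || src == 0xFFFFFFFFu)  /* never a valid sender */
        return 1;
    /* Our own address and port as sender: any reply would come back to us. */
    if (from->sin_addr.s_addr == self->sin_addr.s_addr &&
        from->sin_port == self->sin_port)
        return 1;
    return 0;
}

/* Build both addresses from text and apply the check (sample-input helper). */
int check(const char *src_ip, uint16_t src_port,
          const char *self_ip, uint16_t self_port)
{
    struct sockaddr_in from, self;
    memset(&from, 0, sizeof from);
    memset(&self, 0, sizeof self);
    from.sin_family = self.sin_family = AF_INET;
    from.sin_port = htons(src_port);
    self.sin_port = htons(self_port);
    if (inet_pton(AF_INET, src_ip, &from.sin_addr) != 1 ||
        inet_pton(AF_INET, self_ip, &self.sin_addr) != 1)
        return 1;                      /* unparsable input: drop */
    return drop_spoofed_source(&from, &self);
}

int main(void)
{
    /* Constructed samples: server at 192.0.2.10, port 40000. */
    printf("loopback source: %d\n", check("127.0.0.1", 40000, "192.0.2.10", 40000));
    printf("own addr+port:   %d\n", check("192.0.2.10", 40000, "192.0.2.10", 40000));
    printf("remote client:   %d\n", check("198.51.100.7", 50123, "192.0.2.10", 40000));
    return 0;
}
```

In a server loop the check would sit directly after recvfrom(), before any handling of the packet contents.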