QW vulnerability

From: Glenn F. Maynard (glennmat_private)
Date: Tue Apr 07 1998 - 16:42:09 PDT


    On the same note, QuakeWorld v2.10 (latest) is overflowable in the
    initial "connect" sequence.
    
    The first client->server packet gives the user name, colors, etc:
    
    0xFF,0xFF,0xFF,0xFF followed by (plaintext) ->
    connect "\name\Glenn\key\data"
    
    There is no bounds checking on this connect; netcatting the following
    will crash the server (although segfault appears trapped; no message is
    displayed, and no core is left): '    connect "\x\xxxxxxxxxxxxxxxxxx'
    (repeat "x" as needed; replace the first 4 spaces with 0xFF).
    
    I've done no actual testing on the buffer length, and my assembler skills
    are not enough to give an example exploit.
    
    FTR, I've mailed Zoid (current maintainer of QW) multiple times about this
    (and told him once on IRC); not once have I received a reply.
    
     - Glenn F. Maynard
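As an added example (not code from the post, and not QuakeWorld's own source), here is the kind of bounds-checked handling the post says the connect sequence lacks: a parser for the `0xFF 0xFF 0xFF 0xFF` + `connect "\key\value..."` packet that rejects a userinfo string too long for its buffer instead of copying it, plus a bounded key lookup for the `\name\Glenn\key\data` format. The 196-byte buffer size, the function names and the return codes are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not QuakeWorld's own code: a bounds-checked parser for the
 * out-of-band "connect" request described in the post. The buffer size,
 * function names and return codes are assumptions made for this example. */

#define OOB_HEADER_LEN 4     /* 0xFF 0xFF 0xFF 0xFF prefix, as in the post */
#define MAX_USERINFO   196   /* assumed size of the server's userinfo buffer */

enum connect_status {
    CONNECT_OK          =  0,
    CONNECT_NOT_OOB     = -1,   /* missing 0xFF x4 prefix */
    CONNECT_NOT_CONNECT = -2,   /* OOB packet, but not a connect request */
    CONNECT_BAD_QUOTE   = -3,   /* userinfo not terminated by a closing quote */
    CONNECT_TOO_LONG    = -4    /* userinfo would not fit in MAX_USERINFO */
};

/* Parse a raw client->server packet into a NUL-terminated userinfo string.
 * Every read is bounded by the packet length and every write by MAX_USERINFO,
 * so an oversized userinfo is rejected rather than copied past the buffer. */
int parse_connect(const uint8_t *pkt, size_t len, char userinfo[MAX_USERINFO])
{
    static const char prefix[] = "connect \"";
    const size_t plen = sizeof(prefix) - 1;

    userinfo[0] = '\0';
    if (len < OOB_HEADER_LEN)
        return CONNECT_NOT_OOB;
    for (size_t i = 0; i < OOB_HEADER_LEN; i++)
        if (pkt[i] != 0xFF)
            return CONNECT_NOT_OOB;
    pkt += OOB_HEADER_LEN;
    len -= OOB_HEADER_LEN;

    if (len < plen || memcmp(pkt, prefix, plen) != 0)
        return CONNECT_NOT_CONNECT;
    pkt += plen;
    len -= plen;

    /* The userinfo ends at the closing quote; search only inside the packet. */
    const uint8_t *end = memchr(pkt, '"', len);
    size_t ulen = end ? (size_t)(end - pkt) : len;
    if (ulen >= MAX_USERINFO)        /* leave room for the terminating NUL */
        return CONNECT_TOO_LONG;
    if (end == NULL)
        return CONNECT_BAD_QUOTE;
    memcpy(userinfo, pkt, ulen);
    userinfo[ulen] = '\0';
    return CONNECT_OK;
}

/* Look up a key in a "\key\value\key\value" string, copying at most
 * outsize-1 bytes of the value into out. Returns 1 if the key was found. */
int userinfo_get(const char *userinfo, const char *key, char *out, size_t outsize)
{
    const char *p = userinfo;
    size_t klen = strlen(key);

    out[0] = '\0';
    while (*p == '\\') {
        const char *k = p + 1;
        const char *kend = strchr(k, '\\');
        if (kend == NULL)
            return 0;                      /* trailing key without a value */
        const char *v = kend + 1;
        const char *vend = strchr(v, '\\');
        size_t vlen = vend ? (size_t)(vend - v) : strlen(v);
        if ((size_t)(kend - k) == klen && memcmp(k, key, klen) == 0) {
            if (vlen >= outsize)
                vlen = outsize - 1;        /* truncate instead of overrunning */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = vend ? vend : v + vlen;        /* next "\key" or the terminating NUL */
    }
    return 0;
}

/* Build a connect packet from a userinfo string (constructed test input). */
size_t build_connect_packet(uint8_t *buf, size_t bufsize, const char *userinfo, int close_quote)
{
    size_t ulen = strlen(userinfo);
    size_t need = OOB_HEADER_LEN + 9 + ulen + (close_quote ? 1 : 0);
    if (need > bufsize)
        return 0;
    memset(buf, 0xFF, OOB_HEADER_LEN);
    memcpy(buf + OOB_HEADER_LEN, "connect \"", 9);
    memcpy(buf + OOB_HEADER_LEN + 9, userinfo, ulen);
    if (close_quote)
        buf[need - 1] = '"';
    return need;
}

int main(void)
{
    uint8_t pkt[1024];
    char info[MAX_USERINFO], name[32], big[320];

    /* The well-formed request from the post. */
    size_t n = build_connect_packet(pkt, sizeof pkt, "\\name\\Glenn\\key\\data", 1);
    int rc = parse_connect(pkt, n, info);
    userinfo_get(info, "name", name, sizeof name);
    printf("well-formed: rc=%d name=%s\n", rc, name);

    /* The post's crash case: "\x\" plus a long run of x and no closing quote. */
    memcpy(big, "\\x\\", 3);
    memset(big + 3, 'x', 300);
    big[303] = '\0';
    n = build_connect_packet(pkt, sizeof pkt, big, 0);
    printf("oversized:   rc=%d (rejected, userinfo left empty)\n", parse_connect(pkt, n, info));
    return 0;
}
```

The length check runs before any copy, and the closing-quote search is limited to the bytes actually received, so the server-side buffer can never be written past its end regardless of how many `x` bytes the client sends; a `CONNECT_TOO_LONG` result is also a convenient place to log the source address for detection.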
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:48:18 PDT