Re: QW server hole

From: Chris Evans (chrisat_private)
Date: Tue Apr 07 1998 - 22:30:26 PDT

    Hi,
    
    I've looked into the recently reported QuakeWorld server hole for
    "exploitability" other than DoS.
    
    It seems the smashed buffer is a static one rather than one on the stack;
    when we use a very large string full of 'A' to fill the buffer with, we
    don't get a crash due to execution at address 0x41414141.
    
    Indeed instead we find we have trashed some structures with pointers in.
    The eventual crash is due to a dereference of 0x10+(0x41414141), in the
    function "Z_CheckHeap()".
    
    The actual structure corrupted is called "mainzone", and the actual buffer
    smashed is called "com_token" and appears to be exactly 1024 bytes long.
    
    If, as you say, an ID Software employee has ignored your reports of this
    bug, then that is _very_ poor.
    
    Cheers
    Chris
    
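As an added illustration of the defensive fix for the pattern described above (example code written for this archive page, not the QuakeWorld source; parse_token, TOKEN_SIZE and the helper names are assumptions): a token copy into a fixed 1024-byte static buffer, with the bound check that keeps an oversized token from running into the globals behind it.

```c
#include <stddef.h>
#include <string.h>

#define TOKEN_SIZE 1024   /* same size as the com_token buffer described above */

/* Static buffer, as in the report: overrunning it overwrites whatever global
 * data the linker placed after it (the mail's "mainzone"), not a return
 * address, which is why the crash only shows up later in a heap-check routine. */
static char token[TOKEN_SIZE];
static int last_truncated;

static int is_space(char c)
{
    return c == ' ' || c == '\t' || c == '\n' || c == '\r';
}

/* Copies one whitespace-delimited token from data into the static buffer and
 * returns a pointer just past it. Unlike an unbounded copy loop, it stops at
 * TOKEN_SIZE-1 bytes, drops the excess and records that truncation happened. */
const char *parse_token(const char *data)
{
    size_t len = 0;
    last_truncated = 0;
    while (is_space(*data))
        data++;
    while (*data && !is_space(*data)) {
        if (len + 1 < TOKEN_SIZE)       /* keep room for the terminator */
            token[len++] = *data;
        else
            last_truncated = 1;         /* oversized token: discard, never overflow */
        data++;
    }
    token[len] = '\0';
    return data;
}

size_t token_length(void) { return strlen(token); }
int last_token_truncated(void) { return last_truncated; }

/* Constructed input: a run of n 'A' bytes (n < 4096), the same shape as the
 * probe described in the mail. Returns how many bytes were actually stored. */
size_t run_stored_length(size_t n)
{
    static char input[4096];
    if (n >= sizeof input)
        return 0;
    memset(input, 'A', n);
    input[n] = '\0';
    parse_token(input);
    return token_length();
}
```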



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:48:21 PDT