Date: Wed, 20 Jan 1999 11:32:53 -0900
From: Leif Sawyer
To: BUGTRAQ@netspace.org
Subject: Quake 2 Server Crash

As the admin of a number of quake servers, I get a lot of grief when the
servers stop responding. So imagine my shock today when I found this in
the log files:
(this occurs multiple times for multiple crashes)

***
------- Server Initialization -------
Lithium II Mod v1.23
Map: q2dm1 Clients: 0 Mode: DM
-------------------------------------
[TIMESTAMP] Wed Jan 20 00:57:32 1999
I.Crash.Servers connected
I.Crash.Servers entered the game (clients = 1)
Jim connected
I.Crash.Servers: isnt that cool?
Jim entered the game (clients = 2)
I.Crash.Servers: f8.4066308.801916-1.997275255795727776554871684441501993271851
9261309972204529857042804295557369695379254160160904297030785333441191234036 372
2499905328180655146669812558216724401294487295256574001965593672278165930946 719
3302374718244644559434141982001968511670514876416.00000036203864208242065706 466
1081185321877918727462818352478172131544629258886053999628422250104238529930 351
3551062118684114774264001292444408779478784277297190716136058182749928079155 891
9394960823549936938384302198920503798602255236931094287764296569603621788156 166
144.000000113657843383457536412624131570413790616376014830719891410806832006 410
5647602260490606393886304550213680577198197497079229103864544867746075566174 424
8634118857431357303292149281287307264.00000011365826244271748860700812453324 708
2259369610998609036742327423814951455723993612423911582418642120996935351355 297
28494071527092059706478174739780605033959907590230450330932499955318784.0000 001
1365826244271748860700812453324708225936961099860903674232742381495145572399 361
2423911582418642120996935351355297284940715270920597064781747397806050339599 075
90230450330932499955318784
.000000907590230450330932499955318784.00000090.000000000.000000000
%.073741824.00000090.000000000.000000000
%.Master server at 204.182.161.3:27900
***

This causes Dr. Watson to dump out a lot of fun information, which I've
already forwarded to id software.

I haven't figured out any way to stop this overflow attack, but it doesn't
seem to do much else but dump core.

I have not attempted to replicate this to other server platforms, but my
guess is that they would also dump.

--
Leif Sawyer leif@gci.net || lsawyer@gci.com || internic: LS2540
(907) 267 - 0116 || ICQ - 3749190 || http://home.gci.net/~leif
Internet System Administrator -- General Communications Inc.
PGP Fingerprint: 77 C8 34 B8 FD BC C6 32 5F FE 93 4B AE 6C F7 4E
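
Added example, not part of the original post: a log triage script for server logs in the format quoted above, which groups entries by server start and flags clients whose chat line is abnormally long and is the last thing said before the next start. The 150-character threshold, the function names and the sample log (player names, digit run) are assumptions constructed for illustration.

```python
import re

INIT_MARKER = "Server Initialization"   # banner line seen in the posted log
CONNECT = re.compile(r"^(?P<name>.+) connected$")
CHAT = re.compile(r"^(?P<name>.+?): (?P<text>.*)$")
MAX_CHAT_LEN = 150                      # assumed threshold, tune per server

def triage(lines, max_len=MAX_CHAT_LEN):
    """Split a log into per-start sessions and record oversized chat lines."""
    sessions, current = [], None
    for raw in lines:
        line = raw.strip()
        if INIT_MARKER in line:
            current = {"clients": [], "oversized": [], "last_speaker": None}
            sessions.append(current)
            continue
        if current is None:
            continue
        # Only treat "name: text" as chat when the name connected earlier,
        # so banner lines such as "Map: q2dm1 ..." are not mistaken for chat.
        m = CHAT.match(line)
        if m and m.group("name") in current["clients"]:
            current["last_speaker"] = m.group("name")
            if len(m.group("text")) > max_len:
                current["oversized"].append((m.group("name"), len(m.group("text"))))
            continue
        m = CONNECT.match(line)
        if m:
            current["clients"].append(m.group("name"))
    return sessions

def suspects(sessions):
    """Clients whose oversized line was the last chat seen in a session."""
    found = []
    for s in sessions:
        for name, _length in s["oversized"]:
            if name == s["last_speaker"] and name not in found:
                found.append(name)
    return found

# Constructed sample log: two server starts, the first ending on a long chat line.
SAMPLE_LOG = (
    "------- Server Initialization -------\nMap: q2dm1 Clients: 0 Mode: DM\n"
    "[TIMESTAMP] Wed Jan 20 00:57:32 1999\nPlayerA connected\n"
    "PlayerA entered the game (clients = 1)\nPlayerB connected\n"
    "PlayerA: hello\nPlayerB entered the game (clients = 2)\n"
    "PlayerA: " + "7" * 600 + "\n"
    "------- Server Initialization -------\nPlayerB connected\nPlayerB: gg\n"
)

if __name__ == "__main__":
    print(suspects(triage(SAMPLE_LOG.splitlines())))
```

Run it over the real log with `triage(open(path, errors="replace"))`; a name that shows up in `suspects()` across several restarts is the one to correlate with the Dr. Watson dump times.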