CVE-2002-0770
CVSS 5.0
Published: 2002-08-12 00:00:00
Revised: 2008-09-05 16:28:54

[Original] Quake 2 (Q2) server 3.20 and 3.21 allows remote attackers to obtain sensitive server cvar variables, obtain directory listings, and execute Q2 server admin commands via a client that does not expand "$" macros, which causes the server to expand the macros and leak the information, as demonstrated using "say $rcon_password."


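[CNNVD] id Software Quake II Server Remote Information Disclosure Vulnerability (CNNVD-200208-242)

        
        Quake II is a multi-user game server program released by id Software. It runs on Linux and Unix operating systems as well as on Microsoft Windows.
        Quake II has a flaw in its variable handling that allows a remote attacker to obtain sensitive server information.
        Using a client in which local expansion of "$" macros has been modified, an attacker can send a command such as 'say $rcon_password' to the server, causing the Quake II server to disclose the rcon password to the attacker. The attacker can use this information for further attacks on the system, such as viewing the system directory structure via 'rcon dir' and running arbitrary Q2 server commands.
        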

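- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions for exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]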

- CPE (affected platforms and products)

cpe:/a:id_software:quake_2i_server:3.21
cpe:/a:id_software:quake_2i_server:3.20

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0770
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0770
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200208-242
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/970915
(UNKNOWN)  CERT-VN  VU#970915
http://www.securityfocus.com/bid/4744
(VENDOR_ADVISORY)  BID  4744
http://www.quakesrc.org/forum/topicDisplay.php?topicID=160
(VENDOR_ADVISORY)  MISC  http://www.quakesrc.org/forum/topicDisplay.php?topicID=160
http://www.iss.net/security_center/static/9095.php
(VENDOR_ADVISORY)  XF  quake2-unexpanded-var-disclosure(9095)
http://online.securityfocus.com/archive/1/272548
(UNKNOWN)  BUGTRAQ  20020514 Remote quake 2 3.2x server cvar leak
http://www.osvdb.org/11187
(UNKNOWN)  OSVDB  11187

- Vulnerability information

id Software Quake II Server Remote Information Disclosure Vulnerability
Medium severity  Design error
2002-08-12 00:00:00 2005-10-20 00:00:00
Remote
        
        

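- Advisories and patches

        Workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measure to reduce the threat:
        * Change line 481 in sv_user.c to:
        Cmd_TokenizeString (s, false);
        Vendor patch:
        id Software
        -----------
        The vendor has released an upgrade patch to fix this security issue; download it from the vendor's home page:
        Unofficial upgrade downloads: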
        id Software Quake II Server 3.20:
        BarrysWorld Upgrade quake2-3.21-unofficial_server-linux.tar.gz
        ftp://ftp.barrysworld.com/pub/games/quake2/unofficial_patches/linux/quake2-3.21-unofficial_server-linux.tar.gz
        BarrysWorld Upgrade quake2-3.21-unofficial_server-win32.zip
        ftp://ftp.barrysworld.com/pub/games/quake2/unofficial_patches/win32/quake2-3.21-unofficial_server-win32.zip
        BarrysWorld Upgrade quake2-3.21-unofficial_server-source.zip
        ftp://ftp.barrysworld.com/pub/games/quake2/unofficial_patches/quake2-3.21-unofficial_server-source.zip
        id Software Quake II Server 3.21:
        BarrysWorld Upgrade quake2-3.21-unofficial_server-linux.tar.gz
        ftp://ftp.barrysworld.com/pub/games/quake2/unofficial_patches/linux/quake2-3.21-unofficial_server-linux.tar.gz
        BarrysWorld Upgrade quake2-3.21-unofficial_server-win32.zip
        ftp://ftp.barrysworld.com/pub/games/quake2/unofficial_patches/win32/quake2-3.21-unofficial_server-win32.zip
        BarrysWorld Upgrade quake2-3.21-unofficial_server-source.zip
        ftp://ftp.barrysworld.com/pub/games/quake2/unofficial_patches/quake2-3.21-unofficial_server-source.zip

- Vulnerability information (21450)

id Software Quake II Server 3.20/3.21 Remote Information Disclosure Vulnerability (EDBID:21450)
multiple remote
2002-05-15 Verified
0 Redix
source: http://www.securityfocus.com/bid/4744/info

Quake II is a multiplayer game released by id Software. The source code has been made publicly available, and versions are available for Windows and Linux. A vulnerability has been reported in some versions of the Quake II server.

While variable expansion is normally performed on the client side, a modified client may pass unexpanded variables such as $rcon_password to the server. The server will expand these variables within its local context, potentially leaking sensitive information to the remote attacker.

You must modify your Q2 client so that the client will not replace the $... variables in says.
quick hack:
in qcommon/cmd.c
change the line
Cmd_TokenizeString (text, true);
to
Cmd_TokenizeString( text, false); 		

- Vulnerability information

9850
Quake 2 Server $ Macro Expansion Remote Command Execution
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

- Timeline

2002-05-14 Unknown
2002-05-14 Unknown

- Solution

Products

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

id Software Quake II Server Remote Information Disclosure Vulnerability
Design Error 4744
Yes No
2002-05-15 12:00:00 2009-07-11 12:46:00
Published by Redix.

- Affected software versions

id Software Quake II Server 3.21
id Software Quake II Server 3.20

- Vulnerability discussion

Quake II is a multiplayer game released by id Software. The source code has been made publicly available, and versions are available for Windows and Linux. A vulnerability has been reported in some versions of the Quake II server.

While variable expansion is normally performed on the client side, a modified client may pass unexpanded variables such as $rcon_password to the server. The server will expand these variables within its local context, potentially leaking sensitive information to the remote attacker.

- Exploit

Redix has contributed exploit details:

You must modify your Q2 client so that the client will not replace the $... variables in says.
quick hack:
in qcommon/cmd.c
change the line
Cmd_TokenizeString (text, true);
to
Cmd_TokenizeString( text, false);

- Solution

An unofficial patch has been contributed by Redix:

change line 481 in sv_user.c to
Cmd_TokenizeString (s, false);

Unofficial updates are also available.
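
A simplified C model of the flaw and of the `sv_user.c` change, added here as an illustration (it is not id Software's or Redix's code). The function `tokenize_client_string`, the cvar table and the placeholder password are assumptions; the flag plays the role of the second argument to `Cmd_TokenizeString`.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed server cvar table; the password is a placeholder value. */
struct cvar { const char *name, *value; };
static const struct cvar server_cvars[] = { { "rcon_password", "EXAMPLE-SECRET" } };

static const char *cvar_lookup(const char *name, size_t len) {
    for (size_t i = 0; i < sizeof server_cvars / sizeof server_cvars[0]; i++)
        if (strlen(server_cvars[i].name) == len &&
            strncmp(server_cvars[i].name, name, len) == 0)
            return server_cvars[i].value;
    return "";  /* unknown names expand to an empty string in this model */
}

/* Hypothetical stand-in for the server tokenizing a client's command text.
 * macro_expand != 0: "$name" becomes the server's cvar value (the flaw).
 * macro_expand == 0: "$name" stays literal (the fix). Returns 0, or -1 if out is too small. */
int tokenize_client_string(const char *in, int macro_expand, char *out, size_t outlen) {
    size_t o = 0;
    if (outlen == 0) return -1;
    while (*in) {
        if (macro_expand && *in == '$') {
            const char *start = ++in;
            while (isalnum((unsigned char)*in) || *in == '_') in++;
            const char *val = cvar_lookup(start, (size_t)(in - start));
            size_t vlen = strlen(val);
            if (o + vlen >= outlen) return -1;
            memcpy(out + o, val, vlen);
            o += vlen;
        } else {
            if (o + 1 >= outlen) return -1;
            out[o++] = *in++;
        }
    }
    out[o] = '\0';
    return 0;
}

int main(void) {
    char buf[64];
    for (int expand = 1; expand >= 0; expand--) {  /* 1 = vulnerable, 0 = fixed */
        tokenize_client_string("say $rcon_password", expand, buf, sizeof buf);
        printf("macro_expand=%d -> \"%s\"\n", expand, buf);
    }
    return 0;
}
```

The point of the fix is that text arriving from a client is untrusted input and must never be evaluated against the server's own variable namespace.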

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.


id Software Quake II Server 3.20

id Software Quake II Server 3.21

- Related references

 

 
