while we are on the subject of quake bugs, q1 has a nice one
where you send a "reliable" packet on an already connected
client socket with a bogus length (anything larger than 8k
will likely do it) and the server dies with a random error.
it is a buffer overflow, but i dont think its exploitable
without a great deal of work; that buffer is not on the stack.
at least to trigger that bug you either have to basically flood
the target with a forged packet for each possible client
connection port, or reveal your true source address; the q2 bug
is only one packet, and can be sent with any sort of bogus
source address. i *hope* these newest bugs were just not
cleaned up because of a rushed release (have to catch those
solstice shoppers), considering that the lead programmer for
q2 calls himself a "network programmer".
exploit code available on request. (yawn, people will make me
clean up my fugly source...)