QuakeI server serious hole (yawn)

Chris Evans (chris@FERRET.LMH.OX.AC.UK)
Mon, 06 Apr 1998 23:38:42 +0100

Hi,

Latest in the series of "Quake security holes". I hope this is (publicly)
new info at least.

First let me note ID appear to be aware of the hole, as it appears to be
fixed in server 1.07+. 1.06 appears vulnerable.

You can do better than DoS with this one; you can compromise the account
the server is running under. In the case of NT servers, this probably
means complete compromise.

Basically, it appears that the message string given in a "tell" command is
stuffed into a buffer on the stack with no bounds checking. Tests seem to
show this buffer at 64 bytes (to the nearest power of two).

i.e., log onto your favourite quake server, at the console type

tell noone sdfhkajsdhfkjasdhfkjsahdfkjfkjasdhf <- fill up the line with
some crap

*CRASH*. Better upgrade... if I'm bored one day I'll write an exploit.
NOTE. The average NT server appears to be running vulnerable versions. On
Linux v1.07 is _much_ more common.

I've got some more quakeI holes coming up soon...

Chris
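The defect described in the post, as an added illustration that is not Chris Evans' code or id Software's: a hypothetical reconstruction of a "tell" handler that copies the message onto a fixed stack buffer with no length check, next to a bounded version that rejects oversized messages, plus a log-side check that flags console lines whose tell message would not have fit. The 64-byte buffer size is taken from the post's estimate; the "tell <target> <message>" line layout, the filler messages and every function name here are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed stack buffer size for the tell message, taken from the post's
 * estimate of 64 bytes. Hypothetical reconstruction, not id Software's code. */
#define TELL_BUF 64

/* The vulnerable pattern the post describes: the message is copied onto a
 * fixed-size stack buffer with no bounds check. A message of TELL_BUF bytes
 * or more overruns buf and corrupts the saved frame. Shown only for
 * contrast with the checked version; never pass untrusted input to it. */
int tell_unchecked(const char *target, const char *msg)
{
    char buf[TELL_BUF];
    strcpy(buf, msg);                      /* no length check at all */
    return printf("tell %s: %s\n", target, buf) > 0;
}

/* Hardened handler: refuse anything that does not fit in the caller's
 * buffer together with the terminating NUL, then copy with an explicit
 * length. Returns 0 on success, -1 if the message was rejected. */
int tell_checked(const char *msg, char *out, size_t out_len)
{
    size_t n = strlen(msg);
    if (out_len == 0 || n >= out_len)
        return -1;
    memcpy(out, msg, n + 1);
    return 0;
}

/* Parse a raw console line and report whether its tell message would have
 * overrun a TELL_BUF-byte buffer. Usable as a server-side log check.
 * Returns 1 for an over-long tell, 0 otherwise (including non-tell lines). */
int tell_line_too_long(const char *line)
{
    if (strncmp(line, "tell ", 5) != 0)
        return 0;                          /* not a tell command */
    const char *msg = strchr(line + 5, ' ');
    if (msg == NULL)
        return 0;                          /* no message part present */
    return strlen(msg + 1) >= TELL_BUF;
}

/* Helper for stand-alone runs: construct a tell line whose message is
 * msg_len filler bytes ('A'), run it through the log check and the hardened
 * handler, and return tell_checked's result for that message. */
int try_tell_of_length(size_t msg_len)
{
    char line[512];
    char out[TELL_BUF];
    size_t prefix = strlen("tell noone ");
    if (msg_len + prefix >= sizeof line)
        return -1;
    memcpy(line, "tell noone ", prefix);
    memset(line + prefix, 'A', msg_len);   /* constructed filler message */
    line[prefix + msg_len] = '\0';
    printf("%zu-byte message: too_long=%d ", msg_len, tell_line_too_long(line));
    int rc = tell_checked(line + prefix, out, sizeof out);
    printf("checked=%d\n", rc);
    return rc;
}

int main(void)
{
    try_tell_of_length(10);    /* fits: accepted */
    try_tell_of_length(63);    /* exactly fits with the NUL: accepted */
    try_tell_of_length(64);    /* would overrun a 64-byte buffer: rejected */
    try_tell_of_length(200);   /* the post's "fill up the line" case: rejected */
    return 0;
}
```

The boundary worth noticing is 63 versus 64 bytes: a 64-byte buffer holds at most 63 message bytes plus the NUL, so the check is `n >= out_len`, not `n > out_len`; an off-by-one there is the same bug with a one-byte overrun.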