Re: Quake 2 Linux 3.13 (and lower) allow users to read arbitrary files

William T Wilson (fluffy@DUNADAN.COM)
Wed, 25 Feb 1998 14:52:15 -0500

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Dave: "Q2-wrapper make Quake2 behave"
Previous message: Steven Goldberg - SE - Seattle WA: "Re: /usr/dt/bin/dtappgather exploit"
Maybe in reply to: kevingeo@CRUZIO.COM: "Quake 2 Linux 3.13 (and lower) allow users to read arbitrary files"

On Wed, 25 Feb 1998 kevingeo@CRUZIO.COM wrote:

> Vulnerable:
> Everyone who followed the installation instructions and made Quake2 setuid
> root.

To the best of my knowledge, Quake2 suffers from the same bug that squake
suffers from. You can use the -gamedir option (or its quake 2 equivalent)
to make squake cough up a root shell using a standard buffer overflow
exploit. I don't believe Zoid altered this for quake 2. I don't think he
cares about security at all.

I wouldn't install anything of Zoid's setuid root without making it
group-owned by a trusted group and mode 4750.

This new exploit of yours even allows you to do evil things with Zoidware
even if it is installed with a wrapper. :\ (Unless you want to make your
wrapper check all the file permissions too)

Next message: Dave: "Q2-wrapper make Quake2 behave"
Previous message: Steven Goldberg - SE - Seattle WA: "Re: /usr/dt/bin/dtappgather exploit"
Maybe in reply to: kevingeo@CRUZIO.COM: "Quake 2 Linux 3.13 (and lower) allow users to read arbitrary files"