Bugtraq mailing list archives
Re: QW server hole
From: chris () FERRET LMH OX AC UK (Chris Evans)
Date: Wed, 8 Apr 1998 06:30:26 +0100
Hi,

I've looked into the recently reported QuakeWorld server hole for "exploitability" other than DoS. It seems the smashed buffer is a static one rather than one on the stack; when we use a very large string full of 'A' to fill the buffer with, we don't get a crash due to execution at address 0x41414141. Indeed instead we find we have trashed some structures with pointers in. The eventual crash is due to a dereference of 0x10+(0x41414141), in the function "Z_CheckHeap()". The actual structure corrupted is called "mainzone", and the actual buffer smashed is called "com_token" and appears to be exactly 1024 bytes long.

If, as you say, an ID Software employee has ignored your reports of this bug, then that is _very_ poor.

Cheers
Chris
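The failure mode described in the post (a fixed 1024-byte static buffer whose overrun lands in an adjacent structure full of pointers, later tripped by a consistency check) can be shown with a small C program. This is an added illustration, not code from the post or from the QuakeWorld source: the tokenizer, the `zone_t` layout and the pointer values are assumptions chosen to mimic the described layout, and only the bounded variant is ever executed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (not the real QuakeWorld source): a 1024-byte static token
 * buffer followed in the data segment by a structure holding pointers, in the
 * spirit of the "mainzone" structure the post describes. Static storage has
 * no return address to overwrite, but an overrun still clobbers whatever the
 * linker placed next, here the pointer fields. */
#define MAX_TOKEN 1024

typedef struct {
    void *rover;      /* stand-in pointer field, constructed value */
    void *blocklist;  /* stand-in pointer field, constructed value */
} zone_t;

static char com_token[MAX_TOKEN];
static zone_t mainzone = { (void *)0x1, (void *)0x2 };

/* The defect pattern: copy until whitespace with no length check. Kept only
 * to contrast with the bounded version below; nothing in this file calls it. */
size_t parse_token_unbounded(const char *data)
{
    size_t len = 0;
    while (*data && *data != ' ')
        com_token[len++] = *data++;   /* writes past com_token on long input */
    com_token[len] = '\0';
    return len;
}

/* Bounded tokenizer: never writes more than MAX_TOKEN-1 bytes plus the NUL.
 * Returns the token length, or -1 if the input exceeded the limit so the
 * caller can reject the message rather than silently use a clipped token. */
long parse_token_bounded(const char *data)
{
    size_t len = 0;
    long status = 0;
    while (*data && *data != ' ') {
        if (len >= MAX_TOKEN - 1) {
            status = -1;   /* too long: stop, report, keep the prefix */
            break;
        }
        com_token[len++] = *data++;
    }
    com_token[len] = '\0';
    return status == 0 ? (long)len : -1;
}

/* Integrity check over the pointer fields, in the spirit of the Z_CheckHeap()
 * consistency check mentioned in the post: 1 if the constructed values are
 * untouched, 0 if something has overwritten them. */
int zone_pointers_intact(void)
{
    return mainzone.rover == (void *)0x1 && mainzone.blocklist == (void *)0x2;
}

/* Constructed input: a run of n 'A' bytes with no whitespace, mirroring the
 * oversized string in the report, fed to the bounded parser. */
long demo_bounded(size_t n)
{
    static char input[4096];
    if (n >= sizeof input)
        n = sizeof input - 1;
    memset(input, 'A', n);
    input[n] = '\0';
    return parse_token_bounded(input);
}

int main(void)
{
    long r = demo_bounded(2000);
    printf("bounded parse of 2000 bytes: status %ld, token length %zu, "
           "pointers intact: %d\n", r, strlen(com_token), zone_pointers_intact());
    return 0;
}
```

Because `mainzone` is initialised with known values, `zone_pointers_intact()` plays the role of the heap consistency check: with the bounded parser it stays true for any input length, which is the property a fix for the reported overrun needs to guarantee.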
Current thread:
- Re: QW server hole Chris Evans (Apr 07)
- smtp overflows Jon Beaton (Apr 08)
- Re: QW server hole Mike Hardy (Apr 08)
- Official SummerCon Announcement X (Apr 08)
- Sun Security Bulletin #00167 Aleph One (Apr 08)
- CA-98.05 Multiple Vulnerabilities in BIND Aleph One (Apr 08)
- BIND 4.9.7 named follows symlinks, clobbers anything. Joe (Apr 10)
- Re: BIND 4.9.7 named follows symlinks, clobbers anything. Mark.Andrews () CMIS CSIRO AU (Apr 11)
- Re: BIND 4.9.7 named follows symlinks, clobbers anything. Paul A Vixie (Apr 11)
- BIND 4.9.7 named follows symlinks, clobbers anything. Joe (Apr 10)
- BIND 8.1.2-T3B and BIND 4.9.7-T1B (fwd) Jared Mauch (Apr 08)
- Temporary fix for remote exploit in qwsv kevingeo () CRUZIO COM (Apr 09)