Your, uh, q3dirtrav (adv) thingy link thing... links here:
http://www.securityfocus.com/archive/1/ ... 0/threaded (obviously...)
OK, so my question is: what is the bug at the top?
Quote:
========================================
Issue #1:
Remotely exploitable COM_StripExtension buffer overflow in client allows
execution of arbitrary code.
========================================
This bug is also known as the "remapShader" bug discovered by landser, who
recently published a PoC opening a remote shell on vulnerable Linux clients at
milw0rm.com [2].
* details
The COM_StripExtension routine copies a given filename, chopping off the suffix,
into another given buffer without checking the length of that buffer.
R_FindShaderByName(), called by R_RemapShader(), uses a static buffer of 64
bytes' length for the copy.
Servers can make the client execute R_RemapShader() by sending a "remapShader"
command with too long arguments that will result in an overflowed buffer.
* affected OS
All operating systems suffer from the bug.
* affected games
Games using the quake3 engine that accept the remapShader command in the cgame
code and use an otherwise unmodified COM_StripExtension().
Vulnerable are:
- Quake3 Arena / Team Arena point release 1.32b
- Return to Castle Wolfenstein 1.41
- Wolfenstein: Enemy Territory 2.60
With a high probability vulnerable:
- Star Wars: Jedi Knight 2 / 3
Not vulnerable:
- Star Trek Voyager: Elite Force
This list can *not* be considered complete. These are the only games where I
have done some checking or where I know they have this bug.
Probably not vulnerable are games that are based on an older version of the
Quake3 engine where the remapShader command didn't exist in the original
cgame code (like EliteForce).
* workaround *
There is no known workaround except playing on trusted servers.
* patches *
ID has released fixed binaries, but more on that later.
What bug is that one?
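To make the quoted advisory concrete, here is an added example (not the engine's source and not part of the original post) that reconstructs the pattern it describes: an extension-stripping copy that knows nothing about the size of its destination, beside a bounded variant that takes the destination capacity and reports whether the name fit. The function names, the `SHADER_NAME_SIZE` constant and the sample inputs are assumptions chosen to mirror the 64-byte static buffer the advisory mentions.

```c
#include <stdio.h>
#include <string.h>

/* Models the 64-byte static buffer the advisory mentions (assumed size). */
#define SHADER_NAME_SIZE 64

/* Illustrative reconstruction of the unsafe pattern: copy `in` into `out`
 * up to the first '.', with no idea how large `out` is.  A name longer than
 * the destination writes past its end.  Kept here only for contrast; it is
 * never called. */
void strip_extension_unbounded(const char *in, char *out)
{
    while (*in && *in != '.')
        *out++ = *in++;
    *out = '\0';
}

/* Bounded variant: the caller passes the destination capacity, the copy
 * writes at most destsize-1 characters plus the terminator, and the return
 * value tells the caller whether the stripped name fit (1) or had to be
 * cut short (0), so an over-long name can be rejected instead of silently
 * corrupting memory. */
int strip_extension_bounded(const char *in, char *out, size_t destsize)
{
    size_t n = 0;
    if (destsize == 0)
        return 0;
    while (*in && *in != '.' && n < destsize - 1)
        out[n++] = *in++;
    out[n] = '\0';
    /* We stopped because the input ended or hit the extension, not because
     * the buffer ran out. */
    return (*in == '\0' || *in == '.');
}

/* Checks a server-supplied shader name against the 64-byte buffer without
 * exposing the buffer itself. */
int stripped_name_fits(const char *name)
{
    char buf[SHADER_NAME_SIZE];
    return strip_extension_bounded(name, buf, sizeof buf);
}

/* Strips `in` into a 64-byte buffer and compares with `expected`. */
int strips_to(const char *in, const char *expected)
{
    char buf[SHADER_NAME_SIZE];
    if (!strip_extension_bounded(in, buf, sizeof buf))
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* constructed inputs: one ordinary shader path, one 200-byte name */
    const char *ok = "textures/base/wall.tga";
    char longname[200];
    char out[SHADER_NAME_SIZE];

    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';

    strip_extension_bounded(ok, out, sizeof out);
    printf("%s -> %s (fits=%d)\n", ok, out, stripped_name_fits(ok));
    printf("200 x 'A' -> fits=%d (rejected)\n", stripped_name_fits(longname));
    return 0;
}
```

The defensive point is the extra `destsize` parameter plus the return value: a bounded copy that merely truncates still hides the fact that a peer sent an over-long name, whereas returning 0 lets the command handler drop the command and log it.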