From bugzilla-daemon at icculus.org Tue Sep 30 15:40:53 2014
From: bugzilla-daemon at icculus.org (bugzilla-daemon at icculus.org)
Date: Tue, 30 Sep 2014 19:40:53 +0000
Subject: [quake3-bugzilla] [Bug 6324] New: A specially crafted client can change/send sv_serverid back to the server causing a new gamestate.
Message-ID:

https://bugzilla.icculus.org/show_bug.cgi?id=6324

            Bug ID: 6324
           Summary: A specially crafted client can change/send sv_serverid back to the server causing a new gamestate.
           Product: ioquake3
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: major
          Priority: P3
         Component: Misc
          Assignee: zachary at ioquake.org
          Reporter: ensiform at gmail.com
        QA Contact: quake3-bugzilla at icculus.org

If a malicious client changes the value of the received sv_serverid to be sent back during CL_WritePacket->SV_UserMove, they will be sent a new gamestate and reload the map without dying or causing clientdisconnect/begin. No flags dropped etc. either. This is similar to the behavior of the `donedl` exploit.

I have no idea how to actually prevent spoofed values (when received back on the server) while retaining the ability to allow the different serverid support for download code and map_restart.

-- 
You are receiving this mail because:
You are the QA Contact for the bug.

From bugzilla-daemon at icculus.org Tue Sep 30 15:53:34 2014
From: bugzilla-daemon at icculus.org (bugzilla-daemon at icculus.org)
Date: Tue, 30 Sep 2014 19:53:34 +0000
Subject: [quake3-bugzilla] [Bug 6324] A specially crafted client can change/send sv_serverid back to the server causing a new gamestate.
In-Reply-To:
References:
Message-ID:

https://bugzilla.icculus.org/show_bug.cgi?id=6324

--- Comment #1 from ensiform at gmail.com ---

Correction, it looks like the server receives the changed value back in SV_ExecuteClientMessage not SV_UserMove.
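The report above turns on one design question: the server decides whether to resend a gamestate based on a value the client echoes back (the serverid), so a client can steer that decision. The following C model is an added example written for this archive page; it is not ioquake3's code and not the project's fix for this bug. The struct and function names (ModelServer, ModelClient, weak_check, hardened_check, model_change_map, model_map_restart) are the model's own, and the model assumes the server demotes a client from "active" whenever it issues a new map's serverid, so that a later resend can be recognised as legitimate. The point it demonstrates: the server's own record of the client (did this client already reach the current gamestate?) should gate the resend, while the echoed id is only used to recognise the map_restart and download lag cases the reporter wants to keep working.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the server-side serverid check (not ioquake3's code).
 * All names are assumptions chosen to mirror the concepts in the bug report. */

typedef enum { CS_CONNECTED, CS_PRIMED, CS_ACTIVE } ClientState;

typedef struct {
    int32_t serverId;            /* id of the gamestate currently in force */
    int32_t restartedServerId;   /* id in force before the last map_restart */
} ModelServer;

typedef struct {
    ClientState state;           /* tracked by the server, never supplied by the client */
    bool downloading;            /* mid-download clients may legitimately lag behind */
    int32_t gamestateMessageNum; /* message number in which the last gamestate was sent */
    int32_t suspectMessages;     /* detection counter used by the hardened variant */
} ModelClient;

typedef enum { VERDICT_ACCEPT, VERDICT_DROP, VERDICT_RESEND_GAMESTATE } Verdict;

/* New map: a fresh id is issued and (model assumption) connected clients are
 * demoted, so a later gamestate resend to them is a legitimate recovery. */
void model_change_map(ModelServer *sv, ModelClient *cl, int32_t newServerId)
{
    sv->serverId = newServerId;
    sv->restartedServerId = newServerId;
    cl->state = CS_CONNECTED;
}

/* map_restart: the old id stays known so lagging clients are tolerated,
 * and clients keep their state because no gamestate is resent for a restart. */
void model_map_restart(ModelServer *sv, ModelClient *cl, int32_t newServerId)
{
    (void)cl;
    sv->restartedServerId = sv->serverId;
    sv->serverId = newServerId;
}

/* Weak variant: the echoed id alone steers the decision. A client that is
 * already active can echo a bogus id with a high ack and receive a fresh
 * gamestate, which is the behaviour the bug report describes. */
Verdict weak_check(const ModelServer *sv, ModelClient *cl,
                   int32_t echoedServerId, int32_t messageAck)
{
    if (echoedServerId == sv->serverId)
        return VERDICT_ACCEPT;
    if (cl->downloading)
        return VERDICT_DROP;              /* will catch up after the download */
    if (echoedServerId >= sv->restartedServerId && echoedServerId < sv->serverId)
        return VERDICT_DROP;              /* has not seen the map_restart yet */
    if (messageAck > cl->gamestateMessageNum) {
        cl->state = CS_PRIMED;            /* gamestate goes out again, client reloads */
        return VERDICT_RESEND_GAMESTATE;
    }
    return VERDICT_DROP;
}

/* Hardened variant: the server's own record of the client gates the resend.
 * A resend only remedies a client that never reached the current gamestate;
 * an active client echoing a mismatched id is counted and dropped. */
Verdict hardened_check(const ModelServer *sv, ModelClient *cl,
                       int32_t echoedServerId, int32_t messageAck)
{
    if (echoedServerId == sv->serverId)
        return VERDICT_ACCEPT;
    if (cl->downloading)
        return VERDICT_DROP;
    if (echoedServerId >= sv->restartedServerId && echoedServerId < sv->serverId)
        return VERDICT_DROP;
    if (cl->state == CS_ACTIVE) {
        cl->suspectMessages++;            /* already on this gamestate: not packet loss */
        return VERDICT_DROP;
    }
    if (messageAck > cl->gamestateMessageNum) {
        cl->state = CS_PRIMED;
        return VERDICT_RESEND_GAMESTATE;
    }
    return VERDICT_DROP;
}

int main(void)
{
    ModelServer sv = { 100, 100 };
    ModelClient a = { CS_ACTIVE, false, 5, 0 };
    ModelClient b = { CS_ACTIVE, false, 5, 0 };
    /* Constructed input: an active client echoes an id the server never issued. */
    printf("weak:     %d (2 = resend)\n", weak_check(&sv, &a, 999, 10));
    printf("hardened: %d (1 = drop), suspect=%d\n",
           hardened_check(&sv, &b, 999, 10), b.suspectMessages);
    return 0;
}
```

In the hardened variant the per-client suspectMessages counter is what an operator would log or alert on; repeated mismatches from an active client are not something a well-behaved client produces.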