overwriting the cvars of a server??!

malo · **Joined:** 09 Oct 2007 17:49 **Posts:** 19

In fact, I don't understand the bug B which is described here...

http://aluigi.altervista.org/adv/q3cfilevar-adv.txt

For that, I need to change this c-files, but i couldn't find them... wether in the *.pk3s of quake3 or in the ones of Jedi Academy... so I thougt they're in the .dlls but anyway I'm not sure about that... I heard about programs called disassembler but they didn't helped me too...

So, could you tell me which programs you used to change this files, and where you find that files, too? I just need a better description for using that bug... would be kind of you.

plz help x)

malo

aluigi · **Posted:** 09 Oct 2007 19:11

The two bugs described in that advisory are client side, which means that a server (attacker) can overwrites the cvars and the files of the clients (victims).
The proof-of-concept showed there must be applied to the game source code (not the sdk) so only Quake 3 can actually tested with that specific PoC because it's open source.

malo · **Joined:** 09 Oct 2007 17:49 **Posts:** 19

omg.

now i understand u.u

thx for your fast reply

Luigi Auriemma

overwriting the cvars of a server??!