COMMAND

    Quake I server

SYSTEMS AFFECTED

    Systems running Quake server

PROBLEM

    Chris Evans found the following.  You can do better than DoS with
    this one; you can compromise the account the server is running
    under.  In the case of NT servers, this probably means complete
    compromise.

    Basically, it appears that the message string given in a "tell"
    command is stuffed into a buffer on the stack with no bounds
    checking.  Tests seem to show this buffer at 64 bytes (to the
    nearest power of two), i.e., log onto your favourite Quake server
    and at the console type:

        tell noone sdfhkajsdhfkjasdhfkjsahdfkjfkjasdhf <- fill up the line with some crap

    *CRASH*.  Better upgrade...  NOTE: The average NT server appears to
    be running vulnerable versions.  On Linux v1.07 is _much_ more
    common.
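
    The bounds check that is missing in the pattern described above,
    as an added example (not code from the Quake server or from the
    original report).  handle_tell and TELL_MSG_MAX are hypothetical
    names, and the 64-byte size is the advisory's estimate.

```c
#include <stdio.h>
#include <string.h>

#define TELL_MSG_MAX 64   /* buffer size the advisory's tests suggest */

/* The pattern the advisory describes, for contrast (not compiled):
 *     char text[TELL_MSG_MAX];
 *     strcpy(text, message);     no length check, long input overruns
 *                                the stack buffer                      */

/* Hypothetical hardened handler for a console line "tell <target> <message>".
 * Copies the message into out (capacity outsz) only if it fits.
 * Returns the message length, or -1 if the line is malformed or too long. */
int handle_tell(const char *line, char *out, size_t outsz)
{
    const char *p, *msg;
    size_t len;

    if (line == NULL || out == NULL || outsz == 0)
        return -1;
    out[0] = '\0';                         /* never leave stale data behind */
    if (strncmp(line, "tell ", 5) != 0)
        return -1;
    p = line + 5 + strspn(line + 5, " ");  /* start of target name */
    msg = strchr(p, ' ');                  /* end of target name */
    if (msg == NULL)
        return -1;                         /* no message given */
    msg += strspn(msg, " ");               /* start of message text */
    len = strlen(msg);
    if (len == 0 || len >= outsz)
        return -1;                         /* reject instead of overflowing */
    memcpy(out, msg, len + 1);             /* len + 1 <= outsz, NUL included */
    return (int)len;
}

int main(void)
{
    char text[TELL_MSG_MAX];
    char longline[256] = "tell noone ";    /* constructed sample input */

    memset(longline + strlen(longline), 'A', 200);   /* 200-byte message */
    printf("short: %d\n", handle_tell("tell noone hello", text, sizeof text));
    printf("long:  %d\n", handle_tell(longline, text, sizeof text));
    return 0;
}
```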

SOLUTION

    ID appear to be aware of the hole, as it appears to be fixed in
    server 1.07+.  1.06 appears vulnerable.