Quake 2 unexpanded variable information disclosure

quake2-unexpanded-var-disclosure (9095) The risk level is classified as LowLow Risk


iid Software's Quake could reveal sensitive information. A malicious Quake client could send unexpanded variables to the server, which would be expanded in the local context, potentially revealing sensitive information to the attacker.


Obtain Information


Refer to the BugTraq Mailing List posting dated May 14 2002 2:48AM for information on obtaining unofficial patches. See References.


  • BugTraq Mailing List, Mon May 13 2002 - 21:48:05 CDT: Remote quake 2 3.2x server cvar leak.
  • BID-4744: id Software Quake II Server Remote Information Disclosure Vulnerability
  • CVE-2002-0770: Quake 2 (Q2) server 3.20 and 3.21 allows remote attackers to obtain sensitive server cvar variables, obtain directory listings, and execute Q2 server admin commands via a client that does not expand $ macros, which causes the server to expand the macros and leak the information, as demonstrated using say $rcon_password.
  • OSVDB ID: 11187: Quake 2 Server Remote Client State Modification
  • OSVDB ID: 9850: Quake 2 Server $ Macro Arbitrary Command Execution
  • US-CERT VU#970915: Quake II Server performs console variable expansion on client-supplied input values

Platforms Affected:

  • id Software Quake 2 Server 3.20
  • id Software Quake 2 Server 3.21


May 14, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this

Return to the main page