CVE-2006-3325

id3 Quake 3 Engine <1.32c - RCE

Title source: llm

Description

client/cl_parse.c in the id3 Quake 3 Engine 1.32c and the Icculus Quake 3 Engine (ioquake3) revision 810 and earlier allows remote malicious servers to overwrite arbitrary write-protected cvars on the client, such as cl_allowdownload for Automatic Downloading and fs_homepath for the quake3 path, via a string of cvar names and values sent from the server. NOTE: this can be combined with another vulnerability to overwrite arbitrary files.

Exploits (2)

exploitdb WORKING POC
cpp | dos | windows_x86
https://www.exploit-db.com/exploits/1977
exploitdb WORKING POC
cpp | dos | windows
https://www.exploit-db.com/exploits/1976

Scores

EPSS 0.0393
EPSS Percentile 88.3%

Details

Status published
Products (11)
id_software/quake_3_engine
id_software/quake_3_engine 1.32b
id_software/quake_3_engine 1.32c
id_software/quake_3_engine icculus_803
id_software/quake_3_engine icculus_804
id_software/quake_3_engine icculus_805
id_software/quake_3_engine icculus_806
id_software/quake_3_engine icculus_807
id_software/quake_3_engine icculus_808
id_software/quake_3_engine icculus_809
... and 1 more
Published Jun 30, 2006
Tracked Since Feb 18, 2026