CVE-2006-3325

id3 Quake 3 Engine 1.32c and Icculus Quake 3 Engine <= 810 - Arbitrary Cvar Overwrite via Server-Sent String

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2006-3325.

AI-analyzed exploit summary This is a functional exploit for a remote stack overflow in the Quake 3 Engine, targeting the CS_ITEMS vulnerability. It uses Microsoft Detours to hook the SV_SetConfigstring function and injects a crafted payload to overflow the buffer, leading to remote code execution.

Description

client/cl_parse.c in the id3 Quake 3 Engine 1.32c and the Icculus Quake 3 Engine (ioquake3) revision 810 and earlier allows remote malicious servers to overwrite arbitrary write-protected cvars variables on the client, such as cl_allowdownload for Automatic Downloading and fs_homepath for the quake3 path, via a string of cvar names and values sent from the server. NOTE: this can be combined with another vulnerability to overwrite arbitrary files.

Exploits (2)

exploitdb WORKING POC
cppdoswindows_x86
https://www.exploit-db.com/exploits/1977

This is a functional exploit for a remote stack overflow in the Quake 3 Engine, targeting the CS_ITEMS vulnerability. It uses Microsoft Detours to hook the SV_SetConfigstring function and injects a crafted payload to overflow the buffer, leading to remote code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Quake 3 Arena 1.32b, 1.32c
No auth needed
Prerequisites: Microsoft Detours library · Injection into the server executable · Target running vulnerable Quake 3 Arena version
devstral-2 · analyzed Feb 19, 2026 Full analysis →
exploitdb WORKING POC
cppdoswindows
https://www.exploit-db.com/exploits/1976

This is a functional exploit for a remote stack overflow in the Quake 3 Engine's CG_ServerCommand function, targeting Soldier of Fortune II (SOF2) 1.03. It uses DLL injection and Microsoft Detours to hook the SV_SendServerCommand function, triggering a buffer overflow with a crafted payload.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Soldier of Fortune II (SOF2) 1.03
No auth needed
Prerequisites: Microsoft Detours library · DLL injection capability · Target running SOF2 1.03
devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (10)

Core 10
Core References
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/18685
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/27486
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/26889
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/438660/100/0/threaded
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/438515/100/0/threaded
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/20851
Third Party Advisory third-party-advisory x_refsource_sreason
http://securityreason.com/securityalert/1171
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/20401
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/2569

Scores

EPSS 0.0467
EPSS Percentile 90.6%

Details

Status published
Products (11)
id_software/quake_3_engine
id_software/quake_3_engine 1.32b
id_software/quake_3_engine 1.32c
id_software/quake_3_engine icculus_803
id_software/quake_3_engine icculus_804
id_software/quake_3_engine icculus_805
id_software/quake_3_engine icculus_806
id_software/quake_3_engine icculus_807
id_software/quake_3_engine icculus_808
id_software/quake_3_engine icculus_809
... and 1 more
Published Jun 30, 2006
Tracked Since Feb 18, 2026