CVE-2004-2598

Vulnerability

CVE-2004-2598 affects Quake II server versions before R1Q2. The bug resides in the server's client state data structure handling. When a remote attacker exits a session without sending a valid disconnect command and then reconnects, the server fails to notify any running mod of the changes in the client state. This can lead to inconsistencies in the mod's view of the client. The issue is present in the original Quake II server code as distributed by id Software (version 3.21) and is fixed in the R1Q2 enhanced server, which incorporates numerous security and stability patches [1]. The exact versions affected are all Quake II server binaries that do not include the R1Q2 patch; the R1Q2 server has been in production since mid-2002 [1].

Exploitation

To exploit this vulnerability, an attacker needs network access to the Quake II server. The attacker must first establish a valid client session (e.g., connect to the server and join a game). Then, instead of disconnecting cleanly (by sending a proper disconnect command), the attacker abruptly terminates the connection or leaves the session abnormally. After a brief period, the attacker reconnects to the same server. During this sequence, the server does not update the mod's internal client state structure properly, allowing the attacker to cause state corruption. No special authentication or elevated privileges are required beyond the ability to connect as a normal client [1].

Impact

Successful exploitation corrupts the server's client state data structure, which can lead to unpredictable behavior in the mod being used. The exact impact depends on the specific mod, but potential outcomes include denial of service (crashing the server or mod), manipulation of game mechanics, or other undefined behavior. The vulnerability does not directly provide code execution or privilege escalation, but it can disrupt server operation and affect all clients [1].

Mitigation

The vulnerability is fixed by upgrading to R1Q2 server version, which includes all publicly known security fixes for Quake II as of 2004 [1]. The R1Q2 dedicated server binary (dedicated.exe or r1q2ded) is highly recommended and has been stable since mid-2002 [1]. No workaround is available for servers that continue to use the original Quake II server code. The R1Q2 project is no longer actively maintained, but the fixed server remains available via archived downloads. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. If upgrading is not possible, server administrators should consider shutting down or restricting access to the Quake II server to mitigate risk.