CVE-1999-1229 in Quake 2 Server
Summary
by MITRE
Quake 2 server 3.13 on Linux does not properly check file permissions for the config.cfg configuration file, which allows local users to read arbitrary files via a symlink from config.cfg to the target file.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 04/17/2026
The vulnerability described in CVE-1999-1229 represents a critical security flaw in the Quake 2 server version 3.13 running on linux systems. This issue stems from inadequate file permission validation during the configuration file processing phase, creating a path traversal condition that can be exploited by local attackers. The vulnerability specifically targets the config.cfg file handling mechanism where the server fails to properly verify file permissions before accessing the configuration file, allowing malicious users to manipulate the system's file access behavior through symbolic link manipulation.
The technical exploitation of this vulnerability occurs through a carefully crafted symbolic link attack where an attacker creates a symbolic link named config.cfg that points to a sensitive target file such as /etc/shadow or other privileged configuration files. When the Quake 2 server process attempts to read the config.cfg file, it follows the symbolic link and inadvertently accesses the target file with the privileges of the server process. This flaw falls under the category of improper file permission checking and can be classified as CWE-276, which deals with incorrect permissions for critical resources. The vulnerability demonstrates a classic example of insecure file handling practices where the system assumes the configuration file will always be a legitimate file rather than a symbolic link that can redirect access to arbitrary locations.
The operational impact of this vulnerability extends beyond simple information disclosure, as it provides local attackers with the ability to access sensitive system files that may contain authentication credentials, system configuration data, or other confidential information. The attack vector is particularly concerning because it requires only local system access and can be executed without elevated privileges, making it a significant concern for multi-user systems where local users might have access to the game server installation directory. This vulnerability aligns with ATT&CK technique T1005 by enabling data collection through unauthorized file access, and T1078 by potentially allowing privilege escalation through access to sensitive system files.
Mitigation strategies for this vulnerability should focus on implementing proper file permission validation and symbolic link detection during configuration file processing. System administrators should ensure that the Quake 2 server runs with minimal required privileges and that the configuration directory is properly secured with appropriate file permissions. The most effective remediation involves modifying the server code to explicitly check for symbolic links and validate file permissions before processing configuration files, as well as implementing proper file access controls that prevent the server from following symbolic links to sensitive system locations. Additionally, regular security audits should be conducted to identify and address similar file handling vulnerabilities in other applications, particularly those that process user-supplied configuration files or operate with elevated privileges.