OpenArena Message Boards

OpenArena => General => Topic started by: Defender on January 18, 2009, 02:09:28 AM



Title: Watch out for hackers!
Post by: Defender on January 18, 2009, 02:09:28 AM
Hi,
there seems to be a severe bug in the ioquake3 voting system. This first happened in urbanterror: http://forums.urbanterror.net/index.php/topic,14034.0.html. Server admins are forced to turn off g_allowvote.
OpenArena may also be affected by this.

Greetings
Defender


Title: Re: Watch out for hackers!
Post by: yasha on January 18, 2009, 03:52:15 AM
It's not a bug, just that people can kick anybody if they want. I am an admin in urbanterror, and there I just use !veto to stop a vote I don't like. This won't work if there are more normal players than "hackers".


Title: Re: Watch out for hackers!
Post by: Udi on January 18, 2009, 03:59:40 AM
Quote
It's not a bug, just that people can kick anybody if they want.

Nope, according to Urban Terror forum:
Quote
Seems there is an exploit being used that gives an unknown individual ... access to your server where he or she can use your rcon commands.
So the hacker can use all kinds of rcon commands, not just kicking anybody.


Title: Re: Watch out for hackers!
Post by: PaniC on January 18, 2009, 05:32:33 AM
Quote
Hi,
there seems to be a severe bug in the ioquake3 voting system. This first happened in urbanterror: http://forums.urbanterror.net/index.php/topic,14034.0.html. Server admins are forced to turn off g_allowvote.
OpenArena may also be affected by this.

Greetings
Defender

Or just remove "kick" from g_voteNames "/map_restart/nextmap/map/g_gametype/kick/clientkick/"

Like: g_voteNames "/map_restart/nextmap/map/g_gametype/clientkick/"

:)


Title: Re: Watch out for hackers!
Post by: sago007 on January 18, 2009, 07:41:42 AM
It is all vote commands that are affected.

A workaround has just been committed to ioquake3's svn.


Title: Re: Watch out for hackers!
Post by: Defender on January 18, 2009, 07:42:26 AM
Quote
Or just remove "kick" from g_voteNames "/map_restart/nextmap/map/g_gametype/kick/clientkick/"

Like: g_voteNames "/map_restart/nextmap/map/g_gametype/clientkick/"

:)

I don't think you want the offender to use all the other rcon commands available. So, as suggested in the urbanterror forum, turn off g_allowvote.


Title: Re: Watch out for hackers!
Post by: vindimy on January 26, 2009, 03:51:10 PM
i have yet to see someone exploiting this bug in openarena. i mean, i haven't heard of any cases! has anyone else?


Title: Re: Watch out for hackers!
Post by: Neon_Knight on January 26, 2009, 04:00:21 PM
Don't worry for now, it's fixed and it'll be (I guess) in 0.8.2:

Beta 31 is up.
Changelog:
Quote
* Vote system now a lot more robust. Especially the kick functions are now more likely to kick the correct player
* Vote menu for calling votes - does not yet support Kick and Map functions.
* Clamp on cg_errorDecay as suggested by jessicaRA
* New ui_demo2.c by jessicaRA
* From ioquake3 svn-1492: fix overflow in CG_ParseTeamInfo
* From ioquake3 svn-1494: fix potential segfault (found by DerSaidin in xreal)
* From ioquake3 svn-1493: security fix: prevent command injection via callvote
* Mouse wheel works in mods menu


Title: Re: Watch out for hackers!
Post by: vindimy on January 26, 2009, 04:06:03 PM
that's my worry... until 0.8.2 is released, there's no way to prevent the hacking other than disabling the voting system... :/


Title: Re: Watch out for hackers!
Post by: sago007 on January 26, 2009, 04:32:22 PM
I don't think that Open Arena or ioquake3 has ever been vulnerable. It is just that the code tries to trick mod makers into making it insecure. The bug reported mentions that it requires.

ioquake released a security fix, partly in the game logic to make programming errors a lot less likely and an engine patch that prevented insecure mods from being exploited.
Has anyone tried calling a vote like:
callvote kick UnnamedPlayer\"\nrconPassword\ \"hello
?

The new binaries in the binary test thread protect insecure mods from being exploited (a necessary workaround even after the gamelogic has been fixed since closed source mods can never be updated) and they work on 0.8.1.
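
As an added illustration of the changelog entry "security fix: prevent command injection via callvote" and of the game-logic hardening described in the last post (this is not code from ioquake3, OpenArena or any poster): a C validator that a mod could run on a vote request before turning it into a console command. All function names are hypothetical, the allow-list is the g_voteNames value quoted in the thread, and the set of rejected characters is an assumption about what a Quake 3 style command buffer treats as a separator or quote.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical allow-list, taken from the g_voteNames value quoted in the thread. */
static const char *const VOTE_NAMES[] = {
    "map_restart", "nextmap", "map", "g_gametype", "kick", "clientkick"
};

/* 1 if s has none of the characters assumed here to end or re-quote a
 * console command: ';', newline, carriage return, double quote. */
int vote_arg_is_safe(const char *s)
{
    for (; *s; ++s)
        if (*s == ';' || *s == '\n' || *s == '\r' || *s == '"')
            return 0;
    return 1;
}

/* 1 if name is exactly one of the allowed vote commands. */
int vote_name_is_allowed(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof VOTE_NAMES / sizeof VOTE_NAMES[0]; ++i)
        if (strcmp(name, VOTE_NAMES[i]) == 0)
            return 1;
    return 0;
}

/* Writes name "arg" into out. Returns 0 on success, -1 if the vote is
 * rejected (unknown name, unsafe argument, or it would not fit). */
int build_vote_command(char *out, size_t outsz, const char *name, const char *arg)
{
    int n;
    if (!vote_name_is_allowed(name) || !vote_arg_is_safe(arg))
        return -1;
    n = snprintf(out, outsz, "%s \"%s\"", name, arg);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    /* Constructed inputs: one plain name, one with an embedded newline. */
    const char *samples[] = { "UnnamedPlayer", "Player\nplaceholder_command" };
    char buf[64];
    size_t i;
    for (i = 0; i < 2; ++i)
        printf("%s\n", build_vote_command(buf, sizeof buf, "kick", samples[i]) == 0 ? buf : "Invalid vote string.");
    return 0;
}
```

Rejecting the request outright, rather than stripping the offending characters, keeps the executed command identical to what the other players were shown when they voted.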