Pages: [1]
  Print  
Author Topic: Watch out for hackers!  (Read 8702 times)
Defender
Ok i've posted twice!


Cakes 0
Posts: 2


« on: January 18, 2009, 02:09:28 AM »

Hi,
there seems to be a severe bug in the ioquake3 voting system. This first happens in urbanterror http://forums.urbanterror.net/index.php/topic,14034.0.html. Server admins are forced to turn off g_allowvote.
OpenArena may be also affected by this.

Greetings
Defender
Logged
yasha
Half-Nub


Cakes -2
Posts: 68


Did thunder hit my head?


« Reply #1 on: January 18, 2009, 03:52:15 AM »

Its not bug, just that people can kick anybody if they want. I am admin in urbanterror, and there i just use !veto to stop vote i don't like. This won't work if there are more normal players than "hackers".
Logged

... Am I in desert? ...
Udi
Member


Cakes 25
Posts: 536


i do my own stunts


WWW
« Reply #2 on: January 18, 2009, 03:59:40 AM »

Its not bug, just that people can kick anybody if they want.

Nope, according to Urban Terror forum:
Quote
Seems there is an exploit being used that gives an unknown individual ... access to your server where he or she can use your rcon commands.
So the hacker can use all kind of rcon commands, not just kicking anybody.
Logged

http://udionline.hu/en/projektek/openarena/
Todo list: 1. q3dm17 textures replacement (95% done)
PaniC
Nub


Cakes 2
Posts: 27


WWW
« Reply #3 on: January 18, 2009, 05:32:33 AM »

Hi,
there seems to be a severe bug in the ioquake3 voting system. This first happens in urbanterror http://forums.urbanterror.net/index.php/topic,14034.0.html. Server admins are forced to turn off g_allowvote.
OpenArena may be also affected by this.

Greetings
Defender

Or just remove "kick" from g_voteNames "/map_restart/nextmap/map/g_gametype/kick/clientkick/"

Like: g_voteNames "/map_restart/nextmap/map/g_gametype/clientkick/"

Smiley
Logged

sago007
Posts a lot
*

Cakes 62
Posts: 1664


Open Arena Developer


WWW
« Reply #4 on: January 18, 2009, 07:41:42 AM »

It is all vote commands that are affected.

There has just been committed a workaround to ioquake3's svn.
Logged

There are nothing offending in my posts.
Defender
Ok i've posted twice!


Cakes 0
Posts: 2


« Reply #5 on: January 18, 2009, 07:42:26 AM »

Or just remove "kick" from g_voteNames "/map_restart/nextmap/map/g_gametype/kick/clientkick/"

Like: g_voteNames "/map_restart/nextmap/map/g_gametype/clientkick/"

Smiley

I don't think you want the offender use all the other rcon commands available. So as in urbanterror forum suggested, turn off g_allowvote.
Logged
vindimy
Bigger member


Cakes 15
Posts: 161


lolwut?


WWW
« Reply #6 on: January 26, 2009, 03:51:10 PM »

i have yet to see someone exploiting this bug in openarena. i mean, i haven't heard of any cases! anyone else has?
Logged

Neon_Knight
In the year 3000
***

Cakes 49
Posts: 3775


Trickster God.


« Reply #7 on: January 26, 2009, 04:00:21 PM »

Don't worry by now, it's fixed and it'll be (I guess) at 0.8.2:

Beta 31 is up.
Changelog:
Quote
* Vote system now a lot more robust. Especially the kick functions are now more likely to kick the correct player
* Vote menu for calling votes - does not yet support Kick and Map functions.
* Clamp on cg_errorDecay as suggested by jessicaRA
* New ui_demo2.c by jessicaRA
* From ioquake3 svn-1492: fix overflow in CG_ParseTeamInfo
* From ioquake3 svn-1494: fix potential segfault (found by DerSaidin in xreal)
* From ioquake3 svn-1493: security fix: prevent command injection via callvote
* Mouse wheel works in mods menu
Logged


"Detailed" is nice, but if it gets in the way of clarity, it ceases being a nice addition and becomes a problem. - TVT
Want to contribute? Read this.
vindimy
Bigger member


Cakes 15
Posts: 161


lolwut?


WWW
« Reply #8 on: January 26, 2009, 04:06:03 PM »

that's my worry... until 0.8.2 is released, there's no way to prevent the hacking other than disabling the voting system... :/
Logged

sago007
Posts a lot
*

Cakes 62
Posts: 1664


Open Arena Developer


WWW
« Reply #9 on: January 26, 2009, 04:32:22 PM »

I don't think that Open Arena or ioquake3 has ever been vulnerable. It is just that the code tries to trick mod makers into making it insecure. The bug reported mentions that it requires.

ioquake released a security fix, partly in the game logic to make programming error a lot less likely and an engine patch that prevented insecure mods from being exploited.
Have anyone tried calling a vote like:
callvote kick UnnamedPlayer\"\nrconPassword\ \"hello
?

The new binaries in the binary test thread protects insecure mods from being exploited (a necessary workaround even after the gamelogic has been fixed since closed source mods can never be updated) and they work on 0.8.1.
Logged

There are nothing offending in my posts.
Pages: [1]
  Print  
 
Jump to: