Administrator 2059 posts
Registered: Jan 2006
As mentioned in the comments to this blog there is some kind of vulnerability in the commonly used KTX version. I (or Mushi rather) thought this is newsworthy but then where can the server gurus find the correct KTX version to use? And I assume nQuake also should be updated?
www.facebook.com/QuakeWorld
Administrator 1265 posts
Registered: Jan 2006
yeah, to fix this server admins need to update to the newer ktx. They should clone this git repository: https://github.com/jite/ktx/, compile it, and restart the servers
never argue with an idiot. they'll bring you back to their level and then beat you with experience.
Administrator 114 posts
Registered: Sep 2013
Any details about vuln? PoC maybe?
From updated sources @ github - it seems to be possible to pass VIP flags with precompiled quake client that will be recognized by server. Am I right?
Member 375 posts
Registered: Sep 2009
it seems to be possible to pass VIP flags with precompiled quake client that will be recognized by server. Am I right?
Don't know much of the programming... but that's probably right! I've done here (to test/proof), compiling ezQuake with a little, very little, change! Then, inside the compiled ezQuake, all you have to do is set a variable, then connect to a server: BOOM, all your commands are local commands, like if you were at the server shell... (It's also a very dangerous security issue to the server machine, because depending on the server configs, you have access to the ENTIRE MACHINE FOLDER/FILES)
Like:
on Windows: Format c:\
on Linux: rm -Rf /
hehehehehe (ok, it's not that simple, but it's TRUE)
(QW Nickname: AL.Kernell)
Administrator 1025 posts
Registered: Apr 2006
it seems to be possible to pass VIP flags with precompiled quake client that will be recognized by server. Am I right?
Don't know much of the programming... but that's probably right! I've done here (to test/proof), compiling ezQuake with a little, very little, change! Then, inside the compiled ezQuake, all you have to do is set a variable, then connect to a server: BOOM, all your commands are local commands, like if you were at the server shell... (It's also a very dangerous security issue to the server machine, because depending on the server configs, you have access to the ENTIRE MACHINE FOLDER/FILES)
Like:
on Windows: Format c:\
on Linux: rm -Rf /
hehehehehe (ok, it's not that simple, but it's TRUE)
First part is correct, second part not necessarily. When you have the server console you can do stuff to allow yourself to upload files, from there one can insert scripts and make them execute on the remote machine. However they will only run as the same user as the qw server runs as. However if this is your normal account/super user account, I'd be a bit scared and fix this ASAP.
Security by obscurity, doesn't work.
Member 55 posts
Registered: Oct 2011
I added the fix at the very moment to all of my servers.
That's rather scary, but now, "we"'re safe...
BaseQ.fr Administrator o/
Administrator 114 posts
Registered: Sep 2013
For those of you wondering how to 'patch' it here is a simple howto:
1. git clone https://github.com/jite/ktx
2. cd ktx
3. optional step: change version in ktx/include/g_local.h under MOD_VERSION (line 41) to something meaningful like 1.37-dev_patch1
4. ./configure
5. make dl
6. ls -altr (look for qwprogs.so)
copy new qwprogs.so to your ktx/ directory and restart server. If it fails to load progs.dat you also have to recompile mvdsv:
1. git clone https://github.com/jite/mvdsv
2. cd mvdsv/build/make/
3. ./configure
4. make
5. chmod 755 mvdsv
and then copy mvdsv to your ${quake_home}
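A post-update check for the steps above and for the earlier point that injected scripts run as the user the qw server runs as; this is an added example, not part of any post in this thread and not code from the KTX or mvdsv projects. The function names, the directory argument and the use of `qwprogs.so.old` as the name of the previous build are assumptions about the install layout:

```shell
# Added example (not from the thread). Assumed layout: $dir/ktx/qwprogs.so is
# the live module and $dir/ktx/qwprogs.so.old is the build it replaced.

# check_qw_install DIR
# Prints one finding per line; returns 0 when clean, 1 otherwise.
check_qw_install() {
    dir=$1
    new="$dir/ktx/qwprogs.so"
    old="$dir/ktx/qwprogs.so.old"
    rc=0

    if [ ! -f "$new" ]; then
        echo "MISSING $new"
        return 1
    fi
    # A module identical to the old one means the copy step never happened.
    if [ -f "$old" ] && cmp -s "$new" "$old"; then
        echo "UNCHANGED $new is identical to $old"
        rc=1
    fi
    # Whoever can write the module can load code into the server process.
    if [ -n "$(find "$new" \( -perm -020 -o -perm -002 \))" ]; then
        echo "WRITABLE $new is group- or world-writable"
        rc=1
    fi
    return $rc
}

# root_owned_servers
# Reads "USER COMMAND" lines on stdin (the output of `ps -eo user=,comm=`)
# and prints every mvdsv process running as root; returns 1 if any was found.
root_owned_servers() {
    awk '$1 == "root" && $2 == "mvdsv" { print "ROOT " $2; bad = 1 }
         END { exit bad + 0 }'
}

# Typical use on the server host:
#   check_qw_install "${quake_home}" && ps -eo user=,comm= | root_owned_servers
```

Both functions only read state; a non-zero return means the module was not replaced, is writable by other accounts, or the server process is running as root.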
Administrator 1265 posts
Registered: Jan 2006
never argue with an idiot. they'll bring you back to their level and then beat you with experience.
News Writer 912 posts
Registered: Jan 2006
I just did this on nl.besmella.com servers... looks to have worked... should the size be so much bigger than the previous one? more than double the size?
-rwxr-xr-x 1 root root 2841977 Jun 4 23:22 qwprogs.so*
-rw-r--r-- 1 root root 1062336 Oct 10 2013 qwprogs.so.old
Member 344 posts
Registered: Nov 2006
It probably has debugging symbols included still. Try "strip qwprogs.so".
News Writer 912 posts
Registered: Jan 2006
It probably has debugging symbols included still. Try "strip qwprogs.so".
Is there any effect on the performance or memory usage if I don't do this?
Member 344 posts
Registered: Nov 2006
News Writer 912 posts
Registered: Jan 2006
Perfect, thanks!