User panel stuff on forum
  12 posts on 1 page  1
Server Talk
2015-06-30, 21:48
Administrator
114 posts

Registered:
Sep 2013
Hi Guys, anyone heard about new RCE (remote code execution) and rcon admin hijacking vulnerabilities in latest KTX sources? I've heard about it from security researcher but can't find any commits on GIT repositories to address these issues (https://github.com/jite/ktx, https://github.com/deurk/ktx). Or maybe I'm looking at the wrong ones?
play.quake1.pl
2015-07-01, 05:16
2015-07-01, 13:20
Administrator
114 posts

Registered:
Sep 2013
I've seen these Bogo. Initially I thought the talk was about already fixed vulnerabilities, but since conference where I heard about that again was held in June this year, I'm thinking there are a new one discovered.

Don't have any details though. Waiting for whitepaper.

EDIT: patch your servers with this: https://github.com/akat1/mvdsv/commit/27a5900acb2411158b54d0e312149919922b766e
play.quake1.pl
2015-09-10, 00:15
Member
280 posts

Registered:
Jan 2015
For anyone interested, I cloned d2's mvdsv repository and jite's ktx repository with the latest security fixes and compiled to 32 and 64 linux systems.

Here are the links for you to update your servers.

http://upload.foppa.dk/files/qwprogs.so
http://upload.foppa.dk/files/qwprogs64.so

Stop the servers, rename the 64 files to qwprogs.so or mvdsv (if needed) and restart the servers.

Cheers.


EDIT: MVDSV was buggy, i removed it.
dev
2015-09-11, 12:19
News Writer
280 posts

Registered:
May 2006
d2 wrote:
I've seen these Bogo. Initially I thought the talk was about already fixed vulnerabilities, but since conference where I heard about that again was held in June this year, I'm thinking there are a new one discovered.

Don't have any details though. Waiting for whitepaper.

EDIT: patch your servers with this: https://github.com/akat1/mvdsv/commit/27a5900acb2411158b54d0e312149919922b766e

How do it work?
2015-09-12, 21:04
Administrator
114 posts

Registered:
Sep 2013
VVD wrote:
d2 wrote:
I've seen these Bogo. Initially I thought the talk was about already fixed vulnerabilities, but since conference where I heard about that again was held in June this year, I'm thinking there are a new one discovered.

Don't have any details though. Waiting for whitepaper.

EDIT: patch your servers with this: https://github.com/akat1/mvdsv/commit/27a5900acb2411158b54d0e312149919922b766e

How do it work?


With custom-made qw client you can connect to vulnerable server and read its files (rcon passwords included).
play.quake1.pl
2015-09-13, 11:20
Member
344 posts

Registered:
Nov 2006
I completely lost track of which repositories are updated with which patches. Can someone please take over ownership of the KTX and MVDSV code and maintain it? We are getting too fragmented..
2015-09-13, 15:37
News Writer
280 posts

Registered:
May 2006
d2 wrote:
VVD wrote:
d2 wrote:
I've seen these Bogo. Initially I thought the talk was about already fixed vulnerabilities, but since conference where I heard about that again was held in June this year, I'm thinking there are a new one discovered.

Don't have any details though. Waiting for whitepaper.

EDIT: patch your servers with this: https://github.com/akat1/mvdsv/commit/27a5900acb2411158b54d0e312149919922b766e

How do it work?


With custom-made qw client you can connect to vulnerable server and read its files (rcon passwords included).

Do you say about this patch?
https://github.com/akat1/mvdsv/commit/27a5900acb2411158b54d0e312149919922b766e
Can't understand how to use not patched mvdsv for «read its files».

(Edited 2016-01-05, 18:29)
2015-10-09, 09:41
Administrator
1265 posts

Registered:
Jan 2006
Tuna wrote:
I completely lost track of which repositories are updated with which patches. Can someone please take over ownership of the KTX and MVDSV code and maintain it? We are getting too fragmented..

x2
never argue with an idiot. they'll bring you back to their level and then beat you with experience.
2015-10-09, 10:16
Administrator
1025 posts

Registered:
Apr 2006
Tuna wrote:
I completely lost track of which repositories are updated with which patches. Can someone please take over ownership of the KTX and MVDSV code and maintain it? We are getting too fragmented..

A while back qw-dev was down so I made mirrors on my github (jite) account for them.

Later on deurk re-arrived out of the blue and moved the official repos from qw-dev to his github account.

If he's active or not now I don't know but the original official sources are on his account. Although MVDSV/KTX combo is broken if downloading from his account due to PR1/PR2 "bugfix".
2015-10-09, 12:58
Administrator
1265 posts

Registered:
Jan 2006
dimman wrote:


Later on deurk re-arrived out of the blue and moved the official repos from qw-dev to his github account.

If he's active or not now I don't know (...).


Ive tried to reach him last month without success.
never argue with an idiot. they'll bring you back to their level and then beat you with experience.
2015-10-09, 13:23
Administrator
1025 posts

Registered:
Apr 2006
mushi wrote:
dimman wrote:


Later on deurk re-arrived out of the blue and moved the official repos from qw-dev to his github account.

If he's active or not now I don't know (...).


Ive tried to reach him last month without success.

So everything is back to usual
  12 posts on 1 page  1