Administrator
114 posts
Registered:
Sep 2013
Hi Guys, anyone heard about new RCE (remote code execution) and rcon admin hijacking vulnerabilities in latest KTX sources? I've heard about it from security researcher but can't find any commits on GIT repositories to address these issues (https://github.com/jite/ktx, https://github.com/deurk/ktx). Or maybe I'm looking at the wrong ones?
Member
172 posts
Registered:
Sep 2013
Administrator
114 posts
Registered:
Sep 2013
Member
280 posts
Registered:
Jan 2015
For anyone interested, I cloned d2's mvdsv repository and jite's ktx repository with the latest security fixes and compiled to 32 and 64 linux systems.
Here are the links for you to update your servers.
http://upload.foppa.dk/files/qwprogs.sohttp://upload.foppa.dk/files/qwprogs64.soStop the servers, rename the 64 files to qwprogs.so or mvdsv (if needed) and restart the servers.
Cheers.
EDIT: MVDSV was buggy, i removed it.
News Writer
280 posts
Registered:
May 2006
Administrator
114 posts
Registered:
Sep 2013
With custom-made qw client you can connect to vulnerable server and read its files (rcon passwords included).
Member
344 posts
Registered:
Nov 2006
I completely lost track of which repositories are updated with which patches. Can someone please take over ownership of the KTX and MVDSV code and maintain it? We are getting too fragmented..
News Writer
280 posts
Registered:
May 2006
With custom-made qw client you can connect to vulnerable server and read its files (rcon passwords included).
Do you say about this patch?
https://github.com/akat1/mvdsv/commit/27a5900acb2411158b54d0e312149919922b766e
Can't understand how to use not patched mvdsv for «read its files».
(Edited 2016-01-05, 18:29)
Administrator
1265 posts
Registered:
Jan 2006
I completely lost track of which repositories are updated with which patches. Can someone please take over ownership of the KTX and MVDSV code and maintain it? We are getting too fragmented..
x2
never argue with an idiot. they'll bring you back to their level and then beat you with experience.
Administrator
1025 posts
Registered:
Apr 2006
I completely lost track of which repositories are updated with which patches. Can someone please take over ownership of the KTX and MVDSV code and maintain it? We are getting too fragmented..
A while back qw-dev was down so I made mirrors on my github (jite) account for them.
Later on deurk re-arrived out of the blue and moved the official repos from qw-dev to his github account.
If he's active or not now I don't know but the original official sources are on his account. Although MVDSV/KTX combo is broken if downloading from his account due to PR1/PR2 "bugfix".
Administrator
1265 posts
Registered:
Jan 2006
Later on deurk re-arrived out of the blue and moved the official repos from qw-dev to his github account.
If he's active or not now I don't know (...).
Ive tried to reach him last month without success.
never argue with an idiot. they'll bring you back to their level and then beat you with experience.
Administrator
1025 posts
Registered:
Apr 2006
Later on deurk re-arrived out of the blue and moved the official repos from qw-dev to his github account.
If he's active or not now I don't know (...).
Ive tried to reach him last month without success.
So everything is back to usual