Callvote Exploit


Tanith

Lovely weather here

50 XP

27th September 2006

0 Uploads

820 Posts

0 Threads

#1 10 years ago

There is an exploit that has been revealed for games running on the Quake 3 engine that allows a player to call a vote and at the same time execute a server command, which, if the vote passes, takes effect. Examples of server commands: changing the rcon password, or changing sv_allowdownload to 1, which would allow users to download the server.cfg.

One possible fix to this is to disable voting, but I was wondering if anyone on here knows of a fix for Linux-hosted servers that would allow voting to remain enabled.




~*Seto*~

Trapped in the interchet

50 XP

19th October 2007

0 Uploads

334 Posts

0 Threads

#2 10 years ago

I haven't heard of any fix for Linux yet. I do know that when the new JA+ mod version comes out, this bug will be fixed (since I reported it to Slider myself some time ago). Also, not every type of vote is affected, so if you only disable the bad ones you can leave the others enabled. And finally, this bug is a bit difficult to use for most people because it requires a modified client to run, but if you apply a modification patch to your client then JKA's self-check system activates, which generates a cl_parsepacketentities error that prevents you from being in an MP server.

So in summary... don't worry about it, just turn off some votes, wait for JA+ 2.4beta4 Linux, and everything will be fine =p.




Tanith

Lovely weather here

50 XP

27th September 2006

0 Uploads

820 Posts

0 Threads

#3 10 years ago

It's good to hear that the bug will be fixed in the next JA+ release, but what about Base servers, where the callvote command is more commonly used?




~*Seto*~

Trapped in the interchet

50 XP

19th October 2007

0 Uploads

334 Posts

0 Threads

#4 10 years ago

Base is already vulnerable to many other, much easier-to-use exploits... unless you are using something like Gamall's basejka fix? In that case, maybe another one will come along to fix this problem as well.




Tanith

Lovely weather here

50 XP

27th September 2006

0 Uploads

820 Posts

0 Threads

#5 10 years ago

Gamall's basejka fix does not work for this particular exploit. But thanks to the forum that came across the exploit, two fixes have been released for it. I do not take credit for either fix.

Linux fix:

- MSGBOOM fixed (some French sentences appear and it calls a vote to kick "crasher")
- Forcestring (calls a vote to kick)
- Callvotebug (says "noob hacker", and nothing happens)

jampgamei3862.rar (download on FileFront)

(Replace your current jampgamei386.so with this one.)

Windows + Linux fix: This is just a way you can use to make the callvote bug pointless, without decompiling or making modded DLLs. All you need is your jampded.exe or linuxjampded file and a hex editor.

Both server files with the common changes are at the end of the post.

Open the editor (I use XVI32; it's free, the link is at the end of the post), then find the text string containing the rconpassword variable name. Now change the name to something like yrhiuahfeerd.

IMPORTANT: the new name must have the SAME length as the string "rconpassword" (12 chars). Then save the file, and your jampded or linuxjampded is now patched.

How it works: in the cfg your server runs, you have to replace 'rconpassword' with 'yrhiuahfeerd'. So now your admin password will be named 'yrhiuahfeerd' and not 'rconpassword'.

When someone tries to call a vote, e.g. callvote fraglimit "0; rconpassword 123", the fraglimit will be set to 0, and all players will see a chat message:

server: rconpassword 123

As there is no variable named rconpassword, the server will interpret it just as a chat message. So from the vote initiator it's easy to tell who is trying to hack the server :)

Surely, they can still get your admin password (change it via vote etc.), BUT they have to know the name of the variable defining the admin password, which is really hard to do :)

Also, every attempt to guess the name will be shown to the other players, as I said before.

Also, the guys who know the true admin password can still run admin commands like before, e.g.

/rconpassword
/rcon status
/rcon clientkick 0

But that is not all. If you downloaded and are working with a file from the attachment, I've already done the following things in it, so you can skip the final part; but if you edited your own jampded/linuxjampded, you'll have to do an additional job.

That is to remove the /quit, /killserver, /sv_killserver and /sv_allowdownload commands. Just find them one by one and replace their names with spaces. Now the 'clever' guys who try to download the cfg will fail, and they won't be able to kill the server via voting either.

PS: when you replace your jampded/linuxjampded file on the server, do not forget to change the chmod for it, so it is allowed to be executed.

SO, to sum up:

1. Edit the linuxjampded/jampded (rconpassword must be replaced with your own string; quit, sv_killserver, killserver and sv_allowdownload should be removed, i.e. filled with spaces).
2. Edit your cfg so that 'rconpassword' is replaced with the custom name you selected in the first step.
3. Enjoy your playing.

FILES

jampded (for Windows) with the quit, sv_killserver and killserver commands removed; you only have to rename the rconpassword variable: http://punk666.pu.ohost.de/serverfix/jampDed.zip

linuxjampded (for Linux) with the quit, sv_killserver and killserver commands removed; you only have to rename the rconpassword variable: http://punk666.pu.ohost.de/serverfix/linuxjampded.zip

xvi32 - free and small Windows hex editor (if you don't have one): http://punk666.pu.ohost.de/serverfix/xvi32.zip
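As an added example (not a tool from this thread, from Gamall, or from the JA+ project), here is the same-length rename from post #5 done as a script instead of by hand in XVI32, with the checks a hex editor does not make for you: the replacement name must be exactly 12 bytes, only whole NUL-terminated strings are touched (so blanking "quit" does not damage a longer string that merely contains it), and the output has the same size as the input. The sample "binary" and the sample cfg are constructed inline so the script runs offline; the name yrhiuahfeerd is the thread's own placeholder and should be replaced by your own secret, and the real targets are jampded.exe / linuxjampded.

```python
"""Same-length cvar/command rename for a Quake 3 server binary (added example)."""
from __future__ import annotations

import os
import re

OLD_RCON_NAME = b"rconpassword"
NEW_RCON_NAME = b"yrhiuahfeerd"          # placeholder from the thread; pick your own 12 bytes
BLANKED_COMMANDS = [b"quit", b"killserver", b"sv_killserver", b"sv_allowdownload"]

# Bytes that can be part of a cvar/command name; used to reject partial matches.
NAME_BYTES = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_")

# Constructed stand-in for a server binary: a fake header followed by a string table.
# "quitting" and "sv_killserver" are there to show that "quit"/"killserver" are matched
# only as whole strings; "rconpassword" appears twice to show every reference is renamed.
SAMPLE_BINARY = (
    b"\x7fELF" + b"\x00" * 12
    + b"sv_allowdownload\x00rconpassword\x00quit\x00quitting\x00rcon\x00"
    + b"sv_killserver\x00killserver\x00fraglimit\x00rconpassword\x00"
)

# Constructed stand-in for the server cfg that has to be edited to match.
SAMPLE_CONFIG = 'seta rconpassword "hunter2"\nseta sv_hostname "Test"\n'


def _whole_string_offsets(data: bytes, name: bytes) -> list[int]:
    """Offsets where `name` is a complete NUL-terminated string, not a substring."""
    offsets, start = [], 0
    while (i := data.find(name, start)) >= 0:
        end = i + len(name)
        terminated = end < len(data) and data[end] == 0
        standalone = i == 0 or data[i - 1] not in NAME_BYTES
        if terminated and standalone:
            offsets.append(i)
        start = i + 1
    return offsets


def replace_whole_string(data: bytes, old: bytes, new: bytes) -> tuple[bytes, int]:
    """Overwrite every whole-string occurrence of `old` with `new` (same length only).

    The strings live in the binary's data section; changing their length would
    shift every address behind them, which is why the post insists on 12 chars.
    """
    if len(old) != len(new):
        raise ValueError(f"replacement must be {len(old)} bytes, got {len(new)}")
    buf = bytearray(data)
    offsets = _whole_string_offsets(data, old)
    for i in offsets:
        buf[i:i + len(old)] = new
    return bytes(buf), len(offsets)


def patch_server_binary(data: bytes, new_rcon_name: bytes) -> tuple[bytes, dict[str, int]]:
    """Rename rconpassword and blank the listed commands; returns (patched, counts)."""
    report: dict[str, int] = {}
    data, n = replace_whole_string(data, OLD_RCON_NAME, new_rcon_name)
    report[OLD_RCON_NAME.decode()] = n
    for cmd in BLANKED_COMMANDS:
        data, n = replace_whole_string(data, cmd, b" " * len(cmd))  # spaces, as in the post
        report[cmd.decode()] = n
    return data, report


def patch_config(text: str, new_rcon_name: bytes) -> str:
    """Step 2 of the post: the cfg must use the new name or rcon stops working."""
    return re.sub(r"\brconpassword\b", new_rcon_name.decode(), text)


def patch_file(src: str, dst: str, new_rcon_name: bytes) -> dict[str, int]:
    """Patch a real jampded/linuxjampded on disk, keeping it executable (the post's PS)."""
    with open(src, "rb") as f:
        data = f.read()
    patched, report = patch_server_binary(data, new_rcon_name)
    assert len(patched) == len(data), "patched binary changed size"
    with open(dst, "wb") as f:
        f.write(patched)
    os.chmod(dst, 0o755)
    return report


if __name__ == "__main__":
    patched, report = patch_server_binary(SAMPLE_BINARY, NEW_RCON_NAME)
    for name, count in report.items():
        print(f"{name:>18}: {count} occurrence(s) patched")
    print(patch_config(SAMPLE_CONFIG, NEW_RCON_NAME), end="")
```

The counts it reports are the check worth reading: zero hits for rconpassword means the binary is not the one you think it is, and more than the expected few for a short name like quit means the whole-string rule has matched something you should look at before shipping. The protection is only the secrecy of the new name, as the post itself says, so treat it like the password it guards.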