BaseJKA Security Fix

Miscellaneous programs and scripts, opensource or not, and sometimes, random mathematical stuff.
User avatar
Maikoru
Jedi Perpétuellement Affamé
Posts: 485
Joined: Sun Aug 27, 2006 11:15 pm

Re: BaseJKA Security Fix

Post by Maikoru »

Je l'ai fais avec putty.
Dans le menu de maintenance, c'est écrit mettre à jour vers BaseJka 1.2.
Je suis tout de même pas fou :o

http://www.gamall-ida.com/f/download/file.php?id=432
"..." -- Link
Gamall
Hic sunt dracones
Posts: 4174
Joined: Fri May 26, 2006 11:09 pm
Contact:

Re: BaseJKA Security Fix

Post by Gamall »

Basejka 1.2 n'est pas Basejka Security Fix 1.1a :langue

http://jediknight3.filefront.com/file/BaseJKA;63098
vs
http://www.gamall-ida.com/f/viewtopic.php?f=3&t=120

J'ai fait l'interface admin des serveurs bien avant d'écrire BaseJKA Security Fix. Donc j'ai utilisé tout ce que j'avais sous la main pour protéger un serveur base des crash courants, et il se trouve que c'était Basejka 1.2. Je n'ai pas mis l'interface à jour depuis.

Mais Basejka 1.2 n'est pas mon mod, n'a rien à voir avec moi, et est closed-source donc seul l'auteur peut regler ses problèmes.

Si ce que tu veux est protéger ton serveur des crashs, je te suggère d'utiliser la version 1.1a de mon mod; la dernière version est là viewtopic.php?f=3&t=356 . Et là c'est bien à moi qu'il faudra signaler les bugs du mod s'il y en a, et tu seras sur le bon topic :langue

Pour installer mon mod , il suffit de remplacer le jampgame du serveur par celui fourni; c'est d'ailleurs tout ce que fait l'interface SSH que j'avais écrite.

Voili :huhu
{<§ Gamall Wednesday Ida §>}
{ Mods and Programs - Mods TES-IV Oblivion }
User avatar
Maikoru
Jedi Perpétuellement Affamé
Posts: 485
Joined: Sun Aug 27, 2006 11:15 pm

Re: BaseJKA Security Fix

Post by Maikoru »

Merci, c'est plus clair comme ça. :slurp
"..." -- Link
User avatar
BSzili
Posts: 3
Joined: Sun Feb 21, 2010 11:32 pm

Re: BaseJKA Security Fix

Post by BSzili »

I know you stopped working on this mod, but aluigi discovered a very serious exploit, which allows you to change the server's rcon password, or any cvar via voting. http://aluigi.org/poc.htm#q3cbufexec
There's a fix for it too: http://bugzilla.icculus.org/attachment. ... ction=edit
People keep attacking my server with it, rewriting my config. :snif Sadly other basejka versions (including 1.2) are vulnerable. Could you - by any chance include this fix it in your mod? :quoi
Gamall
Hic sunt dracones
Posts: 4174
Joined: Fri May 26, 2006 11:09 pm
Contact:

Re: BaseJKA Security Fix

Post by Gamall »

Hello,

My, my... there are so many issues with callvote...

As you noticed, I am retired; I do not have the game installed, nor the tools to compile mods -- definitely not on Windows anyway. It might compile on my Linux system, but since it is not the same system which I used to compile the mod on, the results are more or less unpredictable (depending which compiler I used I had the same code give very different results... the beauty of "hand-optimized" C...), and again, I don't even have the game to test it.

If you are hosted on a Linux server and feeling really desperate, I could try to compile it and give you the binary {edit: tried that, it doesn't compile on my system; unless there is a trick I don't remember.}. If it works well, great. If not, too bad. If you are hosted on Windows, you're on your own.

This being said, even if you are on windows, if it is really important to you, my mod is entirely open source, so nothing prevents you from getting the code, applying the patch, compiling and playing happily ever after ;) (though you may need MS Visual studio for that, I don't know if it will compile with the GNU toolchain on windows)
People keep attacking my server with it, rewriting my config.
If it's that bad, simply deactivate voting. Playing without vote is still better than a hostile server takeover.
The code I see here seems incomplete to me. I believe both \n and \r could be used as separators, as per humbaba's explanation. Yet this code only tests against \n. To be safe, I'd add a similar test for \r.
{<§ Gamall Wednesday Ida §>}
{ Mods and Programs - Mods TES-IV Oblivion }
User avatar
BSzili
Posts: 3
Joined: Sun Feb 21, 2010 11:32 pm

Re: BaseJKA Security Fix

Post by BSzili »

Sorry for bothering you with old stuff :) In fact i already tried to fix the problem myself, but checking against \n had no effect. Maybe because they're using \r :huh
User avatar
BSzili
Posts: 3
Joined: Sun Feb 21, 2010 11:32 pm

Re: BaseJKA Security Fix

Post by BSzili »

Oookay, i added a check for \r too, and i think it did the trick. Thanks a lot for drawing my attention to it! ;)
User avatar
yberion
Posts: 19
Joined: Wed Feb 17, 2010 6:12 pm

Re: BaseJKA Security Fix

Post by yberion »

BSzili wrote:I know you stopped working on this mod, but aluigi discovered a very serious exploit, which allows you to change the server's rcon password, or any cvar via voting. http://aluigi.org/poc.htm#q3cbufexec
There's a fix for it too: http://bugzilla.icculus.org/attachment. ... ction=edit
People keep attacking my server with it, rewriting my config. :snif Sadly other basejka versions (including 1.2) are vulnerable. Could you - by any chance include this fix it in your mod? :quoi
Hey !

Linux or windows ?

If u use windows u can download the very last ( 10/03/2010 ) fix here : http://www.megaupload.com/?d=AG2CA47R

Include :

Fix /say aaaaaaaaaaaaaa (buffer overflow exploit)
Fix ForceString bug !
Fix /callvote map "mp/ffa3;rconpassword lol"
Fix Anti-hack download ( /download base/server.cfg ) by bobafett
Fix crash by callvote
and other fix
User avatar
yberion
Posts: 19
Joined: Wed Feb 17, 2010 6:12 pm

Re: BaseJKA Security Fix

Post by yberion »

User avatar
K.I.T.T. Mace {L}
Posts: 5
Joined: Sat Jan 14, 2012 2:13 am

Re: BaseJKA Security Fix

Post by K.I.T.T. Mace {L} »

Hey Gamall

We have a problem with a player called "boxer". He crashes our servers many times with the crash "Info string length exceeded". I think your fix should get this problem, too, but it doesn't work for our servers. Could you pls explain me more detailed, what we have to do with your files. We have both fixes, the first and the second version. I would be really happy if you contact me via e-mail or give me a detailed explanation, what we have to do after downloading it cause simply extract it into base folder doesn't work. so WHICH files need to be in base and what else do we have to do!?

Thanks in advance

K.I.T.T. Mace {L}
Gamall
Hic sunt dracones
Posts: 4174
Joined: Fri May 26, 2006 11:09 pm
Contact:

Re: BaseJKA Security Fix

Post by Gamall »

The mod's main file, depending on server OS
Windows : basejka_Gamalls_fix_11.pk3
Linux : jampgamei386.so
goes into base. Reboot the server. That's it. The gamename should change to reflect the fact that the server is running the mod.

Of course that applies only for base servers, not japlus etc.

Please note that I have long retired from the JKA scene, and am completely out of touch with the new cracks which might affect it. Hell, even with the old ones, now....
{<§ Gamall Wednesday Ida §>}
{ Mods and Programs - Mods TES-IV Oblivion }
User avatar
K.I.T.T. Mace {L}
Posts: 5
Joined: Sat Jan 14, 2012 2:13 am

Re: BaseJKA Security Fix

Post by K.I.T.T. Mace {L} »

ok we put it into base.
the server works but we can't connect to it because it shows us after connecting the error "Client/Server game mismatch: basejk-1/basejka-1"
so what do we have to change so that players can join?
and does your fix also works for the forcecrash "/set forcepowers ..." (don't want to explain it exactly because maybe noobs use it after reading it^^) ??
we already tried buffer overflow and it shows us in the server console "ANTICRASH (...)", so the fix against "jamsgbof" works!! =)
Gamall
Hic sunt dracones
Posts: 4174
Joined: Fri May 26, 2006 11:09 pm
Contact:

Re: BaseJKA Security Fix

Post by Gamall »

K.I.T.T. Mace {L} wrote:"Client/Server game mismatch: basejk-1/basejka-1"
Err... are you a jk2 or jk3 user ? My patch is for jk3 only.

To clarify; the exploit and the code fix apply to both games, but the compiled binaries which I distribute are only for JKA -- someone would have to apply my fix and compile binaries for JK2. It's not difficult but you need tools and a little programming skills. Though I believe JediDog (evan1715 on this forum) had done so -- I might remember wrong -- it's been a while. And he might have retired as well. If you are on jk2 you might want to read his posts here in detail, and try to contact him by PM if you do not find information about his mod by doing so, or if the links are dead. Hopefully his mail here will still be valid.

edit: ok, strike the above; that message may mean that you use JKA 1.00 instead of the latest official version: 1.01. Old 1.00 cannot be patched, because the SDK is not available. (well it can, but it's orders of magnitude harder to patch binaries than source code, so nobody is going to do it).
K.I.T.T. Mace {L} wrote:and does your fix also works for the forcecrash "/set forcepowers ..." (don't want to explain it exactly because maybe noobs use it after reading it^^) ??
Yes, in the latest version (1.1a, I think). There is a whole topic about that.

viewtopic.php?f=3&t=356

That's the version you should use anyway, it has all the fixes of previous versions.
{<§ Gamall Wednesday Ida §>}
{ Mods and Programs - Mods TES-IV Oblivion }
User avatar
K.I.T.T. Mace {L}
Posts: 5
Joined: Sat Jan 14, 2012 2:13 am

Re: BaseJKA Security Fix

Post by K.I.T.T. Mace {L} »

oh damn...i thought BaseJKA is 1.00 (because of BASE^^)...ok then no fix for us =D
we didn't want to update cause we have Knights of the Force, too, which is 1.01, but our problem is, that we can create a server, but it's not online and we don't know why...
Gamall
Hic sunt dracones
Posts: 4174
Joined: Fri May 26, 2006 11:09 pm
Contact:

Re: BaseJKA Security Fix

Post by Gamall »

No, basejka is jka without mods. Version 1.00 is long deprecated and nobody should be using it.
K.I.T.T. Mace {L} wrote:we didn't want to update cause we have Knights of the Force, too, which is 1.01, but our problem is, that we can create a server, but it's not online and we don't know why...
I don't understand what you're saying here. KotF should be completely irrelevant to the discussion, it's yet another mod.

1° update your server to 1.01. It will disappear from 1.00 master lists, of course.

2° update your client to 1.01. It won't see 1.00 servers anymore, but will see 1.01 servs. Including your own.

3° Optionally, add mods, such as my fix, KotF, JA+ etc. They only work with 1.01.
{<§ Gamall Wednesday Ida §>}
{ Mods and Programs - Mods TES-IV Oblivion }
Post Reply

Who is online

Users browsing this forum: Google [Bot] and 254 guests