Q2Admin 1.17.44 Released - CRITICAL UPDATE

[R1CH]

While reviewing the Q2Admin code, I have discovered several critical vulnerabilities in the handling of certain commands that can lead to arbitrary code execution. An updated version, 1.17.44, is now available. Please update any servers using 1.17.43 immediately and please notify any admins you personally know who may be running vulnerable versions.

Linux binary:
http://r-1.ch/q2admin-1.17.44-linux-update.zip

Win32 binary:
http://r-1.ch/q2admin-1.17.44-win32-update.zip

Source code:
http://r-1.ch/q2admin-1.17.44-source.zip

Changes:

• Patched two critical security bugs exploitable by remote users.


• Patched a security bug exploitable by users with rcon.


• Improved 'whois' command so it does not crash the server.


• Long lrcon commands should no longer crash the server.


• Removed broken NoCheat 2.34 version checking.


• Added proper GPL headers to the source code.

Full details of the security issues will be released in three months.

[WHO]

thx mate, can I ask:

Patched a security bug exploitable by users with rcon.


..........................:/ 

or should I ask privately in this matter?

[Xtife]

are you maintaining q2admin now?

just wondering if this would be betetr then ar-admin

[incith]

Is there a list of all the new settings since the last release on planetquake somewhere?

Also, great job R1CH, all around.. you have many a project.

Edit: And hello everyone!

[Bossman]

 Here is one from iENO

Sorry bout that pasted wrong one here.

[incith]

Is that the correct thread?

Edit:
Decided to search, had searched before mind you, but this time I searched for iENO in advanced search
http://www.r1ch.net/forum/index.php?topic=253.0

Thanks.

[quadz]

Kick-ass, r1ch !!

On behalf of your fans at tastyspleen, YOU ROCK !!!!



never-quadz

[incith]

So I was setting up a server tonight for our clan, it was working fine, then I added q2admin (latest release by you), and now both r1q2ded and r1q2ded-old die saying that gamei386.so.real is API version 0.. both r1q2ded and -old run the .so when it is used without q2admin..

This is under Linux.

Regards~

Edit: Oops! Bleh. I had it .so.real. *laugh*

[dk_sn1p3r]

iENO can you post your configs for the latest version of q2admin possibly i have no idea what all the new features for q2admin are and don't have the latest configs...

Any help would be appreciated!

Thx

[Cocolino]

command "!mute" does not work properly.
maybe you can include this commant to r1q2ded ? 

[Bossman]

  Are you doing it like thiis?

sv !mute matt  400

That would shut matt  up for 400 seconds

sv !mute [LIKE/RE/CL] name [time (seconds)/PERM

Hey dk_sn1p3r go up a few spots to  incith  he gots the page there.

[QwazyWabbit]

What causes message "%s tried to flood the server (2)" to be sent by q2admin 1.17.44?

[Snake]

Too many userinfo changes sent. From the q2admin.txt that I have:

; there's an exploit in q2admin which means that if you send a lot of
; userinfo changes to it then it overflows it's command
; queues and actually makes the player invisible to the q2admin but not
; the game or server.  this means none of q2admins checks will work.
; don't worry it's not commonly used but we did see that it was being used
; in the id3 modified ratbot as another level of throwing q2admin.
;
; this exploit can also be used to crash the server often with wierd
; messages like bad magic overflow (iirc).

; maximum amount of times a player can change their userinfo before being
; kicked for server flooding
;
userinfochange_count "40"


; amount of time in seconds a player can reach their maximum number of
; userinfo changes
;
userinfochange_time "60"

[QwazyWabbit]

Thanks Snake,

That's exactly what was happening. The player had a hand 2/0 change in his attack binds.

QW

[R1CH]

Full details of the security issues will be released in three months.

Buffer overflow in admin/refereee logging code allows arbitrary code execution by any client. sprintf() of command line into 256 byte buffer, game over.
Buffer overflow in rcon password exploit logging function allows arbitrary code execution by any client trying to exploit the rcon password. sprintf() into 256 byte buffer with user-supplied parameters, boom.