Luigi Auriemma

How might I get an exploit and multircon to test on my server to ensure the patches you linked me to, work? Or is there another way of ensuring the patches were installed correctly?

testing is the only way to know if a server is still vulnerable.
the rcon DoS can be tested with: multircon -x -i -b 10 09AZaz -d 100 SERVER PORT
for the other proof-of-concepts refer to the main advisory or the runtime help for the testing programs or the small description (if available) in the proof-of-concept section

How do I know if the patch works? Would it just keep guessing the pass, deny me...?

for example in the case of the rcon block bug, when you run multircon with those specific options and you try to send your valid rcon commands to your server, they will be ignored if your server has the half-second limitation enabled... so in short you can no longer manage your server through rcon until it's under this light flooding.

while if you have disabled the rcon limit with my patch you will be able to send your rcon commands even if the server is under flooding, the only downside is that will be more prone to password guessing attacks, which can be avoided with the usage of a complex password

I tested on server, doesn't seem to guess password "test123". However, my base folder on my own computer does not have the patch and password is not guessed as well for some reason. What am I doing wrong here?

how you can say that it's not guessed?
that multircon command I posted is only for testing the rcon DoS, not the password guessing because if you have not disabled the rcon half-second limitation on your server the 99% of the rcon packets you send are dropped.
then with brute forcing and the half-second limit it would take days to guess that password

Not really much an expert on this stuff really... So... I got a message "Server is not vulnerable." with the q3infoboom, this means that patch was installed correctly?

What I am confused bout, is when I tested the same thing on my comp, on a server I made, hosted from my comp. Says the same thing except as I believe I said before, I don't have the patches installed on my computer.

if your server is not crashed means it's fixed, try also to add the -q getstatus option to q3infoboom for being more secure: q3infoboom -q getstatus IP port

for your second doubt I don't have an answer, you could use a mod with in some way fixes that or you are using other fixes or the hoster uses them... really don't know

Ok... Far as I know, the patch is installed correctly cause the server company I am with, if you look at it's cvar settings, there will be an option that says "Version: Win oct 2003 jampded"... or wvr. When the new patch was installed by the company, the version now shows "-TTO-Superpatched Jun 28 2008" or wvr..

Only issue I can see now is, when you type /download, the server can crash when allowdownload is either enabled or disabled.

Before the patch was installed, it acted as it's suppose to. If you type /download when the patch was not installed, it would just be ignored. Do /download test, it'll kick you and say auto download is disabled, Like it's suppose to.

As said above, when patch was installed, I typed /download, server crash. If I did /download test, ignored and does nothing. Is there a way to block that problem or is it going to have to stay vulnerable like that?

arghhh read only memory.
immediately fixed in the new 0.1.1 version
thanx a lot for the report

Um.. so your saying it's out?

Do you have a link on you please?

It says it's so players cannot download files like the server config, doesn't say anything about fixing the crash when you just type /download. Or does it fix that to?

the crash caused by /download without arguments was a bug in the patch.
the purpose of the patch is avoiding the downloading of files outside the game folder and which don't contain ".pk3" in their name

Server company says that, that a patch was applied so I am thinking that with the allowdownload set to 0 and the patch applied, that it maybe the issue were having.



EDIT for December 5, 2008

>> Founded the problem... The patch "q3dirtravfix" seems to affect the allowdownload when it's disabled which caused the crash. Patches were reinstalled without that patch and it works nicely now. The company didn't really read the instructions fully when it said that the patch was unneeeded if allow download is disabled anyways. JA+ also has it's own method for downloading... Anyways, that is the prob Luigi.

Thanks a lot for your help, this is well appreciated and I have no further questions.