Admin Mod NEWS

 

Two Admin Mod exploits found 13.01.2003

Two serious exploits have been found in conjunction with Admin Mod. The first is a server exploit attacking Half-Life servers. It exploits a bug in Admin Mod and can result in arbitrary code being executed on the server that the HLDS runs on. A published exploit targets Linux servers and opens a shell on the server. The second one exploits a flaw in HL (and MOD) clients. This second exploit is not directly linked with Admin Mod. But Admin Mod, just like other server tools, can be used to send specially prepared messages to HL clients which can result in arbitrary code being executed on the client machine.

For both exploits Admin Mod commands must be issued directly on the server, i.e. by typing into the server console or using rcon. Here are some simple rules which you should follow (at all times) to keep your server safe:

*) Do not run your server as the root user or from the administrator account. Use a separate user with restricted access rights to run your HL server. This way, if an attacker succeeds in opening a shell on your server machine, that shell will not have root privileges.
*) Disable Rcon by setting rcon_password to "". You are using Admin Mod; use its access methods to administer your server, not Rcon. If you have to use Rcon for other tools, give the Rcon password only to people you trust. Also be aware that the Rcon password can be sniffed from the network traffic since it is sent in cleartext.
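
A quick way to check a server against these two rules, as an added example that is not part of the original announcement or Admin Mod's own code. It assumes the cvar is set in a cfg file as rcon_password "value"; the sample file contents and the function names rcon_password_value and audit_hlds are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an HLDS setup against the two rules above.
# Sample cfg contents and function names are constructed for illustration.

# Print "set:<value>" for the last rcon_password assignment in cfg file $1.
# Prints nothing if the cvar never appears (// comments are ignored).
rcon_password_value() {
    sed -e 's://.*$::' "$1" | awk '
        $1 == "rcon_password" {
            v = $2
            gsub(/^"|"$/, "", v)   # drop surrounding quotes
            val = v; found = 1
        }
        END { if (found) print "set:" val }'
}

# $1 = cfg file, $2 = numeric uid the server process runs as.
# Returns 0 when neither rule is violated, 1 otherwise.
audit_hlds() {
    rc=0
    if [ "$2" -eq 0 ]; then
        echo "FAIL: server runs as root (uid 0)"
        rc=1
    fi
    case "$(rcon_password_value "$1")" in
        "")     echo "WARN: rcon_password not set in $1, check other cfg files" ;;
        "set:") echo "OK: rcon_password is empty" ;;
        *)      echo "FAIL: rcon_password is non-empty, Rcon is usable"
                rc=1 ;;
    esac
    return $rc
}

# Constructed sample: a later empty assignment overrides an earlier password.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
hostname "Example server"
rcon_password "secret"   // old setting
rcon_password ""
EOF
audit_hlds "$cfg" "$(id -u)" || echo "fix the findings above"
rm -f "$cfg"
```

The check only reads the one file it is given; a password set on the server command line or in another executed cfg file is not seen.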

We have addressed both exploits in version 2.50.51 of Admin Mod. The first (server) exploit was stopped by fixing the bug in Admin Mod.
The second (client) exploit cannot be safely fixed by Admin Mod since the bug sits in the client code, not Admin Mod code. Nevertheless, we have added checks to Admin Mod which prevent the use of non-printable characters in Admin Mod commands and in messages sent to clients. This prevents the published client exploit from using Admin Mod as a method to attack clients. As these checks may put some extra load on weak server machines, you can disable them if you have secured your server by other means. To disable them, add the option "prex0" to the amv_anti_cheat_options options cvar. (Check the manual to learn more about Admin Mod's option cvars.) Be aware that the bug still exists in the client and may be exploited in a different way sometime. Ask the vendor/author of your MOD for a fix of this bug.


The updated DLLs are available for download. Replace your current Admin Mod DLLs with the new versions.

Linux: 2.50.51     2.50.51 (MySQL)

Win32: 2.50.51     2.50.51 (MySQL)

Many thanks to the guys from void.at for finding these bugs. (But, dude, next time drop us an email in advance, please.)

-[ florian ]-


Commandline version of Windows AMX converter 03.01.2003

Until now only a GUI version of the AMX converter, which converts compiled script files (.amx) between Win32 and Linux format, was available for Windows. We have now released a commandline version for Windows. You can use that from a DOS box or from a batch file to check the format of an .amx file or to convert it between Linux and Windows format.

-[ florian ]-



 


  [ Half-Life Admin Mod Alfred Reynolds 2000-2017 ] - [ site design and programming by Jägermeister ]