Beta 1.15 Server Admin Exploit?

TeeCee

[EDIT - Panic not, no exploit - my stupidity - but instead a query about running public servers but denying free vote-able admin access 'out of hours']

[FINAL EDIT - Solution = set "voteThreshold=1.1" and this will disable all admin voting]

Hi all,

I am running a Windows-based beta 1.15 dedicated server with the ACE 1.04 addon. Today I remote-desktopped onto my server to discover the following little gem from the console:

13:12:41 Player XXXX connecting.
13:12:44 Player XXXX connected (id=YYYY).
13:13:03 Admin XXXX logged in.
13:13:08 Game restarted
13:13:08 Waiting for next game.
13:13:16 Player XXXX disconnected.
13:13:16 Admin XXXX logged out.

In short, within 20 seconds of connecting, a player unknown to my server and one other colleague managed to log in as admin and restart the game (a long-running Domination game, thanks).

Is there a known exploit to gain admin access? Or is it just that I haven't locked down the server.cfg as excessively as I should? For example, I dumped the signed/hacked sig checking last night after the server repeatedly banned friends with crashes/connection interruptions mid-game or upon connecting. However, I can't see that some modified PBOs would allow someone to gain admin access to the core server binary...

Thoughts and feedback welcome, and watch your server for this unscrupulous individual.

Regards,

TeeCee

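An added example, not part of the original thread: a small Python scanner for the console pattern TeeCee quoted above. It flags an "Admin ... logged in" that follows the same player's "connected" by only seconds, and any "Game restarted" issued while that session held admin. The four line formats it matches are taken from the excerpt in the post; the 60-second window, the heuristic itself and the sample log (the post's lines plus one benign admin session) are assumptions made here.

```python
"""Scan ArmA dedicated-server console output for admin sessions that look
voted-in rather than password-based: an "Admin ... logged in" only seconds
after the same player's "connected", and/or a "Game restarted" issued while
that session held admin.  Added example, not part of the original thread.
The four line formats matched below are taken from the console excerpt in
the post; the time window and the sample log are assumptions made here."""
import re
from datetime import datetime

# Constructed sample log: the excerpt from the post plus one benign admin
# session (a regular who joined, played, and logged in much later).
SAMPLE_LOG = """\
13:12:41 Player XXXX connecting.
13:12:44 Player XXXX connected (id=YYYY).
13:13:03 Admin XXXX logged in.
13:13:08 Game restarted
13:13:08 Waiting for next game.
13:13:16 Player XXXX disconnected.
13:13:16 Admin XXXX logged out.
14:02:10 Player Regular connecting.
14:02:12 Player Regular connected (id=1234).
14:40:00 Admin Regular logged in.
14:41:30 Admin Regular logged out.
"""

TS = r"(?P<t>\d\d:\d\d:\d\d) "
CONNECTED = re.compile(TS + r"Player (?P<name>.+?) connected \(id=(?P<id>\w+)\)\.$")
ADMIN_IN = re.compile(TS + r"Admin (?P<name>.+?) logged in\.$")
ADMIN_OUT = re.compile(TS + r"Admin (?P<name>.+?) logged out\.$")
RESTART = re.compile(TS + r"Game restarted$")


def _ts(hhmmss):
    # The console prints wall-clock time only; sessions are assumed not to
    # span midnight (a real scanner would carry the date from the log file).
    return datetime.strptime(hhmmss, "%H:%M:%S")


def suspicious_admin_sessions(log_text, max_delay=60):
    """Return [(name, player_id, seconds_from_connect_to_admin, restarted)] for
    every admin session that either started within `max_delay` seconds of the
    player's connect or issued a game restart while it was active."""
    connected = {}   # player name -> (connect time, player id)
    active = {}      # admin name -> session record
    findings = []

    def close(name, rec):
        quick = rec["delay"] is not None and rec["delay"] <= max_delay
        if quick or rec["restarted"]:
            findings.append((name, rec["id"], rec["delay"], rec["restarted"]))

    for line in log_text.splitlines():
        if m := CONNECTED.match(line):
            connected[m["name"]] = (_ts(m["t"]), m["id"])
        elif m := ADMIN_IN.match(line):
            ctime, pid = connected.get(m["name"], (None, None))
            delay = (_ts(m["t"]) - ctime).total_seconds() if ctime else None
            active[m["name"]] = {"id": pid, "delay": delay, "restarted": False}
        elif RESTART.match(line):
            for rec in active.values():      # whoever holds admin at this moment
                rec["restarted"] = True
        elif m := ADMIN_OUT.match(line):
            rec = active.pop(m["name"], None)
            if rec:
                close(m["name"], rec)

    for name, rec in active.items():        # sessions still open at end of log
        close(name, rec)
    return findings


if __name__ == "__main__":
    for name, pid, delay, restarted in suspicious_admin_sessions(SAMPLE_LOG):
        print(f"{name} (id={pid}): admin {delay:.0f}s after connecting, "
              f"restarted game: {restarted}")
```

On the sample above it reports only XXXX (admin 19 seconds after connecting, with a restart); the regular's session, started 38 minutes after joining with no restart, is not flagged. Run it over the real console log to get the player IDs to put in ban.txt.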
  (mr.g-c @ Feb. 20 2009,16:56) said:
He maybe voted himself as admin?

FTW!


Well this could be embarrassing...

Does "voteMissionPlayers=0" not prevent this? Are there any additional server.cfg controls I have foolishly missed to prevent self-admin voting? Or is it something everyone has to tolerate?

Ta for the swift pointer, TeeCee.


The minute you log in with the server password you would override him and become admin.

Edit :-

You could try adjusting:

    voteThreshold=1

so that almost everyone would have to vote him to make him admin?

Although I'm not quite sure which number it would be, '1'?

Edit2:-

That won't work, lol, if he was the only one on!


I realise this, but that's not the point.

I want to run a public open server, but when I go to bed I want my perpetual mission (Domination in this case) to keep running without some insomniac/foreigner joining at 4am and voting the mission and all its progress away.

I just reviewed the commands sticky and the web but still cannot see any way of preventing free admin rights on admin-less / empty servers. So again, is this something everyone has tolerated to date and not questioned before?

Regards,

TeeCee


Yeah i know what you mean!

AFAIK I don't think there's any way round it bar keeping yourself in the game overnight, tabbed out.


The answer to my query has been provided by another admin here (Deady):

set "voteThreshold=1.1" and this will disable admin voting (effectively 120% of all player votes required, impossible).

Case closed.... now if I could burn up this thread....

Cheers,

TeeCee

  (TeeCee @ Feb. 20 2009,17:23) said:
The answer to my query has been provided by another admin here (Deady):

set "voteThreshold=1.1" and this will disable admin voting (effectively 120% of all player votes required, impossible).

Case closed.... now if I could burn up this thread....

Cheers,

TeeCee

Clever thinking!

Nice one Deady

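An added example, not part of the thread and not Bohemia's code: a Python audit of the settings discussed above, with a weak server.cfg fragment beside the hardened one. It parses the `key = value;` lines and reports a voteThreshold at or below 1 (a lone player on an empty server is 100% of the vote, which is why 1.1 closes the door), an empty passwordAdmin (nothing to #login with to override a voted admin), and verifySignatures=0 (the check TeeCee switched off). The parameter names are real dedicated-server options; the two sample files, the defaults assumed for absent keys (voteThreshold 0.33, verifySignatures 0) and the reading of voteMissionPlayers as the mission-screen setting rather than an admin-vote control are assumptions made here.

```python
"""Audit the vote/admin settings of an ArmA server.cfg.  Added example, not
part of the original thread and not Bohemia's code.  Parameter names
(passwordAdmin, voteThreshold, voteMissionPlayers, verifySignatures) are the
dedicated-server options the thread refers to; the defaults assumed when a key
is absent (voteThreshold 0.33, verifySignatures 0) and the two sample files
are assumptions made here for illustration."""
import re

# Constructed sample: roughly the state the opening post describes.
WEAK_CFG = """\
hostname = "My Domination server";
passwordAdmin = "";        // nothing to #login with, so a voted admin cannot be overridden
voteThreshold = 0.33;      // one player alone on the server is 100% of the vote
voteMissionPlayers = 0;    // mission-screen setting, not the admin-vote knob (assumption)
verifySignatures = 0;      // signature checking switched off
"""

# Constructed sample: the thread's fix plus an admin password and sig checks.
HARDENED_CFG = """\
hostname = "My Domination server";
passwordAdmin = "use-a-long-random-secret";
voteThreshold = 1.1;       // more than 100% of players can never vote yes: admin voting off
voteMissionPlayers = 0;
verifySignatures = 1;
"""

# key = value;  with optional "quotes" around the value
KV = re.compile(r'^\s*(\w+)\s*=\s*("?)(.*?)\2\s*;')


def parse_cfg(text):
    """Minimal server.cfg reader: scalar `key = value;` lines, `//` comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("//", 1)[0]   # strip trailing comment (values containing '//' not handled)
        if m := KV.match(line):
            cfg[m.group(1)] = m.group(3)
    return cfg


def audit(cfg):
    """Return (severity, message) findings for settings that let a joiner vote
    himself admin, hold that role unchallenged, or load modified addons."""
    findings = []
    threshold = float(cfg.get("voteThreshold", "0.33"))   # assumed default
    if threshold <= 1.0:
        findings.append(("high", f"voteThreshold={threshold:g}: an admin vote can pass; "
                                 "a lone player on an empty server is 100% of the voters"))
    if not cfg.get("passwordAdmin"):
        findings.append(("high", "passwordAdmin is empty: no password #login to override a voted admin"))
    if cfg.get("verifySignatures", "0") == "0":                # assumed default
        findings.append(("medium", "verifySignatures=0: modified addons are accepted"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(f"{label}: {audit(parse_cfg(text)) or 'no findings'}")
```

The weak fragment yields two high and one medium finding; the hardened one yields none. Point it at the live file (`audit(parse_cfg(open("server.cfg").read()))`) after every change, since a stray `voteThreshold = 1;` silently re-enables self-voting on an empty server.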

*S* Make a file called ban.txt and put it in your ArmA folder or its server ArmA folder. Then add the game ID # only, then close. Here's my old OFP "ban.txt":

0
10
100
1000
10000
100000
1000000
10000000
00000000
0000000
00000
000
00
1054501
480414
2868045
2967375
3362781
3196583
3775515
518635
3425200
126073
3103284
601480
3211852
3028018
3607862
760936
3775515
70718
365156
972177
1155472
1267235
2952054
3085762
2955558
2974248
3276427
3451517
2923276
3366105
225987
2923276
100010784
2735357
3358984
1213708
2923276
1080495
306372
3478451
3593666
1399881
3447713
3173808
2717537
102391
239140
262195
432850
2996129
3211852
3340595
3499786
3362771
2717537
2935117
1128515
2731445
3699403
140224
1326245
120746
526117
156750
3644395
873453
175466
3370003
598009
42169702
26461651
691690
598009
42169702
26461651
691690
1275330
3921443
931729
754991
3463944
1315546
2807178
3246836
53084
3817103
3844260
2726484
100020611
100041766
230099
736406
599264
2983111
3709989
3496084
8767
565797
1292608
3453010
3727677
3718071
3458699
1308242
100256098
6787
100271224
100039591
3718475

Now you can ban them as you see fit; just keep reviewing your server log to catch them. Good luck.
