WARNING - Malicious servers
#11
Posted 16 September 2014 - 11:23 PM
#12
Posted 17 September 2014 - 06:12 AM
This post has been edited by Nikki: 17 September 2014 - 06:14 AM
#13
Posted 17 September 2014 - 07:00 AM
#14
Posted 17 September 2014 - 11:45 AM
"There is a couple of questions in regard to all of this. How can a content of a particular map package affect a game behaviour in another map? When I have a target practice with bots on my local server it is "ut4_algiers" map. Why is "chronic" map allowed to "disable" UrT bots and load its own? I am aware that assets in one map can cause visual problems in another. Common, and programming, sense tells me that map assets should be limited to affecting the game behaviour only on the map these assets are part of. Which raises a security question. Is it possible for a rogue server to distribute map(s) containing code which would deliberately infect the UrT client with cheatcode signatures, thus compromising UrT anticheat?"
#15
Posted 17 September 2014 - 12:21 PM
Please note that logging out of auth is not a solution to this problem — until the security hole is fixed, you remain vulnerable should you ever log into auth again. Make sure you don’t have any bad maps and do your best to avoid getting any. And, if you haven’t changed your auth key yet, do it. It’s made easy for a reason, you know.
Ladies and gentlemen with a YOLO attitude can of course log out of auth and restart the game before autodownloading, and check the PK3s manually: the bad maps have been repacked with a vm/ folder containing hacked versions of the QVM files. Maps without QVM files — however fishy the originating server looks — are safe. (Maybe.)
The person who spotted this QVM thing was Orbit by the way. D SZ went hunting and found several servers that matched his description.
Beginner’s Guide to Urban Terror (woefully out of date)
Daily Deadnade (Last updated September 9, 2016)
#16
Posted 17 September 2014 - 12:44 PM
Barbatos, on 16 September 2014 - 03:55 PM, said:
There are currently at least four malicious servers trying to steal authentication keys. If your auth is suddenly refusing to work and/or you see “Unknown†in the server list instead of “FREEZEâ€, you probably have connected to one of those servers and downloaded at least one map.
All those maps contain malicious code.
If you think you may be affected, delete all maps downloaded on September 14 or later and change your auth key. Downloading any maps from servers you don’t know well is discouraged until further notice.
Is it only my authentication key they can obtain through this malicious code?
#18
Posted 17 September 2014 - 05:21 PM
Nikki, on 17 September 2014 - 06:12 AM, said:
This happened to me way prior to this announcement. On 4.2.018, Auth working, and the info displayed by the "Server Info" seemed incomplete e.g players connected shown in server list, but incomplete or non of them showing up in server info. And it did show bots.
#19
Posted 17 September 2014 - 06:24 PM
Mr.Yeah, on 17 September 2014 - 05:21 PM, said:
It's always incomplete but it will show at least some of the list. Easier than telling people to get the IP and use the server browser or download qtracker :P
This post has been edited by Nikki: 17 September 2014 - 06:24 PM
#20
Posted 17 September 2014 - 06:54 PM
Maybe it should be forced for the next release. Then a message would appear:
"You need to download a map to play this game. The server you're trying to download map is not in our whitelist, so be careful and don't download map except if you know the server well" then "proceed anyway" or "cancel and return to list".
Well maybe it's too much for 4.2 which is supposed to receive only bug fixes.