Urban Terror Forums: Remote Access -Possible Vuln -i386 & x64 - Urban Terror Forums

Remote Access -Possible Vuln -i386 & x64

Smurf /Trolling/ activity

#1 whohah

  • Account: whohah
  • Joined: 22-September 11
  • Posts: 1

Posted 29 January 2012 - 10:52 AM

Noticed some strange anomalies during gameplay, DDoS etc., file access & other access.

Is this related to the ioquake3 vulns? Please comment.

Set up some audit logs to see what was going on; see logs below.

Whilst playing, files such as tcpdump, firefox, & /etc/passwd are being accessed, and denied, but the access request is via the urbanterror application, appears to be piped through nvidiactl.

This occurs on some servers, not all, and there seems to be some chat in regards to these activities.

Thought this had been corrected? No guru, but these files shouldn't be accessed by the UT executable; one slip on an unpatched system and voilà, root access via the app. Looks like smurfing was attempted.


2:47 AM (17 hours ago)

Include Evince & thumbnailer


type=AVC msg=audit(1326506857.797:109): apparmor="DENIED" operation="open" parent=1 profile="/home/user/Downloads/UrbanTerror/ioUrbanTerror.i386" name="/etc/passwd" pid=6333 comm="ioUrbanTerror.i" requested_mask="r" denied_mask="r" fsuid=1006 ouid=0
type=AVC msg=audit(1326544741.665:463): apparmor="DENIED" operation="open" parent=1 profile="/home/user/Downloads/UrbanTerror/ioUrbanTerror.i386" name="/etc/passwd" pid=10378 comm="ioUrbanTerror.i" requested_mask="r" denied_mask="r" fsuid=1006 ouid=0
type=AVC msg=audit(1326590224.799:58): apparmor="DENIED" operation="open" parent=1934 profile="/usr/lib/firefox-9.0.1/firefox{,*[^s][^h]}" name="/dev/nvidiactl" pid=1937 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
type=AVC msg=audit(1326590767.580:59): apparmor="DENIED" operation="open" parent=2117 profile="/usr/lib/firefox-9.0.1/firefox{,*[^s][^h]}" name="/dev/nvidiactl" pid=2120 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
type=AVC msg=audit(1327574589.468:58): apparmor="DENIED" operation="open" parent=2150 profile="/usr/lib/firefox-9.0.1/firefox{,*[^s][^h]}" name="/dev/nvidiactl" pid=2153 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0

# Looks like the old Quake3 bug is still in the code.

http://www.derkeiler...5/msg00168.html

This post has been edited by whohah: 30 January 2012 - 04:26 AM


#2 whohah

  • Account: whohah
  • Joined: 22-September 11
  • Posts: 1

Posted 30 January 2012 - 04:20 AM

# Others have said it looks like this old exploit for Quake3.
http://www.derkeiler...5/msg00168.html

This post has been edited by whohah: 30 January 2012 - 04:27 AM


#3 s.e.t.i.

  •   former FS member   
    Engine Developer
  • Account: seti
  • Joined: 07-November 08
  • Posts: 504

Posted 30 January 2012 - 08:50 AM

Pretty sure this was closed a long time ago, in fact I'm pretty sure ID closed this with the 1.32 Point Release.

I'm curious though, the bug you point to is a server side bug. Your logs show that it's your client making those requests and of them I only see two requests via ioUrbanTerror.i386 that were properly denied access to /etc/passwd. The rest are from Firefox (not the Urt executable).

This looks like client, and ioUrbanTerror.i386 absolutely does not attempt to access any system files. Oh... one last thing... NEVER run a game as root. Just saying...

Your Ubuntu forum post has generated some responses from their experts explaining to you what is happening in your log. I agree with them that you should install this game properly, not run it from an unsecured Downloads folder, and you should NOT run it as root.
Cheers... s.e.t.i.
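
An added example, not part of any post in this thread: a short Python script that tallies the AppArmor denial records quoted in post #1 by process name, fsuid, target path and denied mask, which is the breakdown the reply above does by eye. The function names are this example's own; the log lines are the five records from post #1.

```python
import re
from collections import Counter

# The five denial records quoted in post #1 of this thread.
AUDIT_LINES = [
    'type=AVC msg=audit(1326506857.797:109): apparmor="DENIED" operation="open" parent=1 profile="/home/user/Downloads/UrbanTerror/ioUrbanTerror.i386" name="/etc/passwd" pid=6333 comm="ioUrbanTerror.i" requested_mask="r" denied_mask="r" fsuid=1006 ouid=0',
    'type=AVC msg=audit(1326544741.665:463): apparmor="DENIED" operation="open" parent=1 profile="/home/user/Downloads/UrbanTerror/ioUrbanTerror.i386" name="/etc/passwd" pid=10378 comm="ioUrbanTerror.i" requested_mask="r" denied_mask="r" fsuid=1006 ouid=0',
    'type=AVC msg=audit(1326590224.799:58): apparmor="DENIED" operation="open" parent=1934 profile="/usr/lib/firefox-9.0.1/firefox{,*[^s][^h]}" name="/dev/nvidiactl" pid=1937 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0',
    'type=AVC msg=audit(1326590767.580:59): apparmor="DENIED" operation="open" parent=2117 profile="/usr/lib/firefox-9.0.1/firefox{,*[^s][^h]}" name="/dev/nvidiactl" pid=2120 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0',
    'type=AVC msg=audit(1327574589.468:58): apparmor="DENIED" operation="open" parent=2150 profile="/usr/lib/firefox-9.0.1/firefox{,*[^s][^h]}" name="/dev/nvidiactl" pid=2153 comm="firefox" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0',
]

# key=value pairs; a value is either a double-quoted string or a bare token.
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# Fields needed to say which process, running as which uid, was denied what.
REQUIRED = ("comm", "fsuid", "name", "denied_mask")


def parse_avc(line):
    """Return the key=value fields of one audit record as a dict of strings."""
    rec = {}
    for key, raw, quoted in FIELD.findall(line):
        rec[key] = quoted if raw.startswith('"') else raw
    return rec


def summarize(lines):
    """Tally complete DENIED records; return (Counter, incomplete_count)."""
    counts, incomplete = Counter(), 0
    for line in lines:
        rec = parse_avc(line)
        if rec.get("apparmor") != "DENIED":
            continue
        if not all(k in rec for k in REQUIRED):
            incomplete += 1  # record cut off mid-line, e.g. by a partial paste
            continue
        counts[tuple(rec[k] for k in REQUIRED)] += 1
    return counts, incomplete


if __name__ == "__main__":
    counts, incomplete = summarize(AUDIT_LINES)
    for (comm, fsuid, name, mask), n in counts.most_common():
        print(f"{n}x comm={comm} fsuid={fsuid} denied '{mask}' on {name}")
    print(f"incomplete records skipped: {incomplete}")
```

In these records `fsuid` is the filesystem UID of the process making the request and `ouid` is the owner of the file it asked for, so `fsuid=0` is what a process running as root would show.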