ULX exploit and/or bug.

[NaRyan]

Got it installed on my 3 servers now.
Only "used" it on my TTT server and I do have one little problem.
On map change I have to re-connect for ULX to work for me.

If I try to use any ULX commands or change any settings it does not do the commands or change settings.
However if I re-connect then it works fine.

[Megiddo]

NaRyan, even though it works fine for me I had forgotten about the really annoying bug of utter mystery, sorry about that. I'll be switching over the data transmission to another method shortly, so let me know if it fixes it for you.

Edit: Changed in ULib rev 185. Be sure to let me know if this fixes it for you NaRyan, as I have never been able to replicate this problem on my test server.

[NaRyan]

Ahh cool thanks
I'll let you know how it goes once I get a chance to update my servers....

*edit*
I tested it on my sandbox server, and after changing map I was still able to change settings and use Admin commands.

[JamminR]

CURSE YOU!

You're sadly awesome

Most interesting complement I've heard in a while.
Kudos!


We hope the changes made help in overall anti-exploitation, but, as this is a Source issue..those abusing it may know other ways around using ULX.

[krooks]

Ok so people on the FP thread are suggesting that we disable rcon, I'd rather not ask there how to go about doing that (for obvious reasons), anyone here know how to completely disable rcon?

[Pantho]

Ok so people on the FP thread are suggesting that we disable rcon, I'd rather not ask there how to go about doing that (for obvious reasons), anyone here know how to completely disable rcon?

Many ways, disable the port, set it to no password.

Not really sure why you would disable Rcon, I mean long as your not silly enough to set it inside a config and use command line.

I don't think there are many exploits that directly get rcon like there suggesting. Just make your rcon something long and obscure I normally go for #randomwords@841235#smells@ etc

[krooks]

ah ok, thanks for the information, I'll just go TheL0ngPassw0rdR0ut@! 
also by not setting in a config, do you mean not to have it in server.cfg? Then where should it go?

I don't and have never used rcon, so I'm very nooby about it.

[JamminR]

not to have it in server.cfg? Then where should it go?

If you're going to enable it (by setting a password instead of rcon_password "" (which disables it)), you use a command line option in server startup.
I forget if you use a plus (+rcon_password) or minus (-rcon_password), but many Source exploits ago, it was recommended the command line option be used.

[krooks]

ah ha, thanks again guys!

[Aaron113]

It's +rcon_password

[NaRyan]

I updated Ulib on my 3 servers, and ULX commands now work fine after gamemode\map change

[Megiddo]

I updated Ulib on my 3 servers, and ULX commands now work fine after gamemode\map change

Thanks, NaRyan!

[Pantho]

If you're going to enable it (by setting a password instead of rcon_password "" (which disables it)), you use a command line option in server startup.
I forget if you use a plus (+rcon_password) or minus (-rcon_password), but many Source exploits ago, it was recommended the command line option be used.

Not as long as you think.

The exploit got a refresh recently, still private. Might be patched again I've no idea.

But, here was a new download exploit around 1 month ago.

[krooks]

Ugh, not another download exploit..
Now that I look at it, I still have my sv_allowupload/download settings at 0, from the last time

[ceribik]

There appears to be some variation of this exploit floating about... similiar things are happening again

admin timesout --> admin rejoins --> ulx command is spoofed

I'm not entirely sure how this is working now that the server + client share a secret key, but i want to emphasise that this occurs when the admin rejoins and not while the admin is dc/d (like in the original variation of this exploit).