The online racing simulator
X11 - Server Crasher FIXES
(22 posts, closed, started )
Hello hosters.

I've worked today on the known server crashing vulnerability issues.

You may wish to try this dedicated host, which is fully compatible but should not be crashable by hackers - by the known methods and more.

Please let me know if you come across any problems. You only need to change the LFS.exe file - the rest of the zip is the same as X10.

EDIT : LINK REMOVED DUE TO INSIM BUG - SEE X12 THREAD
Excellent news Scawen! Glad to see this problem is being addressed - keep up the good work.
I hope this will finally end all those imo useless threads about
"are the devs working on these issues" etc.

Great work thx
#4 - muhaa
Nice work Scawen
Anyone who got it in the last few minutes - please get it again as I fixed a bug.
Very good news.
#7 - muhaa
Scawen, any news on the buffer overflows I found in LFS, the local ones? Any news on the new patch, please? I'm guessing you got all the emails I sent you with the debugging and PoC code.
GREAT WORK I KNEW YOU WOULD SURPRISE US
Thanks Scawen!
Quote from muhaa :Scawen, any news on the buffer overflows I found in LFS, the local ones? Any news on the new patch, please? I'm guessing you got all the emails I sent you with the debugging and PoC code.

Read my post, then you'll see if there's any news on that.

The answer is no. This fixes the server crashing.

Muhaa, I don't want a conversation about that but I'm going to say one thing to you - you found the file reading vulnerabilities and you asked us to post something recognising that you found them. We thanked you for your help. But then you couldn't wait for the patch to be released and you went and made your vulnerabilities public. That means we won't give you any public recognition at all.

The same for the person who made the server crasher. He also gave the code to the devs and that is great - we thanked him as well. But to make it public so the entire LFS community has problems online is the most annoying thing possible. I have work to do and I don't like being forced to change direction because of hackers releasing programs onto the internet that do nothing but annoy our community.
Thank you for the update,
unfortunately my favourite insim application LFSlapper can't connect to the host anymore, it simply says "No connection could be made because the target machine actively refused it". I only replaced the server's .exe, no configuration changes have been made.
Could you please give us a bit more in-depth information so that insim applications can be modified to have them working again?
Thanks in advance!
Scawen, my insim application will not connect to the new version, is there a change in insim I/we need to know about because at the moment the insim app just crashes out.
Well, there must have been some mix-up somewhere; I gave you enough time before releasing the PoC code. I sent many emails, a lot with no replies.

Quote :
That means we won't give you any public recognition at all.

I don't want any public recognition. I sent you all the information you need. But meh, anyway, good luck. The server vulns had nothing to do with me at all. At least it is going to be secure now and much better for the community. I made a choice about the release of the PoC code, for the reason that non-public disclosure is a bad thing. Anyway, going off topic. Good luck with the fixes.
#14 - Jakg
Without continuing this debate unnecessarily - you sent him the code and he said thanks and said he'd look at it. You set a date, and were trying to force him to do stuff. You don't own Scawen, no-one does. I think this is the problem.
Quote from FM-Failure :Thank you for the update,
unfortunately my favourite insim application LFSlapper can't connect to the host anymore, it simply says "No connection could be made because the target machine actively refused it". I only replaced the server's .exe, no configuration changes have been made.
Could you please give us a bit more in-depth information so that insim applications can be modified to have them working again?
Thanks in advance!

Quote from Becky Rose :Scawen, my insim application will not connect to the new version, is there a change in insim I/we need to know about because at the moment the insim app just crashes out.

Umm, no changes have been made to InSim. Are you sure this isn't some kind of firewall thing? I'll have a look and see if it works on mine.

Quote from muhaa :Well, there must have been some mix-up somewhere; I gave you enough time before releasing the PoC code. I sent many emails, a lot with no replies.

Enough time? You gave us about 2 days then made it public. MISTAKE! I was deep in AI code and I am still deep in code. It takes a long time from "deep in code" to "release a patch". You don't understand the complexity of LFS and the development process. I can't drop everything when a hacker finds a small issue. I could have thanked you publicly for finding the vulnerabilities, if you had not released it.
I will learn by my mistakes, I'm sure, for future releases of any other exploit or PoC code. I take this as a valid learning lesson on which I will be more than happy to improve in the future. People make bad mistakes and often make bad decisions, but if I could change things I would. Can we drop it before people start to flame? I've admitted I made a mistake and that's all I can say. I thought you guys were not taking it seriously; I think it was more than 2 days before the PoC was released.
Quote from Scawen :Umm, no changes have been made to InSim. Are you sure this isn't some kind of firewall thing? I'll have a look and see if it works on mine.

I can assure you 100% that it is definitely not a firewall thing; the insim application was running fine a minute before I replaced the server's .exe - and that was all I did, no configuration changes!
ditto, our server doesn't actually have a firewall installed, they're not really a server thing.
#19 - Gunn
Quote from muhaa :I will learn by my mistakes, I'm sure, for future releases of any other exploit or PoC code.

Just do the right thing and don't release it publicly at all. What were you thinking? The mind boggles at why somebody would deliberately piss off thousands of people. My hero. :rolleyes:

Grow up ffs.
Ffs, I've already said I take full responsibility for my actions and will not make the same mistake again. What do you want, blood? This is the way the security industry works and always will. And next time I won't release anything about it till the patch has been applied.
Let's not turn this into a crap post; it's good that the fixes have been made.
About the InSim: LTC InSim has connected fine, it's being tested on LTC3 atm. I cannot connect myself, as I don't have LFS at work :P

Will keep you updated

**edit** everything seems to be working with LTC.
I confirm I've reproduced and fixed the X11 InSim command line initialisation bug.

It failed if you use the command line or command file.

X12 will be released in a few minutes...

I'll close this thread and start a new one with X12.
This thread is closed
