Server Patches
From Call of Duty 2
CoD2 Version 1.0 only
Please note: all information contained in this article applies Call of Duty 2 version 1.0 (does not apply to version 1.3 or any other version)
Denial of Service Attacks
Evil Chinese Hackers have discovered ways that any player can crash a CoD2 version 1.0 server by sending overly long messages or commands. (See: nuke.cfg and nuke2.cfg)
Server Patches
Luigi Auriemma has documented the bugs. http://aluigi.altervista.org/
Luigi has developed unofficial patches for the server binaries to address these bugs. http://aluigi.altervista.org/patches.htm
.lpatch files
Patches are distributed as .lpatch files, which are a custom format for use with his own patching program, Lame Patcher. (lpatch)
Download Lame Patcher
Lame Patcher (lpatch) is the tool that is used to apply the patches.
You can download lpatch here: http://aluigi.altervista.org/mytoolz/lpatch.zip
Local Mirror: http://download.smaert.com/lpatch.zip (version 0.4.4)
The program is for Windows.
Source code for the program is included, which can be used to build lpatch for linux.
Patch 1: message buffer overrun fix (CRITICAL)
This is Luigi's unofficial work-around patch for Call of Duty 2 to fix server crashes caused by a buffer overflow triggered by overly-long messages.
The crash is caused by this: http://aluigi.org/adv/codmsgboom-adv.txt
Windows msg Patch
This patch is for Call of Duty 2 v1.0 for Windows
Luigi Fixes it with a single byte:
I have written a simple patch that requires the modification of only one byte. That is possible limiting the allowed client strings to less than 1024, like about 896 bytes (we need to calculated the maximum visualized string that includes also the client nickname and other parameters!)
Download the patch here: http://aluigi.altervista.org/patches/codmsgfix.lpatch
Local Mirror: (view the patch) http://view.smaert.com/codmsgfix.lpatch
Local Mirror: (download the patch) http://download.smaert.com/codmsgfix.lpatch
Linux msg Patch
The linux CoD2 server is not vulnerable to long message attacks. There is no patch required. If you run a linux server, then you do not need to patch this.
Testing for vulnerability
If you would like to test to see if your server is vulnerable to this attack, please see the Nukes article.
Patch 2: work-around for the va() bug (CRITICAL)
This is Luigi's unofficial work-around patch for Call of Duty 2 to fix server crashes with the error message:
Attempted to overrun string in call to va()
Windows va() patch
This patch was written for CoD2 version 1.3 for Windows. Even though it is for 1.3, this patch will apply and function correctly with CoD2 1.0
Download the patch here: http://aluigi.altervista.org/patches/cod2vawo.lpatch
Local Mirror: (view the windows patch) http://view.smaert.com/cod2vawo.lpatch
Local Mirror: (download the windows patch) http://download.smaert.com/cod2vawo.lpatch
Linux va() patch
This patch will work for CoD2 version 1.0 for linux.
Download the patch here: http://aluigi.altervista.org/patches/cod2vawo10linux.lpatch
Local Mirror: (view the linux patch) http://view.smaert.com/cod2vawo10linux.lpatch
Local Mirror: (download the linux patch) http://download.smaert.com/cod2vawo10linux.lpatch
Testing for vulnerability
If you would like to test to see if your server is vulnerable to this attack, please see the Nukes article.
Patch 3: remove rcon rate limiting (OPTIONAL)
This patch is used to prevent a potential Denial of Service condition in the rcon service that is caused by brute-force attempts at guessing passwords.
The Original Problem: People use crappy rcon passwords. Hackers try to brute-force guess crappy rcon passwords.
The Original Solution: Activision attempted to mitigate this problem by enforcing a delay between rcon commands. This slows down the rate at which guesses can be tried. Activision added a feature to the CoD2 server that only allows 2 rcon commands per second. If more rcon packets arrive within that window, they will be discarded. This slows the rate at which passwords can be guessed.
The New Problem: If someone is trying to guess passwords as fast as they can (ignoring the 2 per second delay), Activision's solution will prevent legitimate admins from being able to execute rcon commands.
The New Solution: Remove the rcon rate limit. Luigi provided a patch for this. It removes the rate limit on rcon commands and allows commands or guesses to be executed as fast as possible.
The Drawback to the New Solution: Applying this patch will prevent outside hackers from being able to lock out rcon commands for legitimate users, but this patch also makes it easier (faster) for hackers to guess the rcon password. This patch is a trade-off, which is why I consider it optional. If you apply this patch, please make sure that you have a strong unguessable password.
Windows rcon Patch
This patch does NOT appear to work on Windows servers for some reason.
Linux rcon Patch
This patch IS functional for Linux-based servers.
Download the patch here: http://aluigi.altervista.org/patches/q3rconz.lpatch
Local Mirror: (view the patch) http://view.smaert.com/q3rconz.lpatch
Local Mirror: (download the patch) http://download.smaert.com/q3rconz.lpatch
Patch 4: work-around for the voting bug (CRITICAL)
This is Luigi's unofficial work-around patch for Call of Duty 2 to fix server crashes with the error message:
Sys_Error: FS_BuildOSPath: os path length exceeded
This bug only affects servers that have voting enabled.
Original Patch for version 1.3
Luigi released a version of this patch for CoD2 version 1.3, however this patch does not work for CoD2 1.0
You can download Luigi's original patch for version 1.3 here: http://aluigi.org/patches/codmapboffix.lpatch
Local Mirror: (view the 1.3 patch) http://view.smaert.com/codmapboffix.lpatch
Local Mirror: (download the 1.3 patch) http://download.smaert.com/codmapboffix.lpatch
Windows voting patch for version 1.0
As of this time there is no known fix for this bug under Windows.
If you need to defend against this bug on a Windows CoD2 1.0 server, turn voting off.
Linux voting patch for version 1.0
smugllama back-ported Luigi's original patch from version 1.3 to 1.0.
This patch fixes the voting bug on linux CoD2 1.0 servers.
Local Mirror: (view the linux patch) http://view.smaert.com/codmapboffix10linux.lpatch
Local Mirror: (download the linux patch) http://download.smaert.com/codmapboffix10linux.lpatch
Testing for vulnerability
If you would like to test to see if your server is vulnerable to this attack, please see nuke3.cfg in the Nukes article.
Pre-patched Hardened Binaries
If all of the patching process is too much for you to handle, I also offer the option of downloading a pre-patched server executable to make it easier for noob admins.
Pre-patched Windows CoD2 1.0 Server
This is CoD2MP_s.exe for CoD2 1.0 with both Patch 1 and Patch 2 already applied.
- Shut down your CoD2 server.
- Open the folder where you installed CoD2. Usually, this is in: C:\Program Files\Activision\Call of Duty 2\
- rename your existing CoD2MP_s.exe to CoD2MP_s.backup.exe
- Download the replacement exe here: http://download.smaert.com/CoD2MP_s.exe
Pre-patched Linux CoD2 1.0 Server
You can download pre-patched linix binaries here. Be sure to back up your original cod2_lnxded and then replace it with one of these two:
With Patch 2 and Patch 4
This is cod2_lnxded for CoD2 1.0 with Patch 2 and Patch 4 already applied.
Download it here: http://download.smaert.com/cod2_lnxded.tar.gz
With Patch 2, 3, and 4
This executable also has the rcon rate limit removed (Patch 3)
This is cod2_lnxded for CoD2 1.0 with Patch 2, Patch 3, and Patch 4 already applied.
Download it here: http://download.smaert.com/cod2_lnxded.norconlimit.tar.gz
Copyright Compliance
It is distinctly possible that Activision may take issue with me distributing their server executables, so I am including contact information in case there is a problem with this.
Activision: If this is a problem, please notify dmca@smaert.com and I will take down the offending content immediately.
