Version 0.2.8.3.2 of the multiplayer lightcycle game Armagetron Advanced has been released, fixing several vulnerabilities.
The most important vulnerability let modified clients send servers into infinite loops by exploiting a bug in handling the very, very old cycle turn command protocol.
The second vulnerability allowed anyone with enough access rights to execute "/admin include" to gain owner rights on a server and take it over for as long as it kept running....
It took a while, but the long-expected release 0.2.8.3 of the multiplayer lightcycle game Armagetron Advanced is finally here.
Polishing existing things has been the focus of this release. This version handles lag better than any version before it, rendering performance has been increased, and there were many small victories in the ever-continuing war against spam. One big new feature made it in, too: players are now able to authenticate to game servers using a distributed protocol, thus making organized competitive play that much easier and the life of impostors and trolls harder.
Two attack possibilities have been discovered that let anyone shut down or freeze a game server with a modified client. Additionally, remote administrators can freeze a game server with commands that produce too much output. Versions 0.2.8.X are affected by all three; version 0.2.8.2.1, fixing them all, is available in the file release section.
Other versions are vulnerable to the server shutdown exploit, too; there, a crash can be caused. Patches for 0.2.7.X, 0.2.6.X and 0.3.0 are available in the patches section. Let us know which versions are in active use in binary form; we'll consider full releases for those who can't use a source patch....
Armagetron Advanced, the multiplayer lightcycle game, just got a new minor release.
Some smaller improvements and bugfixes went into 0.2.8.2. Console and chat now have a history function, spectators are now visible to other players so they can chat and be kicked, and team management has been sanitized a bit. It should be a safe upgrade for all users of 0.2.8.1.
The next release is planned to be the experimental release 0.3.0, showcasing where we're going. There is also going to be a 0.2.8.3 with more small improvements later.
All 0.2.8 beta and release candidate versions of Armagetron Advanced and 0.2.8.0 itself are vulnerable to file-path-related attacks. Versions 0.2.7.1 and earlier lack the features that introduce the vulnerability and are safe.
There are two attack scenarios. In the first, a malicious server administrator can use a forged MAP_FILE path to inject files in arbitrary places on the clients as long as no file already exists there. This has been fixed in version 0.2.8.0. In the second scenario, a malicious remote server administrator can read partial content of every file the server has access to. Whole private SSH and GPG keys can be read. This vulnerability has been closed in 0.2.8.1....
Recently, some security vulnerabilities in Armagetron Advanced have been made public. Read more here:
In response, version 0.2.7.1, which fixes these problems, has been made available. It also fixes several large and many small annoying bugs, like the rip bug and client/server cycle synchronization problems. Please see the release notes for more information.
The development team is pleased to announce version 0.2.7.0. Enjoy!
Our development team is proud to announce "Armagetron Advanced" - which includes several new features that have been added to Manuel Moos's original Armagetron. This project is currently preparing documentation and configurable options.
More news will follow regarding our release when the appropriate time comes.