Hey again,

I was looking for smt on YT, and I found this:

http://www.youtube.com/watch?v=LQ32itAikCE

Small footage demonstrating a quick remote code execution exploit by hosting a specially crafted jj2 level to take control of a remote host. Note: This is not a tutorial on how to perform this kind of hacking, don't ask me for one.

Is it true? If it is, then someone needs to fix this bug, before others will discover it.

Regards,
Xx

Knowing Overlord, it probably is true.

But I'm pretty sure hacks like these have been around for at least two years now. No ne has seriously targeted JJ2 yet.

I thought about doing that, but i never tried to.

A truely malicious version of this would install a bot/rootkit on the victim's computer instead of just spawning a shell.

Limited rights will stop this, using Vista or Windows 7 with UAC will stop any major harm done as the application (jj2) would be run with little user rights. XP users however running with admin rights would be screwed.

This exploit isn't something you need to worry too much, the only people who have any idea how to do this (and you could probably count them on one hand) aren't going to abuse it or let the information out. Newspaz is right in that this sort of thing has been known about for some time.

The fact remains that jj2 has some major security holes though, and it's something that would be good to fix. The stuff shown in this video isn't even the worst that's possible.

not like anyone would actually join a server hosting battle1 XD.

Even though alot in theory can be done, I dont see at as a huge threat. Nowadays most people either join friends servers or the major dedicated ones, so falling for this isnt very likely.

Also I agree with Evilmike, people who have this and actually know how to use it areny very likely to abuse, and if they do, well its not the end of the world. Theres a limited amount someone can do from command prompt and even if your computer gets screwed, thats what backups are for.

Theres a limited amount someone can do from command prompt and even if your computer gets screwed, thats what backups are for.
There is literally no limit to what can be done. The command prompt in the video is just an easy demonstration, and even with that alone you can pretty much do anything you want.

If you can hijack someone's computer like in that video, uploading a trojan or virus is trivial. If your computer gets compromised in this way, the person on the other end can do whatever they want to. There really is no limit, and if they are smart about it, you won't even notice that they hacked you.

The best protection is what nimrod mentioned: don't run your computer in admin mode.

The command prompt might be limited, but if someone manages to install a Remote Administrative Trojan/Tool on your computer, you are screwed.

Depends on how it's configured. If there's no signature for whatever shellcode or rootkit is being used, and the firewall is configured to generally let stuff through, then it may never warn about this.

I have seen computers with current anti-virus definitions and a reasonably secure firewall get owned by trojans.

who'd do that?maybe he was accessing his other computer.

what about this.

mkdir dood/has/been/caught/on/tv/you/idiot/:P
It was just a joke.
but seriously,who'd do that?

lol you got owned