[cod] A word of advice

B.M. Schiltmans b.m.schiltmans at planet.nl
Wed Jan 20 03:32:17 EST 2010


I highly doubt that this is exploited through the game. The way I see it:
- You connect to some server with http-redirect enabled, and note or 
memorize the http location that the downloads come from.
- Start a browser, and go to the http-redirect-site
- If you're 'lucky', you can see the cfg-files, either by browsing the 
directories, or by guessing the .cfg name(s)

As an admin this can easily be prevented by any of the following:
- Don't store config-files on the http-redirect, in fact, just store 
files there that actually need to be downloaded. Of course this only 
works if you have a separate redirect-space.
- Instruct your webserver to not allow access to things like .cfg, .txt, 
etc etc
- As an extra security/obscurity, just disable directory-browsing. Let's 
not make anyone any smarter than they need to be ;-)

That should do the trick. Oh and one more thing (I learned the hard 
way), NEVER EVER use the rcon password for something like an os-user. IF 
someone finds out the password,.....

As a sidenote for clan-based servers. Clans often want to update their 
usermaps all at once instead of on every map change. In this case the 
http-redirect is not ideal, so we use rsync to do that. When the server 
has updated maps, I send an email, and all they have to do is click some 
desktop-icon to update their own set. We implemented this because cod5 
crashes a lot when it has to get an updated version of some map.

Grtz
Bram

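An added example (not part of Bram's mail or of any CoD server code) that
walks through the three steps he describes against a local stand-in for
the redirect host: browse the directory, guess cfg names, fetch them. The
same audit is then run against a hardened handler that refuses directory
listings and .cfg/.txt files while still serving the .iwd payload. The
directory name "mymod", the guessed file names in CANDIDATE_CFGS and the
file contents are all constructed for the demo; it binds only to
127.0.0.1 and runs offline.

```python
import functools
import http.server
import os
import re
import shutil
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request

# Config names an attacker would guess on a redirect host (constructed list).
CANDIDATE_CFGS = ["server.cfg", "config.cfg", "rcon.cfg"]
# Extensions a game client never needs to download.
BLOCKED_SUFFIXES = (".cfg", ".txt")


class PermissiveHandler(http.server.SimpleHTTPRequestHandler):
    """Stock behaviour: directory listings on, every file served."""

    def log_message(self, *args):  # keep the demo output quiet
        pass


class HardenedHandler(PermissiveHandler):
    """Serves only real download payloads: no listings, no .cfg/.txt."""

    def list_directory(self, path):
        # Same effect as Apache 'Options -Indexes' / nginx 'autoindex off'.
        self.send_error(403, "Directory listing disabled")
        return None

    def do_GET(self):
        # Same effect as an Apache <FilesMatch> deny / nginx location rule.
        if self.path.split("?", 1)[0].lower().endswith(BLOCKED_SUFFIXES):
            self.send_error(403, "File type not served")
            return
        super().do_GET()


def build_redirect_tree():
    """Constructed redirect root: one mod payload plus a misplaced server.cfg."""
    root = tempfile.mkdtemp(prefix="redirect-")
    mod = os.path.join(root, "mymod")
    os.makedirs(mod)
    with open(os.path.join(mod, "mymod.iwd"), "wb") as f:
        f.write(b"PK\x03\x04 constructed placeholder, not a real iwd")
    with open(os.path.join(mod, "server.cfg"), "w") as f:
        f.write('set rcon_password "constructed-example-only"\n')
    return root


def serve(handler_cls, root):
    """Start handler_cls on a random loopback port, serving root."""
    handler = functools.partial(handler_cls, directory=root)
    srv = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def fetch(url):
    """Return (status, body) without raising on 4xx/5xx."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""


def audit_redirect(base_url, mod_dir):
    """Browse the directory, then guess cfg names; also confirm the mod is served."""
    findings = {"listing": [], "exposed": [], "payload_ok": False}
    status, body = fetch("%s/%s/" % (base_url, mod_dir))
    if status == 200:  # directory browsing is on: harvest every link
        findings["listing"] = sorted(set(re.findall(r'href="([^"?]+)"', body)))
    for name in CANDIDATE_CFGS:
        status, _ = fetch("%s/%s/%s" % (base_url, mod_dir, name))
        if status == 200:
            findings["exposed"].append(name)
    status, _ = fetch("%s/%s/mymod.iwd" % (base_url, mod_dir))
    findings["payload_ok"] = status == 200
    return findings


def run_demo(handler_cls):
    """Serve the constructed tree with handler_cls, audit it, tear down."""
    root = build_redirect_tree()
    srv, base = serve(handler_cls, root)
    try:
        return audit_redirect(base, "mymod")
    finally:
        srv.shutdown()
        srv.server_close()
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print("permissive:", run_demo(PermissiveHandler))
    print("hardened:  ", run_demo(HardenedHandler))
```

On a real redirect host you get the hardened behaviour from the webserver
config rather than a handler subclass: Apache with Options -Indexes plus a
FilesMatch block for \.(cfg|txt)$ that denies everything, or nginx with
autoindex off and a location ~* \.(cfg|txt)$ that returns 403. The audit
half is worth keeping around: point it at your own redirect URL after a
config change and make sure "exposed" comes back empty while the .iwd
still downloads.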

Tomé Duarte wrote:
> I believe when you're using HTTP redirect the gameserver automatically 
> redirects all downloads to the configured URL. However, a custom 
> application to exploit this misconfiguration may somehow be able to 
> download the server.cfg; this depends on the server code but it's 
> highly probable that it redirects the request to the webserver.
>
> Does anyone have any more info on this vuln? Is it just the 
> sv_allowdownload cvar or are there any other "requirements"? Is there 
> a published vuln report or exploit?
>
> Cheers,
> Tomé Duarte
>
> Connect with me via:
> Twitter: http://twitter.com/tomeduarte
> LinkedIn: http://www.linkedin.com/in/tduarte
>
>
> On Wed, Jan 20, 2010 at 1:04 AM, Geoff Goas <gitman at gmail.com 
> <mailto:gitman at gmail.com>> wrote:
>
>     I do... I was under the impression that sv_allowdownload had to be
>     enabled in order for HTTP redirect to work. Is that not the case?
>
>
>     On Mon, Jan 18, 2010 at 7:36 PM, Mavrick Master
>     <mavrick.master at gmail.com <mailto:mavrick.master at gmail.com>> wrote:
>
>         Do you have the http redirect setup?
>
>         If not, may I suggest you set this up and in the off-server
>         http location only store the mod and not your config files.
>         This should solve your problem.
>
>
>         Daniel 'mavrick' Lang
>         www.mavrick.id.au <http://www.mavrick.id.au>
>
>
>         On Sun, Jan 17, 2010 at 2:45 PM, Geoff Goas <gitman at gmail.com
>         <mailto:gitman at gmail.com>> wrote:
>
>             That's correct.
>
>
>             On Mon, Jan 11, 2010 at 7:25 PM, Mavrick Master
>             <mavrick.master at gmail.com
>             <mailto:mavrick.master at gmail.com>> wrote:
>
>                 The client auto-download was used because I presume
>                 you are running a mod?
>
>                 Daniel 'mavrick' Lang
>                 www.mavrick.id.au <http://www.mavrick.id.au>
>
>
>
>                 On Thu, Dec 31, 2009 at 11:15 PM, Hannu Kumpeli
>                 <hannu at shadowstyle.nl <mailto:hannu at shadowstyle.nl>>
>                 wrote:
>
>                     well after they got the rcon pass they could
>                     change all non write protected
>
>                     > But they could only download and view, not
>                     edit, correct?
>                     >
>                     >
>                     >
>                     > From: Geoff Goas [mailto:gitman at gmail.com
>                     <mailto:gitman at gmail.com>]
>                     > Sent: Thursday, December 31, 2009 1:03 AM
>                     > To: Call of Duty server admin list.
>                     > Subject: [cod] A word of advice
>                     >
>                     >
>                     >
>                     > This may not be news to some, but I just had first
>                     hand experience with it, so I
>                     > think I should share....
>                     >
>                     > Someone just gained access to the RCON password
>                     for my CoD2 server.
>                     > Apparently, they were able to use the client
>                     auto-download functionality to
>                     > download my server configuration, which I
>                     (stupidly) had named "server.cfg".
>                     >
>                     > So a word to the wise - name your server config
>                     in such a way that nobody
>                     > can guess what it is. This is a Q3 engine bug,
>                     so the whole series is
>                     > affected.
>                     > --
>                     > Geoff Goas
>                     > Network Engineer
>                     >
>                     > _______________________________________________
>                     > cod mailing list
>                     > cod at icculus.org <mailto:cod at icculus.org>
>                     > http://icculus.org/mailman/listinfo/cod
>
>
>
>
>
>
>
>
>             -- 
>             Geoff Goas
>             Network Engineer
>
>
>
>
>
>
>
>
>     -- 
>     Geoff Goas
>     Network Engineer
>
>
>

