[cod] A word of advice

Riku Kaura-aho richarttos at gmail.com
Wed Jan 20 09:28:52 EST 2010


http://aluigi.org/search.php?src=sv_allowdownload
http://www.securityfocus.com/archive/1/archive/1/433349/100/0/threaded

At least there has been a bug like this and it's severe. That second news item
says that you can get any file on the server which is readable by the
game-server user. This is really worth checking: whether the same bug still
exists and makes all servers vulnerable. Not only the game-server files are
in danger but also the whole server if the user isn't chrooted properly.

2010/1/20 Geoff Goas <gitman at gmail.com>

> I know the difference here. The console log lines clearly stated
> (paraphrased) 'clientDownload <clientnum> : beginning "fs_game/server.cfg"'.
>
> Only IWDs are contained in my HTTP redirect path.
>
>
> On Wed, Jan 20, 2010 at 3:32 AM, B.M. Schiltmans <b.m.schiltmans at planet.nl> wrote:
>
>> I highly doubt that this is exploited through the game. The way I see it:
>> - You connect to some server with http-redirect enabled, and note or
>> memorize the http location that the downloads come from.
>> - Start a browser, and go to the http-redirect-site
>> - If you're 'lucky', you can see the cfg-files, either by browsing the
>> directories, or by guessing the .cfg name(s)
>>
>> As an admin this can easily be prevented by any of the following:
>> - Don't store config-files on the http-redirect, in fact, just store files
>> there that actually need to be downloaded. Of course this only works if you
>> have a separate redirect-space.
>> - Instruct your webserver to not allow access to things like .cfg, .txt, etc.
>> - As an extra security/obscurity, just disable directory-browsing. Let's
>> not make anyone any smarter than they need to be ;-)
>>
>> That should do the trick. Oh and one more thing (I learned the hard way),
>> NEVER EVER use the rcon password for something like an os-user. IF someone
>> finds out the password,.....
>>
>> As a sidenote for clan-based servers. Clans often want to update their
>> usermaps all at once instead of on every map change. In this case the
>> http-redirect is not ideal, so we use rsync to do that. When the server has
>> updated maps, I send an email, and all they have to do is click some
>> desktop-icon to update their own set. We implemented this because cod5 crashes
>> a lot when it has to get an updated version of some map.
>>
>> Grtz
>> Bram
>>
>>
>> Tomé Duarte wrote:
>>
>>> I believe when you're using HTTP redirect the gameserver automatically
>>> redirects all downloads to the configured URL. However, a custom application
>>> to exploit this misconfiguration may somehow be able to download the
>>> server.cfg; this depends on the server code but it's highly probable that it
>>> redirects the request to the webserver.
>>>
>>> Does anyone have any more info on this vuln? Is it just the
>>> sv_allowdownload cvar or are there any other "requirements"? Is there a
>>> published vuln report or exploit?
>>>
>>> Cheers,
>>> Tomé Duarte
>>>
>>> Connect with me via:
>>> Twitter: http://twitter.com/tomeduarte
>>> LinkedIn: http://www.linkedin.com/in/tduarte
>>>
>>>
>>> On Wed, Jan 20, 2010 at 1:04 AM, Geoff Goas <gitman at gmail.com> wrote:
>>>
>>>    I do... I was under the impression that sv_allowdownload had to be
>>>    enabled in order for HTTP redirect to work. Is that not the case?
>>>
>>>
>>>    On Mon, Jan 18, 2010 at 7:36 PM, Mavrick Master <mavrick.master at gmail.com> wrote:
>>>
>>>        Do you have the http redirect setup?
>>>
>>>        If not, may I suggest you set this up and in the off-server
>>>        http location only store the mod and not your config files.
>>>        This should solve your problem.
>>>
>>>
>>>        Daniel 'mavrick' Lang
>>>        www.mavrick.id.au
>>>
>>>
>>>
>>>        On Sun, Jan 17, 2010 at 2:45 PM, Geoff Goas <gitman at gmail.com> wrote:
>>>
>>>            That's correct.
>>>
>>>
>>>            On Mon, Jan 11, 2010 at 7:25 PM, Mavrick Master <mavrick.master at gmail.com> wrote:
>>>
>>>                The client auto-download was used because I presume
>>>                you are running a mod?
>>>
>>>                Daniel 'mavrick' Lang
>>>                www.mavrick.id.au
>>>
>>>
>>>
>>>
>>>                On Thu, Dec 31, 2009 at 11:15 PM, Hannu Kumpeli <hannu at shadowstyle.nl> wrote:
>>>
>>>                    Well after they got the rcon pass they could change all non-write-protected
>>>
>>>                    > But they could only download and view, not edit. Correct?
>>>                    >
>>>                    > From: Geoff Goas [mailto:gitman at gmail.com]
>>>                    > Sent: Thursday, December 31, 2009 1:03 AM
>>>                    > To: Call of Duty server admin list.
>>>                    > Subject: [cod] A word of advice
>>>                    >
>>>                    > This may not be news to some, but I just had first-hand
>>>                    > experience with it, so I think I should share....
>>>                    >
>>>                    > Someone just gained access to the RCON password for my CoD2 server.
>>>                    > Apparently, they were able to use the client auto-download
>>>                    > functionality to download my server configuration, which I
>>>                    > (stupidly) had named "server.cfg".
>>>                    >
>>>                    > So a word to the wise - name your server config in such a way
>>>                    > that nobody can guess what it is. This is a Q3 engine bug, so
>>>                    > the whole series is affected.
>>>                    > --
>>>                    > Geoff Goas
>>>                    > Network Engineer
>>>                    >
>>>                    > _______________________________________________
>>>                    > cod mailing list
>>>                    > cod at icculus.org
>>>                    > http://icculus.org/mailman/listinfo/cod
>>>
>>>            --
>>>            Geoff Goas
>>>            Network Engineer
>>>
>>>    --
>>>    Geoff Goas
>>>    Network Engineer
>
> --
> Geoff Goas
> Network Engineer
>
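Pulling together Bram's advice (serve only what clients actually need to download) and the console line Geoff quoted, here is an added example that is not from anyone in this thread: a POSIX sh audit of the HTTP redirect webroot plus a scan of the server console log for downloads of anything that is not a pack file. The allowlist of extensions (iwd, pk3), the log-line format (taken from Geoff's paraphrase) and the demo paths are all assumptions or constructed data.

```shell
#!/bin/sh
# Added example, not from the thread: defender-side checks for a CoD/Q3 HTTP redirect.
# Only these pack extensions are legitimately auto-downloaded by clients (assumed list).
ALLOWED_EXT="iwd pk3"
# is_allowed_download PATH -> 0 if PATH's extension is on the allowlist
is_allowed_download() {
    name=${1##*/}
    ext=${name##*.}
    [ "$ext" = "$name" ] && return 1   # no extension at all
    for a in $ALLOWED_EXT; do
        [ "$ext" = "$a" ] && return 0
    done
    return 1
}

# audit_redirect_dir DIR: print every file under the redirect webroot that a
# client should never be able to fetch (.cfg, .txt, ...); status 1 if any found.
audit_redirect_dir() {
    offenders=$(find "$1" -type f | while IFS= read -r f; do
        is_allowed_download "$f" || printf '%s\n' "$f"
    done)
    [ -z "$offenders" ] && return 0
    printf '%s\n' "$offenders"
    return 1
}

# scan_console_log LOG: print clientDownload entries for non-allowlisted files.
# The line shape is ASSUMED from Geoff's paraphrase in the thread:
#   clientDownload <clientnum> : beginning "fs_game/server.cfg"
scan_console_log() {
    offenders=$(grep -o 'clientDownload [0-9]* : beginning "[^"]*"' "$1" |
        while IFS= read -r line; do
            file=${line#*\"}; file=${file%\"}
            is_allowed_download "$file" || printf '%s\n' "$line"
        done)
    [ -z "$offenders" ] && return 0
    printf '%s\n' "$offenders"
    return 1
}

# --- constructed demo data, not real server files or logs ---
demo=$(mktemp -d)
mkdir -p "$demo/redirect/main" "$demo/redirect/mymod"
: > "$demo/redirect/main/zz_custommap.iwd"
: > "$demo/redirect/mymod/mod.iwd"
: > "$demo/redirect/mymod/server.cfg"     # the mistake the thread describes
printf '%s\n' 'clientDownload 3 : beginning "main/zz_custommap.iwd"' \
              'clientDownload 7 : beginning "mymod/server.cfg"' > "$demo/console.log"
audit_redirect_dir "$demo/redirect" || echo "^ must not be in the redirect root"
scan_console_log "$demo/console.log" || echo "^ clients fetched non-game files"
```

Run the audit against the real redirect root after every map or mod upload, and the log scan from cron; either producing output is worth a look.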