[cod] A word of advice

B.M. Schiltmans b.m.schiltmans at planet.nl
Wed Jan 20 11:20:22 EST 2010


Hmm, perhaps I should read first, and comment later. Sorry about that.
So the problem is not http-redirect but the direct download.
Am I correct in assuming that a modified client is needed for this 
'hack'? In that case, it should be easy to fake a failed http-redirect 
and force a fallback to direct-download. Reading through it, it seems 
that the server.cfg is not the only worry, if every file on your server 
can be read.
I see no workaround here, except maybe chroot. And even then your .cfg's 
are at risk.
The only real solution would be a patch, it seems.
Anyone got any info on which games are/are not vulnerable (not counting 
the dinosaurs on securityfocus ;-) )?



Geoff Goas wrote:
> I know the difference here. The console log lines clearly stated 
> (paraphrased) 'clientDownload <clientnum> : beginning 
> "fs_game/server.cfg"'.
>
> Only IWDs are contained in my HTTP redirect path.
>
> On Wed, Jan 20, 2010 at 3:32 AM, B.M. Schiltmans <b.m.schiltmans at planet.nl> wrote:
>
>     I highly doubt that this is exploited through the game. The way I
>     see it:
>     - You connect to some server with http-redirect enabled, and note
>     or memorize the http location that the downloads come from.
>     - Start a browser, and go to the http-redirect-site
>     - If you're 'lucky', you can see the cfg-files, either by browsing
>     the directories, or by guessing the .cfg name(s)
>
>     As an admin this can easily be prevented by any of the following:
>     - Don't store config-files on the http-redirect; in fact, just
>     store files there that actually need to be downloaded. Of course
>     this only works if you have a separate redirect-space.
>     - Instruct your webserver to not allow access to things like .cfg,
>     .txt, etc.
>     - As an extra security/obscurity, just disable directory-browsing.
>     Let's not make anyone any smarter than they need to be ;-)
>
>     That should do the trick. Oh and one more thing (I learned the
>     hard way), NEVER EVER use the rcon password for something like an
>     os-user. IF someone finds out the password,.....
>
>     As a sidenote for clan-based servers. Clans often want to update
>     their usermaps all at once instead of on every map change. In this
>     case the http-redirect is not ideal, so we use rsync to do that.
>     When the server has updated maps, I send an email, and all they
>     have to do is click some desktop-icon to update their own set. We
>     implemented this because cod5 crashes a lot when it has to get an
>     updated version of some map.
>
>     Grtz
>     Bram
>
>
>     Tomé Duarte wrote:
>
>         I believe when you're using HTTP redirect the gameserver
>         automatically redirects all downloads to the configured URL.
>         However, a custom application to exploit this misconfiguration
>         may somehow be able to download the server.cfg; this depends
>         on the server code but it's highly probable that it redirects
>         the request to the webserver.
>
>         Does anyone have any more info on this vuln? Is it just the
>         sv_allowdownload cvar or are there any other "requirements"?
>         Is there a published vuln report or exploit?
>
>         Cheers,
>         Tomé Duarte
>
>         Connect with me via:
>         Twitter: http://twitter.com/tomeduarte
>         LinkedIn: http://www.linkedin.com/in/tduarte
>
>
>         On Wed, Jan 20, 2010 at 1:04 AM, Geoff Goas <gitman at gmail.com> wrote:
>
>            I do... I was under the impression that sv_allowdownload
>            had to be enabled in order for HTTP redirect to work. Is
>            that not the case?
>
>
>            On Mon, Jan 18, 2010 at 7:36 PM, Mavrick Master
>            <mavrick.master at gmail.com> wrote:
>
>                Do you have the http redirect setup?
>
>                If not, may I suggest you set this up and in the off-server
>                http location only store the mod and not your config files.
>                This should solve your problem.
>
>
>                Daniel 'mavrick' Lang
>                www.mavrick.id.au
>
>
>
>                On Sun, Jan 17, 2010 at 2:45 PM, Geoff Goas
>                <gitman at gmail.com> wrote:
>
>                    That's correct.
>
>
>                    On Mon, Jan 11, 2010 at 7:25 PM, Mavrick Master
>                    <mavrick.master at gmail.com> wrote:
>
>                        The client auto-download was used because I presume
>                        you are running a mod?
>
>                        Daniel 'mavrick' Lang
>                        www.mavrick.id.au
>
>
>
>
>                        On Thu, Dec 31, 2009 at 11:15 PM, Hannu Kumpeli
>                        <hannu at shadowstyle.nl> wrote:
>
>                            Well, after they got the rcon pass they could
>                            change all non-write-protected
>
>                            > But they could only download and view, not
>                            > edit. Correct?
>                            >
>                            >
>                            >
>                            > From: Geoff Goas [mailto:gitman at gmail.com]
>                            > Sent: Thursday, December 31, 2009 1:03 AM
>                            > To: Call of Duty server admin list.
>                            > Subject: [cod] A word of advice
>                            >
>                            >
>                            >
>                            > This may not be news to some, but I just had
>                            > first-hand experience with it, so I think I
>                            > should share....
>                            >
>                            > Someone just gained access to the RCON password
>                            > for my CoD2 server. Apparently, they were able
>                            > to use the client auto-download functionality
>                            > to download my server configuration, which I
>                            > (stupidly) had named "server.cfg".
>                            >
>                            > So a word to the wise - name your server config
>                            > in such a way that nobody can guess what it is.
>                            > This is a Q3 engine bug, so the whole series is
>                            > affected.
>                            > --
>                            > Geoff Goas
>                            > Network Engineer
>                            >
>                            >
>                            > _______________________________________________
>                            > cod mailing list
>                            > cod at icculus.org
>                            > http://icculus.org/mailman/listinfo/cod
>
>
>
>
>
>
>
>
>                    -- 
>                    Geoff Goas
>                    Network Engineer
>
>
>
>
>
>
>
>
>            -- 
>            Geoff Goas
>            Network Engineer
>
>
>
>          
>
>
>
>
>
> -- 
> Geoff Goas
> Network Engineer
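The mitigation Bram lists above (store only files that actually need to be downloaded on the redirect, never let the webserver hand out .cfg or .txt files) as an added example that is not code from this thread or from any game server: a Python allowlist a redirect front-end could apply before serving a file. REDIRECT_ROOT, resolve_download and the sample requests are constructed for illustration.

```python
import posixpath
from typing import Optional

# Constructed web root backing the http-redirect (hypothetical path).
REDIRECT_ROOT = "/srv/cod-redirect"
# The only archive types a client genuinely needs to auto-download.
ALLOWED_SUFFIXES = (".iwd", ".pk3")


def resolve_download(fs_game: str, filename: str) -> Optional[str]:
    """Map a client's 'fs_game/filename' request to a path under
    REDIRECT_ROOT, or return None when the request must be refused."""
    # Each component must be a bare name: no separators, no '.', '..'
    # or dotfiles, so a request can never climb out of the mod folder.
    for part in (fs_game, filename):
        if not part or part != posixpath.basename(part) or part.startswith("."):
            return None
    # Allowlist by extension: .cfg, .txt, .log and anything else that is
    # not a game archive is simply never served, whatever it is named.
    if not filename.lower().endswith(ALLOWED_SUFFIXES):
        return None
    target = posixpath.normpath(posixpath.join(REDIRECT_ROOT, fs_game, filename))
    # Belt and braces: the normalised path must still sit under the root.
    if not target.startswith(REDIRECT_ROOT + "/"):
        return None
    return target


def review_requests(requests):
    """Apply the check to (fs_game, filename) pairs; returns decisions."""
    return [(g, f, resolve_download(g, f)) for g, f in requests]


if __name__ == "__main__":
    # Constructed sample requests, including the one seen in the thread.
    sample = [
        ("mymod", "zzz_mymod_maps.iwd"),
        ("mymod", "server.cfg"),
        ("mymod", "../main/server.cfg"),
        ("..", "server.cfg"),
    ]
    for g, f, path in review_requests(sample):
        print(f"{g}/{f}: {'serve ' + path if path else 'refuse'}")
```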


More information about the cod mailing list