[cod] A word of advice

Geoff Goas gitman at gmail.com
Wed Jan 20 13:33:59 EST 2010


What's worse is that you can't change the name of your console log. It's
always console_server_mp.log, and it always contains a cvar dump, which
always contains the rcon password.

On Wed, Jan 20, 2010 at 12:00 PM, Riku Kaura-aho <richarttos at gmail.com> wrote:

> Server cfgs can be renamed randomly so they are easy to protect assuming
> that you can't get a file list. System files are a whole different thing.
> Chrooting works but it ain't acceptable to have a bug like this coz it's
> kinda likely that if someone uses this hole it won't take long to figure out
> some weak points just by guessing.
>
> 2010/1/20 B.M. Schiltmans <b.m.schiltmans at planet.nl>
>
>> Hmm, perhaps I should read first, and comment later. Sorry about that.
>> So the problem is not http-redirect but the direct download.
>> Am I correct in assuming that a modified client is needed for this 'hack'?
>> In that case, it should be easy to fake a failed http-redirect and force a
>> fallback to direct-download. Reading through it, it seems that the
>> server.cfg is not the only worry, if every file on your server can be read.
>> I see no workaround here, except maybe chroot. And even then your .cfg's
>> are at risk.
>> Only real solution would be a patch it seems.
>> Anyone got any info on which games are/are not vulnerable (not counting
>> the dinosaurs on securityfocus ;-) )?
>>
>>
>>
>> Geoff Goas wrote:
>>
>>> I know the difference here. The console log lines clearly stated
>>> (paraphrased) 'clientDownload <clientnum> : beginning "fs_game/server.cfg"'.
>>>
>>> only IWD's are contained in my HTTP redirect path.
>>>
>>> On Wed, Jan 20, 2010 at 3:32 AM, B.M. Schiltmans <b.m.schiltmans at planet.nl> wrote:
>>>
>>>    I highly doubt that this is exploited through the game. The way I
>>>    see it:
>>>    - You connect to some server with http-redirect enabled, and note
>>>    or memorize the http location that the downloads come from.
>>>    - Start a browser, and go to the http-redirect-site
>>>    - If you're 'lucky', you can see the cfg-files, either by browsing
>>>    the directories, or by guessing the .cfg name(s)
>>>
>>>    As an admin this can easily be prevented by any of the following:
>>>    - Don't store config-files on the http-redirect, in fact, just
>>>    store files there that actually need to be downloaded. Of course
>>>    this only works if you have a separate redirect-space.
>>>    - Instruct your webserver to not allow access to things like .cfg,
>>>    .txt, etc etc
>>>    - As an extra security/obscurity, just disable directory-browsing.
>>>    Let's not make anyone any smarter than they need to be ;-)
>>>
>>>    That should do the trick. Oh and one more thing (I learned the
>>>    hard way), NEVER EVER use the rcon password for something like an
>>>    os-user. IF someone finds out the password,.....
>>>
>>>    As a sidenote for clan-based servers. Clans often want to update
>>>    their usermaps all at once instead of on every map change. In this
>>>    case the http-redirect is not ideal, so we use rsync to do that.
>>>    When the server has updated maps, I send an email, and all they
>>>    have to do is click some desktop-icon to update their own set. We
>>>    implemented it because cod5 crashes a lot when it has to get an
>>>    updated version of some map.
>>>
>>>    Grtz
>>>    Bram
>>>
>>>
>>>    Tomé Duarte wrote:
>>>
>>>        I believe when you're using HTTP redirect the gameserver
>>>        automatically redirects all downloads to the configured URL.
>>>        However, a custom application to exploit this misconfiguration
>>>        may somehow be able to download the server.cfg; this depends
>>>        on the server code but it's highly probable that it redirects
>>>        the request to the webserver.
>>>
>>>        Does anyone have any more info on this vuln? Is it just the
>>>        sv_allowdownload cvar or are there any other "requirements"?
>>>        Is there a published vuln report or exploit?
>>>
>>>        Cheers,
>>>        Tomé Duarte
>>>
>>>        Connect with me via:
>>>        Twitter: http://twitter.com/tomeduarte
>>>        LinkedIn: http://www.linkedin.com/in/tduarte
>>>
>>>
>>>        On Wed, Jan 20, 2010 at 1:04 AM, Geoff Goas <gitman at gmail.com> wrote:
>>>
>>>           I do... I was under the impression that sv_allowdownload had to be
>>>           enabled in order for HTTP redirect to work. Is that not the case?
>>>
>>>
>>>           On Mon, Jan 18, 2010 at 7:36 PM, Mavrick Master <mavrick.master at gmail.com> wrote:
>>>
>>>               Do you have the http redirect setup?
>>>
>>>               If not, may I suggest you set this up and in the off-server
>>>               http location only store the mod and not your config files.
>>>               This should solve your problem.
>>>
>>>
>>>               Daniel 'mavrick' Lang
>>>               www.mavrick.id.au
>>>
>>>
>>>
>>>               On Sun, Jan 17, 2010 at 2:45 PM, Geoff Goas <gitman at gmail.com> wrote:
>>>
>>>                   That's correct.
>>>
>>>
>>>                   On Mon, Jan 11, 2010 at 7:25 PM, Mavrick Master <mavrick.master at gmail.com> wrote:
>>>
>>>                       The client auto-download was used because I presume
>>>                       you are running a mod?
>>>
>>>                       Daniel 'mavrick' Lang
>>>                       www.mavrick.id.au
>>>
>>>
>>>
>>>
>>>                       On Thu, Dec 31, 2009 at 11:15 PM, Hannu Kumpeli <hannu at shadowstyle.nl> wrote:
>>>
>>>                           well after they got the rcon pass they could
>>>                           change all non write protected
>>>
>>>                           > But they could only download and view, not
>>>                           > edit. Correct?
>>>                           >
>>>                           >
>>>                           >
>>>                           > From: Geoff Goas [mailto:gitman at gmail.com]
>>>                           > Sent: Thursday, December 31, 2009 1:03 AM
>>>                           > To: Call of Duty server admin list.
>>>                           > Subject: [cod] A word of advice
>>>                           >
>>>                           >
>>>                           >
>>>                           > This may not be news to some, but I just had first-hand
>>>                           > experience with it, so I think I should share....
>>>                           >
>>>                           > Someone just gained access to the RCON password
>>>                           > for my CoD2 server. Apparently, they were able to
>>>                           > use the client auto-download functionality to
>>>                           > download my server configuration, which I
>>>                           > (stupidly) had named "server.cfg".
>>>                           >
>>>                           > So a word to the wise - name your server config
>>>                           > in such a way that nobody can guess what it is.
>>>                           > This is a Q3 engine bug, so the whole series is
>>>                           > affected.
>>>                           > --
>>>                           > Geoff Goas
>>>                           > Network Engineer
>>>                           >
>>>                           > _______________________________________________
>>>                           > cod mailing list
>>>                           > cod at icculus.org
>>>                           > http://icculus.org/mailman/listinfo/cod
>>>
>>>                   --
>>>                   Geoff Goas
>>>                   Network Engineer
>>>
>>>           --
>>>           Geoff Goas
>>>           Network Engineer
>>>
>>> --
>>> Geoff Goas
>>> Network Engineer


-- 
Geoff Goas
Network Engineer
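The thread's defensive advice boils down to two checks an admin can script: nothing but game content (IWD files) belongs in the HTTP redirect directory, and anything that carries an rcon password (a server cfg under any name, or the console log's cvar dump) must never sit where the webserver can hand it out. The script below is an added example, not code from the original posts or from the game; the directory layout, file names and the `rcon_password` line it creates are constructed sample data.

```shell
#!/bin/sh
# Audit an HTTP-redirect webroot for files that should not be served.
# Clients only need game content (*.iwd for CoD2) from the redirect; any
# .cfg, .log or .txt there is readable by whoever guesses the path, and a
# cvar dump in a log or a renamed cfg still carries the rcon password, so
# file contents are checked too.  One line per finding; no output = clean.
audit_redirect_dir() {
    dir=$1
    # 1. Anything that is not an .iwd does not belong in the redirect root.
    find "$dir" -type f ! -name '*.iwd' | sort | while IFS= read -r f; do
        case $f in
            *.cfg|*.log|*.txt) printf 'SENSITIVE  %s\n' "$f" ;;
            *)                 printf 'UNEXPECTED %s\n' "$f" ;;
        esac
    done
    # 2. Content check: a served file that mentions rcon leaks the
    #    password no matter what it is called.
    grep -ril 'rcon' "$dir" 2>/dev/null | sort | while IFS= read -r f; do
        printf 'RCON-LEAK  %s\n' "$f"
    done
}

# Build a constructed sample redirect tree (not a real server's files):
# one legitimate .iwd plus the kinds of leftovers the thread warns about.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/mod"
    printf 'PK\003\004 constructed placeholder\n' > "$root/mod/zz_maps.iwd"
    printf 'set rcon_password "constructed-sample"\n' > "$root/mod/server.cfg"
    printf 'maps: mp_sample\n' > "$root/mod/readme.txt"
    printf 'cvar dump\nrcon_password "constructed-sample"\n' \
        > "$root/console_server_mp.log"
    printf 'old notes\n' > "$root/notes.bak"
    printf '%s\n' "$root"
}

# Demo run against the constructed tree; pass a real redirect directory
# as the first argument to audit it instead.
target=${1:-}
if [ -z "$target" ]; then
    target=$(make_sample_tree)
    audit_redirect_dir "$target"
    rm -rf "$target"
else
    audit_redirect_dir "$target"
fi
```

A clean tree produces no output, so the function can be dropped into a cron job that mails only when something shows up.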