[cod] Cfg download hacking

Mavrick mavrick.master at gmail.com
Fri Oct 29 11:52:18 EDT 2010


In Linux, why not set certain permissions on *.log files so only, say, the 
user 'screen' running the program screen can write to these files? 
Presumably screen is running the cod4 bin files so it should have access 
to that file, so just allow write access and not read... Would that 
disable the program from being able to download the file via this exploit?


On 29/10/2010 10:30 PM, Mathis Klooß wrote:
> Hi There...
>
> here is a "Very Dirty" "fix", based on PunkBuster.
>
> // Dirty fix for q3dirtrav based on PunkBuster!
> pb_sv_md5toolempty
> pb_sv_md5toolfreq 10
> pb_sv_md5tool a "" v "abcd.txt" NOT_FOUND
> pb_sv_md5tool a "" v "abcd.txt.txt" NOT_FOUND
> pb_sv_md5tool a "" v "tmp.txt" NOT_FOUND
> pb_sv_md5tool a "" v "q3dirtrav.exe" NOT_FOUND
> pb_sv_md5tool a "" v "forfopen.exe" NOT_FOUND
> pb_sv_md5toollist
>
> pb_sv_CvarFreq 2
> pb_sv_cvar r_fullscreen IN 1
> pb_sv_cvar cl_wwwdownload IN 1
> // EOF
>
> So I have tested this exploit and it works 100%, only with "set 
> sv_allowdownload 1".
> If the host uses wwwdownload, the client can disable these 
> settings with a "cvar"...
>
> So ranked servers can disable downloads... but for mod servers, we're 
> using these PB settings... But it is recommended that you change the logfile name.
> This exploit works on CoD, CoD:UO, COD2, COD4!
>
> greetz
> Gunah
>
> Am 20.09.2010 12:27, schrieb Marco Padovan:
>> thanks, I missed this one...
>>
>> gotta disable logging too....
>>
>> Il 15/09/2010 23:59, Miha Lepej ha scritto:
>>> You also need to be aware that if the server has console logging
>>> enabled and produces a console_mp.log or console_mp_server.log in the
>>> main folder that can also be downloaded and contains a lot of
>>> information of set variables including rcon_password (tested cod2).
>>>
>>> As far as I know the file can't be renamed and includes the password
>>> even if it is set through command line. I believe this is the command
>>> to disable the console log:
>>>
>>> set logfile 0
>>>
>>> (not 100%, can someone confirm?)
>>>
>>> --Miha
>>>
>>> On Wed, Sep 15, 2010 at 19:49, Morpheus<morpheus at clantoc.org>  wrote:
>>>>   If you have full control on the server (startup, environment--say, host it
>>>> on a dedicated server), you should do that by passing a set rcon_password to
>>>> the server console from the startup script (after the server is up). So no
>>>> need to manually set it each time.
>>>>
>>>> But it can be tricky to do that, depending on how you start the server (and
>>>> what OS you run on). Under linux, with server started with SCREEN, it can
>>>> easily be done (as you can send commands into the screen that hosts the
>>>> console). But with other methods, I don't know...
>>>>
>>>> Le 15/09/2010 18:11, Marco Padovan a écrit :
>>>>> this works... but is a pain in the ass... as you have to issue the set
>>>>> rcon command EVERYTIME you start it :(
>>>>>
>>>>> On Wed, Sep 15, 2010 at 10:29 AM, Mavrick<mavrick.master at gmail.com>
>>>>>   wrote:
>>>>>> Probably a silly question but can u set the rcon password in the console
>>>>>> query string?
>>>>>>
>>>>>> If so, why not database the password then just parse it when the server
>>>>>> loads? This way anyone can use the exploit if they want but won't get the
>>>>>> password?
>>>>>>
>>>>>> On 15/09/2010 5:45 PM, Nosjp Nosjp wrote:
>>>>>>
>>>>>> If you set sv_allowdownload "0" - disable all downloads: built-in download
>>>>>> + HTTP redirect download (it doesn't matter value of sv_wwwDownload)
>>>>>>
>>>>>> Another solution: disable console (set sv_disableClientConsole "1") +
>>>>>> random .cfg name
>>>>>> in case of rcon stealer a player must be connected to server, then player
>>>>>> trying to download manually within game console:
>>>>>>   /download server.cfg   or /download main/server.cfg  guessing server config
>>>>>>
>>>>>> Take a look here for more details/solutions:
>>>>>>
>>>>>> http://game-violations.ggl.com/index.php?page=Thread&postID=99870#post99870
>>>>>>
>>>>>> On Tue, Sep 14, 2010 at 9:48 PM, Morpheus<morpheus at clantoc.org>    wrote:
>>>>>>> I have one question : I have these dvar in my server cfg
>>>>>>>
>>>>>>> set sv_allowdownload "1"
>>>>>>> seta sv_wwwDownload "1"
>>>>>>> seta sv_wwwBaseURL "http://whaterver_you_wnat.com/cod"
>>>>>>> seta sv_wwwDlDisconnected "1"
>>>>>>>
>>>>>>> If you put the allowdownload to 0, does it disable the www capability? If
>>>>>>> we could restrict the download part to http downloading, things could be
>>>>>>> easier to cope with.
>>>>>>>
>>>>>>> Le 14/09/2010 20:44, Nosjp Nosjp a écrit :
>>>>>>>
>>>>>>> @Marco:
>>>>>>>
>>>>>>> If you have a server
>>>>>>> - without custom maps/mods/pam -> disable downloads: seta sv_allowDownload "0"
>>>>>>> - with custom maps/mods/pam -> disable game console (set sv_disableClientConsole "1") + random .cfg name
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Sep 14, 2010 at 9:37 PM, Sheepa<sheepa at sheepa.org>    wrote:
>>>>>>>> Is there even any working POC for this?
>>>>>>>>
>>>>>>>> --------------------------------------------------
>>>>>>>> From: "Marco Padovan"<evolutioncrazy at gmail.com>
>>>>>>>> Sent: Tuesday, September 14, 2010 8:14 PM
>>>>>>>> To: "Call of Duty server admin list."<cod at icculus.org>
>>>>>>>> Subject: Re: [cod] Cfg download hacking
>>>>>>>>
>>>>>>>>> I see...
>>>>>>>>>
>>>>>>>>> will take the "random cfg filename" path as all other workarounds are
>>>>>>>>> not acceptable for my use :(
>>>>>>>>>
>>>>>>>>> On Tue, Sep 14, 2010 at 8:01 PM, Morpheus<morpheus at clantoc.org>
>>>>>>>>>   wrote:
>>>>>>>>>> I think iptables is too low-level to deal with such specific hack attempts.
>>>>>>>>>> At least you can use it to ban IP addresses you catch... It's sad it has not
>>>>>>>>>> been fixed since discovery, with all the games that are using the codebase...
>>>>>>>>>>
>>>>>>>>>> Le 14/09/2010 19:32, Marco Padovan a écrit :
>>>>>>>>>>> I'm aware of the exploits... was looking for some suggestion on how to
>>>>>>>>>>> fix them... even via iptables eventually...
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Sep 14, 2010 at 6:56 PM, James Landi<jim at landi.net>
>>>>>>>>>>>   wrote:
>>>>>>>>>>>> The exploit I just posted about could be an older version or not the same
>>>>>>>>>>>> as described in this mail list thread.
>>>>>>>>>>>>
>>>>>>>>>>>> Using the second link should give you a good list of quake based exploits
>>>>>>>>>>>> you may want to watch for.
>>>>>>>>>>>>
>>>>>>>>>>>> Sorry for the wrong link
>>>>>>>>>>>>
>>>>>>>>>>>> Jim Landi
>>>>>>>>>>>> Rudedog
>>>>>>>>>>>> FPSadmin.com
>>>>>>>>>>>> Microsoft MVP, Games for Windows | Twitter@ therealrudedog
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On 9/14/10 12:25 PM, Morpheus wrote:
>>>>>>>>>>>>> We're talking about the built-in download system, not the http redirect
>>>>>>>>>>>>> one, which you can control with symlinks and htaccess features. It's about a
>>>>>>>>>>>>> security hole that virtually exists in all q3-based games (at least for the
>>>>>>>>>>>>> net code).
>>>>>>>>>>>>>
>>>>>>>>>>>>> Le 14/09/2010 18:21, Mavrick a écrit :
>>>>>>>>>>>>>> Anyone tried symbolic links?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 14/09/2010 3:11 AM, Nosjp Nosjp wrote:
>>>>>>>>>>>>>>> The only one solution:  set sv_allowDownload "0"
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Mon, Sep 13, 2010 at 7:45 PM, Marco Padovan <evolutioncrazy at gmail.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>    We are having major hack attempts that consist in people
>>>>>>>>>>>>>>>    downloading the cfg files....  currently we had to use random
>>>>>>>>>>>>>>>    file names...
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>    is there any solid work around?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>    _______________________________________________
>>>>>>>>>>>>>>>    cod mailing list
>>>>>>>>>>>>>>>    cod at icculus.org<mailto:cod at icculus.org>
>>>>>>>>>>>>>>>    http://icculus.org/mailman/listinfo/cod
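
The mitigations named in this thread (sv_allowdownload "0", logfile 0, and watching which files under the game directory hold rcon_password) can be checked with a short audit script. This is an added example, not part of any list member's post: the function names, directory layout and sample files are constructed, and it takes the thread's statements about these settings as given (the effect of logfile 0 was not confirmed on the list).

```shell
#!/bin/sh
# Added example (not from the thread): audit a server directory for the
# exposures discussed above. File names and layout are constructed.

# Last value given to a cvar by set/seta/sets in a cfg (empty if never set).
# Names are matched case-insensitively; the thread spells them both ways.
cvar_value() {  # $1 = cfg file, $2 = cvar name
  awk -v want="$2" '
    tolower($1) ~ /^set[as]?$/ && tolower($2) == tolower(want) {
      v = $3; gsub(/"/, "", v); last = v
    }
    END { print last }' "$1"
}

# cfg and log files under the game directory that mention rcon_password.
secret_files() {  # $1 = game directory
  find "$1" -type f \( -name '*.cfg' -o -name '*.log' \) \
    -exec grep -li 'rcon_password' {} + | sort
}

# Prints one WARN line per finding and returns non-zero if there are any.
audit_server() {  # $1 = game directory, $2 = server cfg
  dl=$(cvar_value "$2" sv_allowdownload)
  log=$(cvar_value "$2" logfile)
  findings=0
  if [ "${dl:-unset}" != "0" ]; then
    echo "WARN sv_allowdownload=${dl:-unset}: downloads not explicitly disabled"
    findings=$((findings + 1))
    exposed=$(secret_files "$1")
    if [ -n "$exposed" ]; then
      echo "$exposed" | sed 's/^/WARN holds rcon_password: /'
      findings=$((findings + $(echo "$exposed" | wc -l)))
    fi
  fi
  if [ "${log:-unset}" != "0" ]; then
    echo "WARN logfile=${log:-unset}: console log not explicitly disabled"
    findings=$((findings + 1))
  fi
  echo "findings=$findings"
  [ "$findings" -eq 0 ]
}

# Constructed sample tree: a cfg with downloads on, plus a console log.
make_sample() {  # $1 = empty directory to populate
  mkdir -p "$1/main"
  printf 'set sv_allowDownload "1"\nset rcon_password "constructed"\n' > "$1/main/server.cfg"
  printf 'rcon_password is "constructed"\n' > "$1/main/console_mp.log"
}

if [ "$#" -eq 2 ]; then audit_server "$1" "$2"; fi
```

Run it with the game directory and the server cfg as its two arguments; it only reads the cfg, so values passed on the server's command line are not seen.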
