[cod] Cfg download hacking

Mathis Klooß admin at gunah.eu
Sun Oct 31 14:51:19 EDT 2010


Write-only files cannot be downloaded...

On 29.10.2010 17:52, Mavrick wrote:
> In Linux why not set certain permissions on *.log files so only say 
> the user 'screen' running the program screen can write to these files. 
> Presumably screen is running the cod4 bin files so it should have 
> access to that file, so just allow write access and not read... Would 
> that disable the program from being able to download the file via this 
> exploit?
>
>
> On 29/10/2010 10:30 PM, Mathis Klooß wrote:
>> Hi There...
>>
>> here is a "Very Dirty" "fix", based on PunkBuster.
>>
>> // Dirty fix for q3dirtrav based on PunkBuster!
>> pb_sv_md5toolempty
>> pb_sv_md5toolfreq 10
>> pb_sv_md5tool a "" v "abcd.txt" NOT_FOUND
>> pb_sv_md5tool a "" v "abcd.txt.txt" NOT_FOUND
>> pb_sv_md5tool a "" v "tmp.txt" NOT_FOUND
>> pb_sv_md5tool a "" v "q3dirtrav.exe" NOT_FOUND
>> pb_sv_md5tool a "" v "forfopen.exe" NOT_FOUND
>> pb_sv_md5toollist
>>
>> pb_sv_CvarFreq 2
>> pb_sv_cvar r_fullscreen IN 1
>> pb_sv_cvar cl_wwwdownload IN 1
>> // EOF
>>
>> So I have tested this exploit and it works 100%, only with "set 
>> sv_allowdownload 1".
>> If the host uses wwwdownload, the client can disable these 
>> settings with a "cvar"...
>>
>> So ranked servers can disable download... but for mod servers, we're 
>> using these PB settings... But it is recommended you change the logfile name.
>> This exploit works on CoD, CoD:UO, COD2, COD4!
>>
>> greetz
>> Gunah
>>
>> On 20.09.2010 12:27, Marco Padovan wrote:
>>> thanks, I missed this one...
>>>
>>> gotta disable logging too....
>>>
>>> On 15/09/2010 23:59, Miha Lepej wrote:
>>>> You also need to be aware that if the server has console logging
>>>> enabled and produces a console_mp.log or console_mp_server.log in the
>>>> main folder that can also be downloaded and contains a lot of
>>>> information of set variables including rcon_password (tested cod2).
>>>>
>>>> As far as I know the file can't be renamed and includes the password
>>>> even if it is set through command line. I believe this is the command
>>>> to disable the console log:
>>>>
>>>> set logfile 0
>>>>
>>>> (not 100%, can someone confirm?)
>>>>
>>>> --Miha
>>>>
>>>> On Wed, Sep 15, 2010 at 19:49, Morpheus<morpheus at clantoc.org>  wrote:
>>>>>   If you have full control on the server (startup, environment--say, host it
>>>>> on a dedicated server), you should do that by passing a set rcon_password to
>>>>> the server console from the startup script (after the server is up). So no
>>>>> need to manually set it each time.
>>>>>
>>>>> But it can be tricky to do that, depending on how you start the server (and
>>>>> what OS you run on). Under linux, with server started with SCREEN, it can
>>>>> easily be done (as you can send commands into the screen that hosts the
>>>>> console). But with other methods, I don't know...
>>>>>
>>>>> On 15/09/2010 18:11, Marco Padovan wrote:
>>>>>> this works... but is a pain in the ass... as you have to issue the set
>>>>>> rcon command EVERYTIME you start it :(
>>>>>>
>>>>>> On Wed, Sep 15, 2010 at 10:29 AM, Mavrick<mavrick.master at gmail.com>
>>>>>>   wrote:
>>>>>>> Probably a silly question but can u set the rcon password in the console
>>>>>>> query string?
>>>>>>>
>>>>>>> If so, why not database the password then just parse it when the server
>>>>>>> loads? This way anyone can use the exploit if they want but won't get the
>>>>>>> password?
>>>>>>>
>>>>>>> On 15/09/2010 5:45 PM, Nosjp Nosjp wrote:
>>>>>>>
>>>>>>> If you set sv_allowdownload "0" - disable all downloads :  built-in
>>>>>>> download
>>>>>>> + HTTP redirect download ( it doesn't matter value of sv_wwwDownload)
>>>>>>>
>>>>>>> Another solution: disable console (set sv_disableClientConsole "1") +
>>>>>>> random .cfg name
>>>>>>> in case of rcon stealer a player must be connected to server, then player
>>>>>>> trying to download manually within game console:
>>>>>>>   /download server.cfg   or /download main/server.cfg  guessing server
>>>>>>> config
>>>>>>>
>>>>>>> Take a look here for more details/solutions:
>>>>>>>
>>>>>>> http://game-violations.ggl.com/index.php?page=Thread&postID=99870#post99870
>>>>>>>
>>>>>>> On Tue, Sep 14, 2010 at 9:48 PM, Morpheus<morpheus at clantoc.org>    wrote:
>>>>>>>> I have one question : I have these dvar in my server cfg
>>>>>>>>
>>>>>>>> set sv_allowdownload "1"
>>>>>>>> seta sv_wwwDownload "1"
>>>>>>>> seta sv_wwwBaseURL "http://whaterver_you_wnat.com/cod"
>>>>>>>> seta sv_wwwDlDisconnected "1"
>>>>>>>>
>>>>>>>> If you put the allowdownload to 0, does it disable the www capability ?
>>>>>>>> if
>>>>>>>> we could restrict the download part to http downloading, things could be
>>>>>>>> easier to cope with.
>>>>>>>>
>>>>>>>> On 14/09/2010 20:44, Nosjp Nosjp wrote:
>>>>>>>>
>>>>>>>> @Marco:
>>>>>>>>
>>>>>>>> If you have a server
>>>>>>>> - without custom maps/mods/pam ->    disable downloads:  seta
>>>>>>>> sv_allowDownload "0"
>>>>>>>> - with custom maps/mods/pam ->     disable game console (set
>>>>>>>> sv_disableClientConsole "1")  + random .cfg name
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, Sep 14, 2010 at 9:37 PM, Sheepa<sheepa at sheepa.org>    wrote:
>>>>>>>>> Is there even any working POC for this?
>>>>>>>>>
>>>>>>>>> --------------------------------------------------
>>>>>>>>> From: "Marco Padovan"<evolutioncrazy at gmail.com>
>>>>>>>>> Sent: Tuesday, September 14, 2010 8:14 PM
>>>>>>>>> To: "Call of Duty server admin list."<cod at icculus.org>
>>>>>>>>> Subject: Re: [cod] Cfg download hacking
>>>>>>>>>
>>>>>>>>>> I see...
>>>>>>>>>>
>>>>>>>>>> will take the "random cfg filename" path as all other workarounds are
>>>>>>>>>> not acceptable for my use :(
>>>>>>>>>>
>>>>>>>>>> On Tue, Sep 14, 2010 at 8:01 PM, Morpheus<morpheus at clantoc.org>
>>>>>>>>>>   wrote:
>>>>>>>>>>>   I think iptables is too low-level to deal with such specific hack
>>>>>>>>>>> attempts.
>>>>>>>>>>> At least you can use it to ban IP addresses you catch... It's sad it
>>>>>>>>>>> has not
>>>>>>>>>>> been fixed since discovery, with all the games that are using the
>>>>>>>>>>> codebase...
>>>>>>>>>>>
>>>>>>>>>>> On 14/09/2010 19:32, Marco Padovan wrote:
>>>>>>>>>>>> I'm aware of the exploits... was looking for some suggestion on how
>>>>>>>>>>>> to
>>>>>>>>>>>> fix them... even via iptables eventually...
>>>>>>>>>>>>
>>>>>>>>>>>> On Tue, Sep 14, 2010 at 6:56 PM, James Landi<jim at landi.net>
>>>>>>>>>>>>   wrote:
>>>>>>>>>>>>>   The exploit I just posted about could be an older version or not
>>>>>>>>>>>>> the
>>>>>>>>>>>>> same
>>>>>>>>>>>>> as described in this mail list thread.
>>>>>>>>>>>>>
>>>>>>>>>>>>> using the second link should give you a good list of quake based
>>>>>>>>>>>>> exploits
>>>>>>>>>>>>> you may want to watch for.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Sorry for the wrong link
>>>>>>>>>>>>>
>>>>>>>>>>>>> Jim Landi
>>>>>>>>>>>>> Rudedog
>>>>>>>>>>>>> FPSadmin.com
>>>>>>>>>>>>> Microsoft MVP, Games for Windows | Twitter@ therealrudedog
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 9/14/10 12:25 PM, Morpheus wrote:
>>>>>>>>>>>>>> We're talking about the built-in download system, not the http
>>>>>>>>>>>>>> redirect
>>>>>>>>>>>>>> one, which you can control with symlinks and htaccess features.
>>>>>>>>>>>>>> It's
>>>>>>>>>>>>>> about a
>>>>>>>>>>>>>> security hole that virtually exists in all q3-based games (at
>>>>>>>>>>>>>> least
>>>>>>>>>>>>>> for
>>>>>>>>>>>>>> the
>>>>>>>>>>>>>> net code).
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 14/09/2010 18:21, Mavrick wrote:
>>>>>>>>>>>>>>> Anyone tried symbolic links?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On 14/09/2010 3:11 AM, Nosjp Nosjp wrote:
>>>>>>>>>>>>>>>> The only solution:  set sv_allowDownload "0"
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Mon, Sep 13, 2010 at 7:45 PM, Marco
>>>>>>>>>>>>>>>> Padovan<evolutioncrazy at gmail.com
>>>>>>>>>>>>>>>> <mailto:evolutioncrazy at gmail.com>>      wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>    We are having major hack attempts that consist in people
>>>>>>>>>>>>>>>>    downloading the cfg files....  currently we had to use random
>>>>>>>>>>>>>>>>    file names...
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>    is there any solid work around?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>    _______________________________________________
>>>>>>>>>>>>>>>>    cod mailing list
>>>>>>>>>>>>>>>>    cod at icculus.org<mailto:cod at icculus.org>
>>>>>>>>>>>>>>>>    http://icculus.org/mailman/listinfo/cod

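A defender-side check for the settings this thread discusses, as an added example that is not part of any poster's message: it flags cfg files that leave the built-in download on, store rcon_password, or enable console logging, and flags log files the owner can still read. The function names, directory layout and sample file contents are constructed; the dvars and the write-only idea are the ones proposed in the thread.

```shell
# Added example: audit_dir, lock_logs and the sample files are constructed for illustration.
audit_dir() {   # prints one finding per line for directory $1
    for f in "$1"/*.cfg; do
        [ -f "$f" ] || continue
        awk -v file="${f##*/}" '
            {
                sub(/(^|[ \t])\/\/.*/, "")   # drop // comments, but not the // in a URL
                gsub(/"/, " ")               # so name"value" without a space still splits
                if (tolower($1) !~ /^set[a-z]?$/) next
                name = tolower($2); val = $3
                if (name == "sv_allowdownload" && val != "0")
                    print file ": built-in download enabled"
                if (name == "rcon_password" && val != "")
                    print file ": rcon_password stored in a cfg file"
                if (name == "logfile" && val != "0")
                    print file ": console logging enabled"
            }' "$f"
    done
    for f in "$1"/*.log; do
        [ -f "$f" ] || continue
        # Read the mode string instead of using test -r, which is always true for root.
        case $(ls -ld "$f") in
            ?r*) echo "${f##*/}: log is readable by its owner" ;;
        esac
    done
    return 0
}

lock_logs() {   # owner write-only (mode 200), the permission idea raised in the thread
    for f in "$1"/*.log; do
        [ -f "$f" ] && chmod 200 "$f"
    done
    return 0
}

# Constructed sample directory (not taken from a real server).
demo=$(mktemp -d)
cat > "$demo/server.cfg" <<'EOF'
// constructed sample config
set sv_allowdownload "1"
seta sv_wwwDownload "1"
set rcon_password "example-only"
set logfile 1
EOF
echo 'rcon_password is: "example-only"' > "$demo/console_mp.log"
audit_dir "$demo"      # findings before the permission change
lock_logs "$demo"
audit_dir "$demo"      # the log finding is gone, the cfg findings remain
rm -rf "$demo"
```
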