[cod] Cfg download hacking

Geoff Goas gitman at gmail.com
Mon Sep 13 18:37:16 EDT 2010


I had this very same problem and posted to this list about it not too long
ago. It's all Q3-based games.

Make sure your configs are conspicuously named, and if they do happen to be
available in the same path, that you put some sort of rewrite rule in to
deny access.

On Mon, Sep 13, 2010 at 6:04 PM, saimon <saimon at optonline.net> wrote:

> Having spent much time in a Soldier of Fortune clan I can tell you that
> yes, there is a script that can be run against a server with downloads turned
> on that will automatically go after the [in Sof it is the Sof2mp.cfg] config
> file that has the rcon password. In my experience acquiring that password
> was always the goal; the attacker [script kiddie] would then proceed to kick
> out/ban all clan members and change the name of the server. The idiots that
> went around doing this really ruined the game for a large amount of the
> community. I can't say for sure or not if the same script works with all
> Quake-based games; it could well be from the same source I was told that
> leader of the Sof2 clan Heretic, its leader Heretic Death, was a
> distributor of this script/tool for a price. You may also want to open a
> console while in the game and type download and see if any directory
> structures you and hit.
>
>
> On 9/13/2010 3:33 PM, David at Game-Serve wrote:
>
> On 13/09/10 20:16, Morpheus wrote:
>
> Yes, but it is only relevant with http downloading (I'm symlinking the
> folder too, but with good htaccess restrictions and strict permissions on
> the files--only readable by the owner). Is it possible to use the client to
> try downloading the cfg through the built-in protocol? That could be the
> major hack, and it can potentially touch every quake-based game, at least
> those using the same net codebase (cod2 is one of them).
>
> But I'm pretty sure it's not the case, and http is the way to follow, and
> to harden...
>
>
> You mean like the one that already exists on the quake3 engine based games?
> Like mohaa, which will allow you to download the config files on servers that
> don't have downloads disabled (set sv_allowDownload "0"). What's worse is that
> mohaa doesn't even use the server-client download functions of the quake3
> engine, but the code must still be in there somewhere as the exploit works


-- 
Geoff Goas
Network Engineer
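
An added example, not part of the original thread: a Python audit an admin could run over the directory the web server exposes for HTTP downloads, following symlinked game folders, to list every .cfg file reachable there, whether it is readable beyond its owner, and whether it sets the rcon password. The cvar spellings matched and the sample tree (built in a temporary directory) are assumptions constructed for the illustration.

```python
import os, re, stat, tempfile

# Assumption: the password cvar is spelled rconpassword or rcon_password.
RCON_RE = re.compile(r'^\s*(?:set\w*\s+)?"?rcon_?password\b', re.I | re.M)

def audit_docroot(docroot):
    """List every .cfg reachable under a web-served download directory."""
    findings, seen = [], set()
    # followlinks=True because symlinked game folders get served as well.
    for dirpath, dirs, files in os.walk(docroot, followlinks=True):
        real = os.path.realpath(dirpath)
        if real in seen:          # symlink loop or duplicate: do not descend
            dirs[:] = []
            continue
        seen.add(real)
        for name in files:
            if not name.lower().endswith(".cfg"):
                continue
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            with open(path, errors="replace") as fh:
                has_rcon = bool(RCON_RE.search(fh.read()))
            findings.append({"path": os.path.relpath(path, docroot),
                             "group_or_other_readable": bool(mode & 0o044),
                             "sets_rcon_password": has_rcon})
    return sorted(findings, key=lambda f: f["path"])

def build_sample(tmp):
    """Constructed sample tree: a docroot with a symlinked game folder."""
    docroot, game = os.path.join(tmp, "www"), os.path.join(tmp, "game")
    os.makedirs(os.path.join(docroot, "main"))
    os.makedirs(game)
    samples = {
        os.path.join(docroot, "main", "server.cfg"): ('set rcon_password "constructed"\n', 0o644),
        os.path.join(docroot, "main", "maps.pk3"): ("not a config\n", 0o644),
        os.path.join(game, "sof2mp.cfg"): ('seta rconpassword "constructed"\n', 0o600),
    }
    for path, (text, mode) in samples.items():
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)
    os.symlink(game, os.path.join(docroot, "base"))
    return docroot

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_docroot(build_sample(tmp)):
            print(finding)
```

Any finding means a config sits inside the served tree; an owner-only file still depends on the web server not running as that owner, so a deny rule for .cfg or moving the file out of the tree is the fix either way.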