[cod] A word of advice
Geoff Goas
gitman at gmail.com
Wed Jan 20 08:49:47 EST 2010
I know the difference here. The console log lines clearly stated
(paraphrased) 'clientDownload <clientnum> : beginning "fs_game/server.cfg"'.
Only IWDs are contained in my HTTP redirect path.
On Wed, Jan 20, 2010 at 3:32 AM, B.M. Schiltmans
<b.m.schiltmans at planet.nl> wrote:
> I highly doubt that this is exploited through the game. The way I see it:
> - You connect to some server with http-redirect enabled, and note or
> memorize the http location that the downloads come from.
> - Start a browser, and go to the http-redirect-site
> - If you're 'lucky', you can see the cfg-files, either by browsing the
> directories, or by guessing the .cfg name(s)
>
> As an admin this can easily be prevented by any of the following:
> - Don't store config-files on the http-redirect; in fact, just store files
> there that actually need to be downloaded. Of course this only works if you
> have a separate redirect-space.
> - Instruct your webserver to not allow access to things like .cfg, .txt, etc
> etc
> - As an extra security/obscurity, just disable directory-browsing. Let's
> not make anyone any smarter than they need to be ;-)
>
> That should do the trick. Oh and one more thing (I learned the hard way),
> NEVER EVER use the rcon password for something like an os-user. IF someone
> finds out the password,.....
>
> As a sidenote for clan-based servers. Clans often want to update their
> usermaps all at once instead of on every map change. In this case the
> http-redirect is not ideal, so we use rsync to do that. When the server has
> updated maps, I send an email, and all they have to do is click some
> desktop-icon to update their own set. We implemented this because cod5 crashes
> a lot when it has to get an updated version of some map.
>
> Grtz
> Bram
>
>
> Tomé Duarte wrote:
>
>> I believe when you're using HTTP redirect the gameserver automatically
>> redirects all downloads to the configured URL. However, a custom application
>> to exploit this misconfiguration may somehow be able to download the
>> server.cfg; this depends on the server code but it's highly probable that it
>> redirects the request to the webserver.
>>
>> Does anyone have any more info on this vuln? Is it just the
>> sv_allowdownload cvar or are there any other "requirements"? Is there a
>> published vuln report or exploit?
>>
>> Cheers,
>> Tomé Duarte
>>
>> Connect with me via:
>> Twitter: http://twitter.com/tomeduarte
>> LinkedIn: http://www.linkedin.com/in/tduarte
>>
>>
>> On Wed, Jan 20, 2010 at 1:04 AM, Geoff Goas <gitman at gmail.com> wrote:
>>
>> I do... I was under the impression that sv_allowdownload had to be
>> enabled in order for HTTP redirect to work. Is that not the case?
>>
>>
>> On Mon, Jan 18, 2010 at 7:36 PM, Mavrick Master
>> <mavrick.master at gmail.com> wrote:
>>
>> Do you have the http redirect setup?
>>
>> If not, may I suggest you set this up and in the off-server
>> http location only store the mod and not your config files.
>> This should solve your problem.
>>
>>
>> Daniel 'mavrick' Lang
>> www.mavrick.id.au
>>
>>
>>
>> On Sun, Jan 17, 2010 at 2:45 PM, Geoff Goas <gitman at gmail.com> wrote:
>>
>> That's correct.
>>
>>
>> On Mon, Jan 11, 2010 at 7:25 PM, Mavrick Master
>> <mavrick.master at gmail.com> wrote:
>>
>> The client auto-download was used because I presume
>> you are running a mod?
>>
>> Daniel 'mavrick' Lang
>> www.mavrick.id.au
>>
>>
>>
>>
>> On Thu, Dec 31, 2009 at 11:15 PM, Hannu Kumpeli
>> <hannu at shadowstyle.nl> wrote:
>>
>> Well, after they got the rcon pass they could
>> change all non-write-protected
>>
>> > But they could only download and view, not
>> edit, correct?
>> >
>> >
>> >
>> > From: Geoff Goas [mailto:gitman at gmail.com]
>> > Sent: Thursday, December 31, 2009 1:03 AM
>> > To: Call of Duty server admin list.
>> > Subject: [cod] A word of advice
>> >
>> >
>> >
>> > This may not be news to some, but I just had first-hand
>> experience with it, so I
>> > think I should share....
>> >
>> > Someone just gained access to the RCON password
>> for my CoD2 server.
>> > Apparently, they were able to use the client
>> auto-download functionality to
>> > download my server configuration, which I
>> (stupidly) had named "server.cfg".
>> >
>> > So a word to the wise - name your server config
>> in such a way that nobody
>> > can guess what it is. This is a Q3 engine bug,
>> so the whole series is
>> > affected.
>> > --
>> > Geoff Goas
>> > Network Engineer
>> >
>> > _______________________________________________
>> > cod mailing list
>> > cod at icculus.org
>> > http://icculus.org/mailman/listinfo/cod
>>
>>
>>
>>
>>
>>
>>
>>
>> -- Geoff Goas
>> Network Engineer
>>
>>
>>
>>
>>
>>
>>
>>
>> -- Geoff Goas
>> Network Engineer
>>
>>
>>
>>
>>
>
--
Geoff Goas
Network Engineer
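An added example, not part of this thread and not code posted by any of the participants: a small Python audit of the directory an admin serves as the HTTP redirect location. It applies Bram's first rule mechanically, flagging every file that is not a game archive, and additionally searches those stragglers for an rcon password line so the dangerous one (a server.cfg copied along with the mod) stands out from merely untidy ones (a readme). The .iwd/.pk3 allowlist, the rcon_password / rconpassword cvar spelling, and the sample directory tree are assumptions constructed for the example.

```python
"""Audit the docroot behind a Q3-engine HTTP redirect for files that have no
business being downloadable: anything that is not a game archive, and
especially config files carrying an rcon password."""
import re
import tempfile
from pathlib import Path

# Extensions a client legitimately fetches through the redirect. Assumed
# allowlist: .iwd for Call of Duty titles, .pk3 for Quake 3 derivatives.
ALLOWED_EXTENSIONS = {".iwd", ".pk3"}

# Assumed cvar spellings: CoD uses rcon_password, Quake 3 uses rconpassword.
RCON_RE = re.compile(r"rcon_?password\s+\S", re.IGNORECASE)


def audit_docroot(root):
    """Return [(relative_path, reason), ...] for every file under `root`
    that an anonymous HTTP client should not be able to fetch."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if path.suffix.lower() in ALLOWED_EXTENSIONS:
            continue
        reason = "not a game archive"
        try:
            # Config files are small text; decode with replacement so a
            # stray binary file does not abort the scan.
            if RCON_RE.search(path.read_text(errors="replace")):
                reason = "contains an rcon password"
        except OSError:
            pass
        findings.append((path.relative_to(root).as_posix(), reason))
    return findings


def build_sample_docroot():
    """Constructed sample tree (not real server data) mimicking the
    misconfiguration in the thread: the whole fs_game directory, config
    included, copied onto the redirect webserver."""
    root = Path(tempfile.mkdtemp(prefix="redirect-"))
    mod = root / "fs_game"
    mod.mkdir()
    (mod / "zz_mod.iwd").write_bytes(b"PK\x03\x04 constructed archive stub")
    (mod / "server.cfg").write_text(
        'set sv_hostname "Example Server"\n'
        'set rcon_password "correct-horse"\n'  # constructed, not a real password
    )
    (mod / "readme.txt").write_text("constructed readme\n")
    return root


def audit_sample():
    """Run the audit over the constructed tree; returns {path: reason}."""
    return dict(audit_docroot(build_sample_docroot()))


if __name__ == "__main__":
    for rel, reason in audit_sample().items():
        print(f"{rel}: {reason}")
```

Run against a real redirect docroot with `audit_docroot("/var/www/redirect")`; an empty list is the goal. Anything it reports is reachable by whoever reads the download URL out of their console, whether or not directory listing is enabled, so the fix is to delete or move the file rather than to rely on an obscure name.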