[cod] A word of advice
Riku Kaura-aho
richarttos at gmail.com
Wed Jan 20 12:00:26 EST 2010
Server cfgs can be renamed randomly so they are easy to protect, assuming
that you can't get a file list. System files are a whole different thing.
Chrooting works, but it ain't acceptable to have a bug like this coz it's
kinda likely that if someone uses this hole it won't take long to figure out
some weak points just by guessing.
2010/1/20 B.M. Schiltmans <b.m.schiltmans at planet.nl>
> Hmm, perhaps I should read first, and comment later. Sorry about that.
> So the problem is not http-redirect but the direct download.
> Am I correct in assuming that a modified client is needed for this 'hack'?
> In that case, it should be easy to fake a failed http-redirect and force a
> fallback to direct-download. Reading through it, it seems that the
> server.cfg is not the only worry, if every file on your server can be read.
> I see no workaround here, except maybe chroot. And even then your .cfg's
> are at risk.
> Only real solution would be a patch it seems.
> Anyone got any info on which games are/are not vulnerable (not counting the
> dinosaurs on securityfocus ;-) )?
>
> Geoff Goas wrote:
>
>> i know the difference here. the console log lines clearly stated
>> (paraphrased) 'clientDownload <clientnum> : beginning "fs_game/server.cfg"'.
>>
>> only IWD's are contained in my HTTP redirect path.
>>
>> On Wed, Jan 20, 2010 at 3:32 AM, B.M. Schiltmans <b.m.schiltmans at planet.nl> wrote:
>>
>> I highly doubt that this is exploited through the game. The way I
>> see it:
>> - You connect to some server with http-redirect enabled, and note
>> or memorize the http location that the downloads come from.
>> - Start a browser, and go to the http-redirect-site
>> - If you're 'lucky', you can see the cfg-files, either by browsing
>> the directories, or by guessing the .cfg name(s)
>>
>> As an admin this can easily be prevented by any of the following:
>> - Don't store config-files on the http-redirect, in fact, just
>> store files there that actually need to be downloaded. Of course
>> this only works if you have a separate redirect-space.
>> - Instruct your webserver to not allow access to things like .cfg,
>> .txt, etc etc
>> - As an extra security/obscurity, just disable directory-browsing.
>> Let's not make anyone any smarter than they need to be ;-)
>>
>> That should do the trick. Oh and one more thing (I learned the
>> hard way), NEVER EVER use the rcon password for something like an
>> os-user. IF someone finds out the password,.....
>>
>> As a sidenote for clan-based servers. Clans often want to update
>> their usermaps all at once instead of on every map change. In this
>> case the http-redirect is not ideal, so we use rsync to do that.
>> When the server has updated maps, I send an email, and all they
>> have to do is click some desktop-icon to update their own set. We
>> implemented it because cod5 crashes a lot when it has to get an
>> updated version of some map.
>>
>> Grtz
>> Bram
>>
>>
>> Tomé Duarte wrote:
>>
>> I believe when you're using HTTP redirect the gameserver
>> automatically redirects all downloads to the configured URL.
>> However, a custom application to exploit this misconfiguration
>> may somehow be able to download the server.cfg; this depends
>> on the server code but it's highly probable that it redirects
>> the request to the webserver.
>>
>> Does anyone have any more info on this vuln? Is it just the
>> sv_allowdownload cvar or are there any other "requirements"?
>> Is there a published vuln report or exploit?
>>
>> Cheers,
>> Tomé Duarte
>>
>> Connect with me via:
>> Twitter: http://twitter.com/tomeduarte
>> LinkedIn: http://www.linkedin.com/in/tduarte
>>
>>
>> On Wed, Jan 20, 2010 at 1:04 AM, Geoff Goas <gitman at gmail.com> wrote:
>>
>> I do... I was under the impression that sv_allowdownload had to be
>> enabled in order for HTTP redirect to work. Is that not the case?
>>
>>
>> On Mon, Jan 18, 2010 at 7:36 PM, Mavrick Master <mavrick.master at gmail.com> wrote:
>>
>> Do you have the http redirect setup?
>>
>> If not, may I suggest you set this up and in the off-server
>> http location only store the mod and not your config files.
>> This should solve your problem.
>>
>>
>> Daniel 'mavrick' Lang
>> www.mavrick.id.au
>>
>>
>>
>> On Sun, Jan 17, 2010 at 2:45 PM, Geoff Goas <gitman at gmail.com> wrote:
>>
>> That's correct.
>>
>>
>> On Mon, Jan 11, 2010 at 7:25 PM, Mavrick Master <mavrick.master at gmail.com> wrote:
>>
>> The client auto-download was used because I presume
>> you are running a mod?
>>
>> Daniel 'mavrick' Lang
>> www.mavrick.id.au
>>
>>
>>
>>
>> On Thu, Dec 31, 2009 at 11:15 PM, Hannu Kumpeli <hannu at shadowstyle.nl> wrote:
>>
>> well after they got the rcon pass they could
>> change all non write protected
>>
>> > But they could only download and view, not edit. Correct?
>> >
>> > From: Geoff Goas [mailto:gitman at gmail.com]
>> > Sent: Thursday, December 31, 2009 1:03 AM
>> > To: Call of Duty server admin list.
>> > Subject: [cod] A word of advice
>> >
>> >
>> >
>> > This may not be news to some, but I just had first hand experience with it, so I
>> > think I should share....
>> >
>> > Someone just gained access to the RCON password for my CoD2 server.
>> > Apparently, they were able to use the client auto-download functionality to
>> > download my server configuration, which I (stupidly) had named "server.cfg".
>> >
>> > So a word to the wise - name your server config in such a way that nobody
>> > can guess what it is. This is a Q3 engine bug, so the whole series is
>> > affected.
>> > --
>> > Geoff Goas
>> > Network Engineer
>> >
>> >
>> > _______________________________________________
>> > cod mailing list
>> > cod at icculus.org
>> > http://icculus.org/mailman/listinfo/cod
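As an added example, not part of this thread and not code from any project mentioned in it: a small POSIX shell audit for the advice given above about keeping only downloadable content in the http-redirect space. It walks the redirect directory (nested mod directories included), reports anything that is not an IWD, and exits non-zero so it can be run from cron or a deploy script. The allowed extensions (.iwd for CoD, .pk3 for other Q3-engine games), the directory layout and the file names in the demo are assumptions; adjust the case pattern for the games you host.

```shell
#!/bin/sh
# Added example (not from the thread): audit an http-redirect directory so it
# holds only the files clients actually need to download. Everything else
# (.cfg, .txt, logs, ...) is reported as stray.
# Assumption: legitimate download content is .iwd (CoD) or .pk3 (other Q3
# engine games); edit the case pattern below for the games you host.

# Print every regular file under $1 that is not legitimate download content,
# one per line. Nested mod directories (fs_game/...) are walked as well.
list_stray_files() {
    find "$1" -type f | while IFS= read -r f; do
        case "$f" in
            *.iwd|*.pk3) ;;                  # legitimate download content
            *) printf '%s\n' "$f" ;;         # anything else should not be here
        esac
    done
}

# Exit status 0 when the redirect directory is clean, 1 when stray files exist,
# so a cron job or deploy script can fail loudly on a misplaced config.
audit_redirect_dir() {
    stray=$(list_stray_files "$1")
    if [ -n "$stray" ]; then
        printf 'stray files in %s (not download content):\n%s\n' "$1" "$stray"
        return 1
    fi
    printf '%s: clean\n' "$1"
    return 0
}

# Constructed demo: a throwaway redirect space with two IWDs and one config
# file that was copied there by mistake, to show the audit catching it.
demo_redirect_audit() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/mymod"
    : > "$tmp/mymod/mod.iwd"
    : > "$tmp/mymod/maps.iwd"
    : > "$tmp/mymod/server.cfg"
    audit_redirect_dir "$tmp" && rc=0 || rc=1
    rm -rf "$tmp"
    return $rc
}

# Usage: sh audit-redirect.sh --demo           (run the constructed demo)
#        . ./audit-redirect.sh; audit_redirect_dir /var/www/redirect
if [ "${1:-}" = "--demo" ]; then
    demo_redirect_audit
fi
```

The check is deliberately an allow-list rather than a deny-list of .cfg and .txt: a deny-list misses whatever else gets copied into the docroot by accident (backups, logs, scripts), while an allow-list only passes the file types clients are meant to fetch.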