
Warning to people running CS:GO servers


asherkin
SourceMod Developer
Join Date: Aug 2009
Location: OnGameFrame()
Old 09-22-2012 , 07:54   Warning to people running CS:GO servers
Reply With Quote #1

A number of communities have been hit by at least one person abusing the fact CS:GO's engine is lacking the fixes Valve made in the 2009 engine for file transfers.

This means that it's possible for a malicious person to
  • Download a number of files from the gameserver (it's unknown at this time if the engine is vulnerable to bypassing the extension blacklist).
  • Upload a number of files to the gameserver (see note above).
  • "Delete" a file by overwriting it with a folder.

I'll be updating ServerSecure soon, hopefully tomorrow, with the multi-engine changes I've been working on. In the meantime, you should do sane things like remove rcon passwords from config files (I suggest disabling RCON entirely if you can, and using sm_rcon) and only give SRCDS write access to directories conservatively.

There is a plugin that is being uploaded to game servers that will expose the rcon_password to anyone on the server.

Known versions:
    • Filename: "basecomms.smx" (note the 's' on the end).
    • File MD5 Hash: b4c68d7153f3379a8434cde4bb799e1a
    • Plugin Hash: 0c1c36a5fb41359246ecfb4c9b4285a5

The "Plugin Hash" in the list above refers to the "Hash:" line seen in the "sm plugins info" output if you're running a version of SourceMod with the malicious plugin blacklist (most recent 1.4 snapshot, all recent 1.5 snapshots) - if you're hosting CS:GO servers, I suggest making sure you are.

If you find any strange plugins on your server that are trying to impersonate base SM plugins, please PM them to me - they're only going to get harder to spot from here on in.
__________________
asherkin is offline
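An added example (not part of the original post or of SourceMod): a scan of a plugins directory that flags any `.smx` file whose file MD5 matches the one quoted above, or whose name closely imitates a stock plugin the way "basecomms.smx" imitates "basecomm.smx". The stock plugin list and the 0.85 similarity cutoff are assumptions; the "Plugin Hash" shown by `sm plugins info` is a different value and is not checked here.

```python
import difflib
import hashlib
from pathlib import Path

# File MD5 quoted in the post above for the malicious "basecomms.smx".
KNOWN_BAD_MD5 = {"b4c68d7153f3379a8434cde4bb799e1a"}

# Assumption: names of plugins shipped enabled with stock SourceMod.
BASE_PLUGINS = {
    "admin-flatfile", "adminhelp", "adminmenu", "antiflood", "basebans",
    "basechat", "basecomm", "basecommands", "basetriggers", "basevotes",
    "clientprefs", "funcommands", "funvotes", "nextmap", "playercommands",
    "reservedslots", "sounds",
}


def md5_of(path):
    """Hash the file in chunks so large plugins are not read into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def lookalike_of(stem):
    """Return the stock plugin this name imitates, or None if exact/unrelated."""
    stem = stem.lower()
    if stem in BASE_PLUGINS:
        return None
    close = difflib.get_close_matches(stem, sorted(BASE_PLUGINS), n=1, cutoff=0.85)
    return close[0] if close else None


def scan_plugins(plugins_dir, bad_md5=KNOWN_BAD_MD5):
    """Return (relative path, reason) pairs for every suspicious .smx file."""
    findings = []
    for path in sorted(Path(plugins_dir).rglob("*.smx")):
        rel = path.relative_to(plugins_dir).as_posix()
        if md5_of(path) in bad_md5:
            findings.append((rel, "md5 matches known malicious plugin"))
        imitated = lookalike_of(path.stem)
        if imitated:
            findings.append((rel, f"name imitates stock plugin '{imitated}'"))
    return findings
```

Run `scan_plugins("addons/sourcemod/plugins")` from the game directory; a name-only hit still needs manual review, since a legitimate third-party plugin can have a similar name.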
Cain
SourceMod Donor
Join Date: May 2005
Location: South Carolina, USA
Old 09-22-2012 , 12:39   Re: Warning to people running CS:GO servers
Reply With Quote #2

Whoah, thank you for informing us..
Cain is offline
Zephyrus
Cool Pig B)
Join Date: Jun 2010
Location: Hungary
Old 09-22-2012 , 14:23   Re: Warning to people running CS:GO servers
Reply With Quote #3

I got hit by it too... it's probably some German guy / proxied through a German server, as the unauthorized rcon commands were sent by a German IP.
__________________
Taking private C++/PHP/SourcePawn requests, PM me.
Zephyrus is offline
Baron Rojo
Senior Member
Join Date: Dec 2011
Old 09-22-2012 , 21:23   Re: Warning to people running CS:GO servers
Reply With Quote #4

Hello, and thank you for your suggestion. I had never before canceled the rcon on my server.

I know there is a:

"rcon_password" "xxxxxx"

in the server.cfg


Quote:
(I suggest disabling RCON entirely if you can, and using sm_rcon)
How do I disable the rcon?
Just by deleting that line?

If I delete that line, what happens?

Does it disable rcon use, or does it give access to the rcon without a password? :X

I have doubts about this because if you leave

sv_password "" empty in the server.cfg, the server becomes password-unprotected and becomes public.

So I'm just asking before doing something wrong, thank you.
Baron Rojo is offline
Mavrick4283
Veteran Member
Join Date: Apr 2010
Location: 127.0.0.1@root
Old 09-23-2012 , 00:12   Re: Warning to people running CS:GO servers
Reply With Quote #5

To turn off the built-in rcon, all you have to do is remove rcon_password from the server.cfg and, if you have it in the command line, from there.

To use sm_rcon you just need to set the correct flag (m is rcon and z is all flags)


Also remember that there are instructions on the wiki here to fix the file permissions.
__________________
Mavrick4283 is offline
ocwoody
AlliedModders Donor
Join Date: Nov 2010
Location: huh
Old 09-24-2012 , 03:05   Re: Warning to people running CS:GO servers
Reply With Quote #6

Thanks for the heads up!

Hopefully we'll have a fix for this soon!
ocwoody is offline
PharaohsPaw
Senior Member
Join Date: Dec 2008
Old 09-24-2012 , 06:12   Re: Warning to people running CS:GO servers
Reply With Quote #7

Thanks for the heads-up.

Man, I had seen some posts about the engine they used for CS:GO having security issues. This is really a bummer.

Really glad you guys are working on the server secure-type plugins to get them working for this game.

The SRCDS hardening info page for Linux filesystem perms in the gameserver tree... if I'm not mistaken, following that is going to cause some probs updating the gameserver, and also there are some other dirs that the game not having write access to is going to make for some "fun".

For example, it seems a given you'd want to protect your sourcemod plugin dirs from writes by the game to keep unauthorized plugins getting put into the dir by an exploit like this. But... what if you're using a plugin updater like "updater"?

yeesh.

Then there's gameserver updates... I think it may be possible to at least contain the general writable permissions problems by running the gameserver as a user that does not have write access to the dir tree the gameserver is in (except for the dirs that have to be allowed like logs, gamedata, downloads, etc.) and then when an update is released, running the updater as a user that DOES have write access.

Working this out will be interesting, to say the least. But it's something I've been needing to do for a while anyway.

Last edited by PharaohsPaw; 09-24-2012 at 06:14.
PharaohsPaw is offline
Bacardi
Veteran Member
Join Date: Jan 2010
Location: mom's basement
Old 09-26-2012 , 06:40   Re: Warning to people running CS:GO servers
Reply With Quote #8

Quote:
Originally Posted by PharaohsPaw View Post
...

For example, it seems a given you'd want to protect your sourcemod plugin dirs from writes by the game to keep unauthorized plugins getting put into the dir by an exploit like this. But... what if you're using a plugin updater like "updater"?
...
If you're worried about plugins,
you can create a sub-folder with a random name and move plugins there.
Code:
...addons/sourcemod/plugins/a12cd/
I use this to separate SM base plugins, downloaded ones and my own testing plugins; each has its own folder.
__________________
Do not Private Message @me
Bacardi is offline
PharaohsPaw
Senior Member
Join Date: Dec 2008
Old 09-27-2012 , 07:42   Re: Warning to people running CS:GO servers
Reply With Quote #9

Quote:
Originally Posted by Bacardi View Post
If you're worried about plugins,
you can create a sub-folder with a random name and move plugins there.
Code:
...addons/sourcemod/plugins/a12cd/
I use this to separate SM base plugins, downloaded ones and my own testing plugins; each has its own folder.
Bacardi thanks - wow, I've been dinking around with Sourcemod for going on 5 years and didn't know you could do that!

I did manage to get my whole setup switched over to a split user config. Basically the games run as a user that only has write permissions to "must write" dirs (logs, sourcemod data dirs, etc.) but can't overwrite or create new files anywhere else. All but a few files/dirs are owned by the user the update daemon runs as.

The trick was getting the update daemon to be able to "write" into the gameserver consoles now that those screens are owned by a different user -- I ended up having to switch to tmux to accomplish that. (was using screen before)

Last edited by PharaohsPaw; 09-27-2012 at 07:59.
PharaohsPaw is offline
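An added example (not part of the original post): an audit for the split-user layout described above, listing every path the game user could write to outside the "must write" directories. The directory names in the usage note are assumptions, and the check reads POSIX mode bits only, so ACLs are not considered.

```python
import os
import stat


def writable_by(st, uid, gids):
    """POSIX mode-bit check: would this uid / group set be granted write?"""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_tree(root, uid, gids, must_write):
    """Return paths under root writable by the game user but not allowed.

    must_write holds paths relative to root (logs, data dirs, ...) where
    write access is expected; everything beneath them is skipped.
    """
    allowed = [os.path.normpath(p) for p in must_write]
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # Check the directory itself first, then the files inside it:
        # a writable directory lets the user drop or replace files in it.
        for name in [""] + filenames:
            full = os.path.join(dirpath, name) if name else dirpath
            rel = os.path.normpath(os.path.relpath(full, root))
            if any(rel == a or rel.startswith(a + os.sep) for a in allowed):
                continue
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink mode bits say nothing about the target
            if writable_by(st, uid, gids):
                findings.append(rel)
    return sorted(findings)
```

For instance, `audit_tree("/home/srcds", game_uid, game_gids, ["csgo/logs", "csgo/addons/sourcemod/data"])` should return an empty list once the tree is owned by the update user, with the game user's uid and group ids taken from `id` output.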
Geraldinehenry
New Member
Join Date: Oct 2012
Old 10-23-2012 , 01:12   Re: Warning to people running CS:GO servers
Reply With Quote #10

Quote:
Originally Posted by Zephyrus View Post
I got hit by it too... it's probably some German guy / proxied through a German server, as the unauthorized rcon commands were sent by a German IP.
Geraldinehenry is offline