Raised This Month: $2 Target: $400
 0% 

New RCON exploit


Post New Thread Reply   
 
Thread Tools Display Modes
devicenull
Veteran Member
Join Date: Mar 2004
Location: CT
Old 11-21-2009 , 14:17   Re: New RCON exploit
Reply With Quote #31

Quote:
Originally Posted by NouveauJoueur View Post
And how we're supposed to find a fix for ou servers if we don't even know how this exploit works ?
How would you fix it even if you knew how the exploit works? Do you have access to the engine source code?
__________________
Various bits of semi-useful code in a bunch of languages: http://code.devicenull.org/
devicenull is offline
Isias
Senior Member
Join Date: Apr 2006
Old 11-21-2009 , 17:55   Re: New RCON exploit
Reply With Quote #32

So, he gets your Rcon PW by brute forcing? Then you must have used quiet a week password, use a password that contains at least 7 to 14 digits, containing numbers, letters and !")$ etc., while this word should not be found in any dictonary. Of course he can add himself as an admin in Mani afterwards once he gained the Rcon PW or is able to upload or download files, like the server.cfg or any .txt file, from the server. But if he's stil able to upload files via FTP to the server, he can add himself as an admin in any plugin he wants to.
Isias is offline
NoS
Senior Member
Join Date: Nov 2006
Old 11-22-2009 , 06:28   Re: New RCON exploit
Reply With Quote #33

He uses a hacked .dll and uploads files like sprays. If you want to prevent this either use the file exploit plugin by devicenull, or sv_allowupload 0. Both will do the job.

Exploit works in both mani and sourcemod. He doesn't know your rcon password, he is changing it.
NoS is offline
NouveauJoueur
SourceMod Donor
Join Date: May 2009
Old 11-22-2009 , 06:55   Re: New RCON exploit
Reply With Quote #34

sv_allowupload wont prevent the upload exploit from working, but it's supposed to be fixed by Valve now ...
__________________
NouveauJoueur is offline
NoS
Senior Member
Join Date: Nov 2006
Old 11-22-2009 , 07:54   Re: New RCON exploit
Reply With Quote #35

Quote:
Originally Posted by NouveauJoueur View Post
sv_allowupload wont prevent the upload exploit from working, but it's supposed to be fixed by Valve now ...
Well its not and it does, the options I have listed above are the only fixes that currently exist.
NoS is offline
NouveauJoueur
SourceMod Donor
Join Date: May 2009
Old 11-22-2009 , 10:03   Re: New RCON exploit
Reply With Quote #36

Quote:
Originally Posted by NoS View Post
Well its not and it does, the options I have listed above are the only fixes that currently exist.
I don't think that the options you've listed above are the only fixes that currently exist, that's what I mean.

Quote:
Originally Posted by Luigi Auriemma
Note that these "file uploading" vulnerabilities can be exploited even
with uploads and downloads disabled, indeed using "sv_allowupload 0"
does NOT solve the situation.
__________________
NouveauJoueur is offline
NoS
Senior Member
Join Date: Nov 2006
Old 11-22-2009 , 10:46   Re: New RCON exploit
Reply With Quote #37

Quote:
Originally Posted by NouveauJoueur View Post
I don't think that the options you've listed above are the only fixes that currently exist, that's what I mean.
The thing I know exactly how the kid does it, because I have talked to the guy who hacked the OP's server and sv_allowupload 0 stops it. The exploit listed there is not the same one that is being listed in the OP. You should also ban that IP range, he has dynamic IP and multiple steam accounts.

They are the only CURRENT known ones, no doubt more plugins can be made to stop the exploit.
NoS is offline
tigerox
AlliedModders Donor
Join Date: Oct 2008
Location: Canada
Old 11-22-2009 , 15:44   Re: New RCON exploit
Reply With Quote #38

They are not the only fixes.

If you run a dedicated server you can run the server as another user. Giving this user only write access to logs..etc.

Much easier then running a mod. File download is still a problem, but you can protect your rcon password by launching srcds with the +rcon_password and not putting it in your server.cfg.
tigerox is offline
NoS
Senior Member
Join Date: Nov 2006
Old 11-22-2009 , 18:14   Re: New RCON exploit
Reply With Quote #39

Quote:
Originally Posted by tigerox View Post
They are not the only fixes.

If you run a dedicated server you can run the server as another user. Giving this user only write access to logs..etc.

Much easier then running a mod. File download is still a problem, but you can protect your rcon password by launching srcds with the +rcon_password and not putting it in your server.cfg.
Most people do not run dedicated servers. If you DO run a dedicated server you can do a lot more outside of plugins.
NoS is offline
Isias
Senior Member
Join Date: Apr 2006
Old 12-08-2009 , 03:10   Re: New RCON exploit
Reply With Quote #40

There was a small engine update for OB based games (Dod:S / TF2), that seems to adress this problem.

# Added checks to prevent transferring .smx, .gcf, and .sys files between client/server
# Fixed upload/download exploits with spaces in the file extension or a path separator at the beginning of the requested file (as reported on the HLDS mailing lists)
Isias is offline
Reply


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT -4. The time now is 22:30.


Powered by vBulletin®
Copyright ©2000 - 2020, vBulletin Solutions, Inc.
Theme made by Freecode