Attn Admins: Adminmod Exploit Found!

DOOManiac (Worst. Critic. Ever.) Join Date: 2002-04-17 Member: 462, Members, NS1 Playtester
Saw this on PHL:

> Due to a format string in the Half-Life *client*, it is possible for an attacker who has rcon access to a game server that runs Adminmod, to exploit the machine of a player that is connected to the game server.
> No, even better, you can exploit ALL clients that play on the server AT ONCE!
>
> Note, the attacker needs to know the rcon-password. However, it is easy to sniff since it is being transmitted in plaintext.

With more info about this here: http://online.securityfocus.com/archive/1/306120/2003-01-07/2003-01-13/0

Just thought some of you server admins running Adminmod might want to know, because now that it's public knowledge that there is a problem, the number of llamas attempting to do whatever it is will skyrocket...

Comments

  • cracker_jackmac Join Date: 2002-11-04 Member: 6891, Members, Constellation, Reinforced - Shadow
    No offense, but duh?

    > Note, the attacker needs to know the rcon-password.

    Duh.

    > However, it is easy to sniff since it is being transmitted in plaintext.

    Yes, that's why a wise admin wouldn't use rcon ;)

    I have rcon enabled, but I only connect to rcon from behind the firewall.
  • j0e Join Date: 2002-11-01 Member: 2840, Banned
    Adminmod will be patched within 48 hours.

    Metamod probably the same.

    There is one particular overflow method that will have to be fixed by Valve though. I recommend you set rcon_password "" and use admin_rcon instead.
  • DOOManiac (Worst. Critic. Ever.) Join Date: 2002-04-17 Member: 462, Members, NS1 Playtester
    Hey, I'm not a server admin. I just thought a few of you would like to know about this sort of thing. Excuse the **** out of me...
  • BioHazard Join Date: 2002-11-07 Member: 7495, Members
    edited January 2003
    No need to get snooty, we all like to know things like this. I have dumped my rcon because of the post, and I thank you for posting this.

    http://www.unknownworlds.com/forums/index.php?act=ST&f=8&t=19388

    Here is our fix to be able to rcon without rcon passwords....
  • GoleX Join Date: 2002-11-07 Member: 7681, Members
    edited January 2003
    Also a Clanmod REMOTE SHELL exploit found, which is far more severe, but also requires rcon password. Make sure you don't run your HLDS server as root:
    [void.at Security Advisory VSA0301]

    Clanmod[1] is a plugin for the "Half-Life Server", hosting
    the most popular online game today, "Counter-Strike", among
    others.

    Overview
    ========

    Due to a format string bug in clanmod, it is possible
    for a remote attacker who knows the rcon-password to
    remotely exploit the gameserver. Since most game-server
    admins I've seen are not very security-aware, the server
    generally runs as root.

    The rcon-password can be obtained using social engineering
    or sniffing-techniques, since it is being transmitted
    in plaintext. It is needed because the vulnerable function
    can only be called via rcon.

    Affected Versions
    =================

    All Clanmod versions on Windows and Linux.
    Successfully tested with Clanmod 1.81.11 running on
    hlds 3.1.1.0 on Linux.

    Impact
    ======

    High. Remote-shell and very likely remote-root.

    Details
    =======

    This is a format string bug. Clanmod registers the command
    "cm_log" to the halflife server, its purpose is to write a line
    to the server log. This line is written using a printf-function
    as seen in server.cpp:

    2790 void CmdLogMessage()
    2791 {
    2792     if (CMD_ARGC() > 1) {
    2793         UTIL_FillText((char*)CMD_ARGS()/*UTIL_GetVarArgs(1,FALSE)*/, NULL, 256, cmSet.allow_to_execute, NULL, NULL, TRUE);
    2794         UTIL_LogPrintf(UTIL_VarArgs("[%s] %s", Plugin_info.logtag, com_token));
    2795     }
    2796     else
    2797         PrintErrorInfo("cm_log");
    2798
    2799     //Close any opened gate
    2800     cmSet.allow_to_execute_time = gpGlobals->time + 0.25;
    2801 }

    Line 2794: UTIL_LogPrintf gets called with a user-supplied string.
    UTIL_LogPrintf itself calls vsnprintf with no further checks.

    rcon-output:

    log on
    cm_log %08x.%08x.%08x.%08x

    -> [CLANMOD] 00000000.bfff0001.433a9984.433a9964

    Solution
    ========

    Disable clanmod until a patched version becomes available.
    Change the rcon-password.
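The bug pattern the advisory describes, as an added illustration (this is not Clanmod's code or the advisory's): a hypothetical log_printf stands in for UTIL_LogPrintf, cm_log_vulnerable hands the "[tag] args" line to it as the format string exactly as line 2794 does, and cm_log_fixed passes the same line as a plain "%s" argument; has_format_directive is a small log-review check for rcon text that would be parsed as a conversion.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for UTIL_LogPrintf: formats into buf with vsnprintf
 * and, as the advisory says of the original, performs no check on fmt.
 * Marking it __attribute__((format(printf, 3, 4))) would let gcc/clang
 * -Wformat-security flag the call in cm_log_vulnerable at compile time. */
static void log_printf(char *buf, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, n, fmt, ap);
    va_end(ap);
}

/* The pattern from line 2794 of the advisory: the "[tag] args" line, whose
 * tail is rcon-supplied, is handed to the logger as the FORMAT string.
 * A '%' conversion in args reads arguments that were never passed, which is
 * undefined behaviour (the bug); only "%%", which is defined, is used here. */
char *cm_log_vulnerable(char *out, size_t n, const char *tag, const char *args)
{
    char line[256];
    snprintf(line, sizeof line, "[%s] %s", tag, args);
    log_printf(out, n, line);          /* rcon text parsed as a format */
    return out;
}

/* The fix: a constant format, with the user-influenced line passed as data. */
char *cm_log_fixed(char *out, size_t n, const char *tag, const char *args)
{
    char line[256];
    snprintf(line, sizeof line, "[%s] %s", tag, args);
    log_printf(out, n, "%s", line);    /* rcon text is only ever an argument */
    return out;
}

/* Log-review heuristic: non-zero if s holds a '%' that printf would treat
 * as a conversion; "%%" is an escaped literal percent and does not count. */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        return 1;
    }
    return 0;
}
```

Even a harmless "%%" in the argument comes out rewritten by the vulnerable path while the fixed path logs it verbatim, which is the observable symptom of the pattern without any of the undefined reads.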
  • Arkaine Join Date: 2002-07-12 Member: 914, Members
    > QUOTE (cracker jackmac @ Jan 11 2003, 11:55 AM)
    > No offense, but duh?
    >
    > > Note, the attacker needs to know the rcon-password.
    >
    > Duh.
    >
    > > However, it is easy to sniff since it is being transmitted in plaintext.
    >
    > Yes, that's why a wise admin wouldn't use rcon ;)
    >
    > I have rcon enabled, but I only connect to rcon from behind the firewall.

    Heh, that's cracker for ya...always with the wisecracks. :)
  • cracker_jackmac Join Date: 2002-11-04 Member: 6891, Members, Constellation, Reinforced - Shadow
    I guess he didn't know me well enough. Sorry DOOManiac, meant no offense.
  • j0e Join Date: 2002-11-01 Member: 2840, Banned
    > QUOTE (BioHazard @ Jan 11 2003, 10:39 AM)
    > Here is our fix to be able to rcon without rcon passwords....

    You can do rcon without rcon passwords using Adminmod with admin_rcon :)
  • SuicideDog Join Date: 2002-11-10 Member: 8104, Members
    edited January 2003
    Yea, but you have to be set up as an admin in Adminmod... unless you are brainless and give everyone admin access. (Or did I miss something in my skimming of this thread?)
  • Brutus Join Date: 2002-10-20 Member: 1555, Members
    > QUOTE (cracker jackmac @ Jan 11 2003, 09:55 AM)
    > Yes, that's why a wise admin wouldn't use rcon ;)
    >
    > I have rcon enabled, but I only connect to rcon from behind the firewall.

    Adminmod is less secure than RCON.
  • j0e Join Date: 2002-11-01 Member: 2840, Banned
    > QUOTE (Brutus @ Jan 12 2003, 09:09 PM)
    > Adminmod is less secure than RCON.

    Based on what? All these cracks require the rcon password.