[17236] in bugtraq
Half-Life Dedicated Server Vulnerability
daemon@ATHENA.MIT.EDU (Vulnerability Help)
Mon Oct 16 15:51:26 2000
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.GSO.4.21.0010161027340.10979-100000@mail>
Date: Mon, 16 Oct 2000 10:27:57 -0700
Reply-To: Vulnerability Help <vulnhelp@SECURITYFOCUS.COM>
From: Vulnerability Help <vulnhelp@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
-----BEGIN PGP SIGNED MESSAGE-----
Vulnerability Report by Mark Cooper
Date Published: 16th October 2000
Advisory ID: N/A
Bugtraq ID: 1799
http://www.securityfocus.com/bid/1799
CVE CAN: N/A
Title: Half-Life Dedicated Server Vulnerability
Class: Buffer Overflow
Remotely Exploitable: Yes
Locally Exploitable: Yes
Release Mode: FORCED RELEASE
This vulnerability is actively being exploited in the wild.
Vulnerable Packages/Systems:
Half-Life Dedicated Server for Linux 3.1.0.3 & Previous
Vulnerability Description:
A buffer overflow vulnerability was discovered in a Half-Life dedicated server during a routine security audit. A user shell was found listening on the ingreslock port of the server, which led to an investigation into how this had been achieved.
From the logs left on the server, it was ascertained that a predefined exploit script was used and that the perpetrator failed to further compromise the server because the Half-Life software was running as a non-privileged user.
The vulnerability appears to exist in the changelevel rcon command and does not require a valid rcon password. The overflow appears to occur after the logging function, as the following was found in the last entries of the daemon's log:-
# tail server.log.crash | strings
L 08/23/2000 - 23:28:59: "[CiC]Foxdie<266>" say "how so?"
Bad Rcon from x.x.x.x:4818:
rcon werd changelevel
bin@
sh!@
Privet ADMcrew\
rcon werd changelevel
The actual raw exploit code is logged, along with what appears to be the script author's tag, ADM ( http://adm.freelsd.net/ADM/ ). Perhaps they could shed some light on this?
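A detection pass over the server log for the pattern shown above, added here as an example; it is not part of the advisory and not Valve's or ADM's code. The sample log is constructed to resemble the excerpt in raw form, before `strings` stripped the binary, with invented placeholder bytes (a NOP-style sled and an embedded "/bin/sh") standing in for the real payload, which the advisory does not reproduce. The record structure assumed is the one visible in the excerpt: a "Bad Rcon from ip:port:" line followed by the raw "rcon <password> <command> [args]" text. The heuristics (non-printable bytes, an oversized changelevel argument, a shell path in the payload) are the reviewer's assumptions about what an attempt looks like, not a signature for the actual exploit.

```python
"""Flag suspicious unauthenticated rcon attempts in a Half-Life dedicated server log."""
import re
from typing import Iterator, List, NamedTuple, Tuple

# Constructed sample log (raw bytes, not `strings` output), modelled on the
# advisory's excerpt. The 0x90 sled and "/bin/sh" are placeholders, not the
# real exploit payload.
SAMPLE_LOG = b''.join([
    b'L 08/23/2000 - 23:28:59: "[CiC]Foxdie<266>" say "how so?"\n',
    b'Bad Rcon from x.x.x.x:4818:\n',
    b'rcon werd changelevel ', b'\x90' * 64, b'/bin/sh\x00\n',   # payload spans a newline
    b'\x00Privet ADMcrew\\\n',
    b'L 08/23/2000 - 23:29:10: "[CiC]Foxdie<266>" say "lag"\n',
    b'Bad Rcon from 10.0.0.5:27020:\n',
    b'rcon hunter2 status\n',                                   # wrong password, benign
    b'Bad Rcon from 10.0.0.6:1234:\n',
    b'rcon werd changelevel crossfire\n',                       # normal map change
])

# A line that starts a new log entry; anything else continues the current record,
# so a binary payload containing '\n' is not mistaken for a separate entry.
RECORD_START = re.compile(rb'^(L \d\d/\d\d/\d{4} - |Bad Rcon from )')
BAD_RCON = re.compile(rb'^Bad Rcon from (\S+?):(\d+):$')
MAX_ARG_LEN = 64  # assumption: legitimate map names are far shorter than this


class Finding(NamedTuple):
    source: str
    port: int
    command: str
    reasons: Tuple[str, ...]


def split_records(log: bytes) -> Iterator[List[bytes]]:
    """Group raw lines into log records, keeping multi-line payloads together."""
    record: List[bytes] = []
    for line in log.split(b'\n'):
        if RECORD_START.match(line) and record:
            yield record
            record = []
        record.append(line)
    if record:
        yield record


def classify_payload(payload: bytes) -> Tuple[str, ...]:
    """Return the reasons an rcon payload looks like an overflow attempt (empty if none)."""
    reasons = []
    if any(b < 0x20 or b > 0x7e for b in payload):
        reasons.append('non-printable bytes')
    parts = payload.split(b' ', 3)  # rcon <password> <command> [args]
    args = parts[3] if len(parts) > 3 else b''
    if len(parts) > 2 and parts[2] == b'changelevel' and len(args) > MAX_ARG_LEN:
        reasons.append('oversized changelevel argument')
    if b'/bin/sh' in payload:
        reasons.append('shell string in payload')
    return tuple(reasons)


def find_suspicious_rcon(log: bytes) -> List[Finding]:
    """Scan a raw server log and report Bad Rcon records whose payload looks hostile."""
    findings = []
    for record in split_records(log):
        m = BAD_RCON.match(record[0])
        if not m or len(record) < 2:
            continue
        payload = b'\n'.join(record[1:]).rstrip(b'\n')
        reasons = classify_payload(payload)
        if reasons:
            parts = payload.split(b' ', 3)
            command = parts[2].decode('ascii', 'replace') if len(parts) > 2 else '?'
            findings.append(Finding(m.group(1).decode(), int(m.group(2)), command, reasons))
    return findings


if __name__ == '__main__':
    for f in find_suspicious_rcon(SAMPLE_LOG):
        print(f'{f.source}:{f.port} {f.command}: {", ".join(f.reasons)}')
```

Run it against a real log rather than `strings` output: the strings pass throws away exactly the non-printable bytes that distinguish an overflow attempt from a mistyped password, which is why the benign attempts from 10.0.0.5 and 10.0.0.6 in the sample are not reported while the x.x.x.x record is.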
Solution/Vendor Information/Workaround:
Valve Software promised a patch which has yet to appear. Interim measures would include:-
A) Consider not running the Half-Life software at all!
B) Remove the world execute bit from inetd to 'break' the exploit code - this only stops the script kiddies, since the overflow itself is unaffected and a different payload would still work
C) Ensure sane ipfwadm/ipchains filters are in place
D) Keep the server running as a dedicated non-privileged account; that is what limited the damage in this case
Vendor notified on: 14th September 2000
Credits:
Credit for the vulnerability discovery presumably lies with ADM. :) The forensic work which discovered this problem was performed by Mark Cooper.
This advisory was drafted with the help of the SecurityFocus.com Vulnerability Help Team. For more information or assistance drafting advisories please mail vulnhelp@securityfocus.com.
Exploit/Concept Code:
Try http://adm.freelsd.net/ADM/ ?
Reference:
http://www.valvesoftware.com
DISCLAIMER:
No responsibility whatsoever is taken for any correct/incorrect use of this information. This is for informational purposes only.
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
iQEVAwUBOes6XV15pZzZvm7VAQEJdQf+JH07d2Of2fyZj5GAwH4Hyw43kBHysnqn
9K6faf1tON7RqkJXxvbTRbokEHv4lE4um1mUnYcWsDSv58xfgCJ8Fctq9aK1iTUA
qd3Hm/jcDe+uQrPhjTM+jKg1c2xa7XXltXO2bcYBO29EjXJmp6bF2kr6M/c8z0vr
/s9CpbUZ4cmG71hi/eM+VvhBPndeqE1iqfHaD6esrvnKWuXEvGO1XIn8SMwZXs4p
HKTExgAd88M1OoMwtKCk0J7xFSU7W5r/f/QvkDb2gmn9vpOuOIZlBltTTpxriXQG
xh3jIL/Ku6SIBVWx34WrgsoZe1Rj8BrPWFdBWz5taRDggKAmScrtrw==
=aUch
-----END PGP SIGNATURE-----