[17399] in bugtraq


Re: Half Life dedicated server Patch

daemon@ATHENA.MIT.EDU (Shaun Meckler)
Mon Oct 30 00:32:33 2000

Message-Id:  <39F9ECD2.13874B4D@truckmaster.com>
Date:         Fri, 27 Oct 2000 15:00:02 -0600
Reply-To: Shaun Meckler <shaun@TRUCKMASTER.COM>
From: Shaun Meckler <shaun@TRUCKMASTER.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

My apologies for not including this in the previous message, as it came
right after I sent it.

-------- Original Message --------
Subject: rcon "format string" problem
Date: Fri, 27 Oct 2000 16:49:41 -0400
From: Leon Hartwig <hartwig@valvesoftware.com>
Reply-To: hlds_linux@valvesoftware.com
To: hlds_linux@valvesoftware.com


First, let me preface this by saying that this message deals with a second
problem that was reported with rcon.  This message does not talk about the
rcon overflow problem, which, prior to 3104, could be exploited to gain
control of a server.  The overflow problem (the BIG problem that everyone
was concerned about) was something else.  That problem was fixed in 3104.
This message is about something else.  I just want to be clear on that,
since the overflow exploit was very serious and I don't want people reading
this message and having any doubt that it has been fixed.

As for the "format string" problem with rcon that was in one of the security
advisories, I am concluding that it does not exist.  I cannot reproduce it
under any circumstances, and have reviewed the related code and find no
problems.  However, there IS a format string problem with the 'changelevel'
command.  A successful "rcon changelevel %s" command will crash 3104.  But
as I said, this is a changelevel problem and not an rcon problem (try
'changelevel %s' directly from the console if you want to see it in action).
Unsuccessful (read: incorrect password) rcon commands will not cause this
crash.  As far as the security advisory goes, my only guess is that since
all of the rcon problems were focusing on examples that used the
'changelevel' command, it was mistakenly reported that the format string
problem was an rcon problem, and not a changelevel problem.

The "changelevel %s" crash can only be done by someone with direct access to
the console, or with access to the correct rcon password.  This will be
fixed in the next update.

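The following is an added worked model of the two points made in the
forwarded message: a map name that reaches the console logger as the format
string (so "changelevel %s" makes the logger fetch an argument that was never
passed), and the rcon password check that sits in front of the command
parser, which is why a wrong-password "rcon changelevel %s" never reaches the
bug.  It is written for this page and is not code from Valve or the HLDS
engine; con_printf, changelevel_vulnerable, changelevel_safe, rcon_exec,
count_directives, valid_map_name and the sample password are all assumed
names and values, and the hardened path is one reasonable fix, not the one
shipped in the next update.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the engine's console logger: a printf-style sink
 * that writes into a caller-supplied buffer.  It carries no format attribute,
 * so the compiler will not flag the misuse in changelevel_vulnerable(). */
static int con_printf(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* VULNERABLE (hypothetical model of the changelevel path): the map name is
 * folded into a message and that message is then reused as the format string.
 * With a map name of "%s", vsnprintf tries to fetch a char* argument that was
 * never passed and dereferences stack garbage: the crash described above.
 * Never feed this attacker-controlled input; it is here for comparison only. */
static int changelevel_vulnerable(const char *map, char *out, size_t n)
{
    char msg[128];
    snprintf(msg, sizeof msg, "Changing level to %s", map);
    return con_printf(out, n, msg);          /* user data IS the format */
}

/* HARDENED: the format string is a literal and the map name travels as a %s
 * argument, so a '%' inside the name is plain data. */
static int changelevel_safe(const char *map, char *out, size_t n)
{
    return con_printf(out, n, "Changing level to %s", map);
}

/* Defense in depth: count conversion directives in a user-supplied string
 * ("%%" is an escape, not a directive).  A nonzero result on a map name is a
 * good log-and-reject signal even after the format bug itself is fixed. */
static int count_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        count++;
    }
    return count;
}

/* Map names are plain file stems; accept only [A-Za-z0-9_-]. */
static int valid_map_name(const char *map)
{
    if (!*map) return 0;
    for (; *map; map++)
        if (!isalnum((unsigned char)*map) && *map != '_' && *map != '-')
            return 0;
    return 1;
}

enum rcon_status { RCON_OK = 0, RCON_BAD_PASSWORD = 1,
                   RCON_BAD_ARG = 2, RCON_UNKNOWN = 3 };

#define RCON_PASSWORD "hunter2"   /* constructed sample, not a real password */

/* Model of the rcon path: the password is compared before the command is
 * even parsed, so a wrong-password request returns here and the changelevel
 * code (and its format bug) is never reached. */
static enum rcon_status rcon_exec(const char *password, const char *cmd,
                                  char *out, size_t n)
{
    if (strcmp(password, RCON_PASSWORD) != 0) {
        snprintf(out, n, "Bad rcon_password.");
        return RCON_BAD_PASSWORD;
    }
    char map[64];
    if (sscanf(cmd, "changelevel %63s", map) == 1) {
        if (!valid_map_name(map) || count_directives(map) > 0) {
            snprintf(out, n, "Rejected map name");
            return RCON_BAD_ARG;
        }
        changelevel_safe(map, out, n);
        return RCON_OK;
    }
    snprintf(out, n, "Unknown or malformed command");
    return RCON_UNKNOWN;
}
```

Calling changelevel_safe("%s", ...) simply logs the literal text "Changing
level to %s", which is the behaviour a fixed server should show from the
console; rcon_exec with the right password additionally rejects such a name
before it is used anywhere, and with the wrong password returns without
parsing the command at all.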