[28422] in bugtraq
Re: [VSA0304] Half-Life Client remote hole via Adminmod plugin
daemon@ATHENA.MIT.EDU (3APA3A)
Sat Jan 11 16:22:01 2003
Date: Sat, 11 Jan 2003 13:40:26 +0300
From: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Reply-To: 3APA3A <3APA3A@SECURITY.NNOV.RU>
Message-ID: <102-1439168865.20030111134026@SECURITY.NNOV.RU>
To: "VOID.AT Security" <crew@void.at>
In-Reply-To: <3E1F07AF.6090701@void.at>
MIME-Version: 1.0
Content-Type: text/plain; charset=Windows-1251
Content-Transfer-Encoding: 8bit
Dear VOID.AT Security,
This bug is not related to adminmod, but is rather a bug in Half Life
itself. At least, absolutely the same problem is in the amx plugin. amx_psay
%s%s%s%s causes the same trouble.

So this is a bug in the HalfLife client and may be exploited by a malicious
server operator (including a remote one with permissions to execute any
csay/psay command; rcon access is not actually required, it's possible
to bind a malicious amx_psay command to some key). Since the Half Life
protocol is not secure, it's very likely this bug potentially may be
exploited by any remote attacker while the client is playing.
--Friday, January 10, 2003, 8:49:35 PM, you wrote to bugtraq@securityfocus.com:
VAS> Note, the attacker needs to know the rcon-password.
VAS> However, it is easy to sniff since it is being transmitted
VAS> in plaintext.
<skipped>
VAS> blackboxed the admin_ssay and admin_psay commands.
--
~/ZARAZA
Even if you do receive some letter, you still won't be able to read it. (Twain)
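
An added example, not part of the original message and not Half-Life, Adminmod or amx code: the `%s%s%s%s` input above suggests that message text reaches a printf-style formatter as the format argument, which is an inference from the post. The function names are hypothetical; the block shows the fixed-format display call, a directive counter for flagging such text, and percent-escaping for sinks that cannot be changed.

```c
#include <stdio.h>
#include <string.h>

/* Unsafe pattern, shown only as a comment: snprintf(out, n, msg);
 * There msg is the format, so "%s%s%s%s" makes the formatter fetch four
 * string pointers that were never passed. */

/* Safe display: the format is a fixed literal and msg is only data. */
int show_message_safe(char *out, size_t n, const char *msg)
{
    return snprintf(out, n, "%s", msg);
}

/* Count conversion directives in untrusted text; "%%" is a literal percent. */
size_t count_directives(const char *msg)
{
    size_t count = 0;
    for (const char *p = msg; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        count++;
    }
    return count;
}

/* Escape each '%' as "%%" for a legacy sink that requires a format argument.
 * Returns 0 on success, -1 if out cannot hold the result plus the NUL. */
int escape_percent(char *out, size_t n, const char *msg)
{
    size_t o = 0;
    if (n == 0) return -1;
    for (const char *p = msg; *p; p++) {
        size_t need = (*p == '%') ? 2 : 1;
        if (o + need >= n) return -1;
        if (*p == '%') out[o++] = '%';
        out[o++] = *p;
    }
    out[o] = '\0';
    return 0;
}

int main(void)
{
    const char *msg = "%s%s%s%s";   /* constructed sample, as in the post */
    char shown[64], escaped[64];
    show_message_safe(shown, sizeof shown, msg);
    if (escape_percent(escaped, sizeof escaped, msg) != 0) return 1;
    printf("directives=%zu shown=%s escaped=%s\n",
           count_directives(msg), shown, escaped);
    return 0;
}
```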