Basically, what an exploit does is alter the way a program executes so that it won't do the things it was designed to do. Now, you have different kinds of so-called shellcodes; in my example I had a portbinding shellcode. It listens on a port (defined in the exploit, so you can't tell in advance what port), and if someone telnets or uses netcat to connect to that port it will give you a shell. This is also usually a TCP type of connection. Firewalling everything but UDP on port 27015 might help you, but it is fairly easy to bypass that by creating connect-back shellcode (it connects back to the person that ran the exploit), and UDP instead of TCP shellcodes exist too. For more info on exploits and examples of shellcodes, see http://www.packetstormsecurity.nl
But to summarize it, you are basically fucked until Valve releases a patch (you can try some non-official Valve patches though). Another thing that will greatly improve the security of your machine is recompiling your kernel with the grsecurity patch; it can be found at www.grsecurity.net. Be careful though if you host Quake based games, because this might cause problems. (Enable non-executable stack, randomized mmap, etcetera, but don't overdo it, because some of your programs might not work anymore then.) Also, make sure you never run Half-Life as root, but as a normal user. What also helps a lot: make sure you have your local security up to date; if they do gain access, but as a normal user, it might be a little bit harder for them to actually obtain root.

----- Original Message -----
From: "Børge Amundsen" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 31, 2003 12:22 AM
Subject: Re: [hlds_linux] HLDS Expolits.

> On Thu, Jul 31, 2003 at 12:10:25AM +0200, Erik van den Berg wrote:
> | one that gains a shell
>
> *shivers*, then I must ask. How would such a thing work? I mean from a
> sysadmin perspective. The exploit makes a shell code that executes and
> opens a telnet? Is the exploiter telling what port this is done on? Would it
> have to be done on the CS server's port? If I have a firewall blocking
> everything but UDP 27015, would the attacker still be able to telnet in?
>
> I'll be happy if you explain a bit, from an admin's perspective, so that
> perhaps I could be able to spot this before all the rootkits are installed.
>
> You might do it to my mail address if you don't want to explain for
> the list. :)
>
>
> |
> | ----- Original Message -----
> | From: "Børge Amundsen" <[EMAIL PROTECTED]>
> | To: <[EMAIL PROTECTED]>
> | Sent: Thursday, July 31, 2003 12:10 AM
> | Subject: Re: [hlds_linux] HLDS Expolits.
> |
> |
> | > On Thu, Jul 31, 2003 at 12:03:48AM +0200, Erik van den Berg wrote:
> | > | no, I already have seen a working exploit,
> | >
> | > You have seen a working exploit that gains a shell? Or just the exploit
> | > for freezing, crashing?
> | >
> | > | and I can write one too, and if I
> | > | can do it a lot of others can do too :)
> | > | it's just a matter of time when they get public
> | > |
> | > | ----- Original Message -----
> | > | From: "Børge Amundsen" <[EMAIL PROTECTED]>
> | > | To: <[EMAIL PROTECTED]>
> | > | Sent: Wednesday, July 30, 2003 11:55 PM
> | > | Subject: Re: [hlds_linux] HLDS Expolits.
> | > |
> | > |
> | > | > On Wed, Jul 30, 2003 at 09:07:34PM +0200, Erik van den Berg wrote:
> | > | > | yes it can, when the exploit succeeds (not a crash, which is what we have seen so
> | > | > | far), the code that is in the exploit is executed, and if that code is
> | > | > | portbinding shellcode (it opens another port, and if you telnet to that port
> | > | > | /bin/sh will be executed and you will have shell access).
> | > | >
> | > | > Is this trivial to do? Should I expect my box to be rooted as of yet?
> | > | > Have there been released scripts to gain shell with this exploit? Or is
> | > | > this more like "it could be possible"?
> | > | >
> | > | >
> | > | > |
> | > | > | ----- Original Message -----
> | > | > | From: <[EMAIL PROTECTED]>
> | > | > | To: <[EMAIL PROTECTED]>
> | > | > | Sent: Wednesday, July 30, 2003 9:00 PM
> | > | > | Subject: Re: [hlds_linux] HLDS Expolits.
> | > | > |
> | > | > |
> | > | > | > Would it be possible for them to get shell access to the user's account
> | > | > | > if shell is disabled for the users? ALL users running hlds on my servers have
> | > | > | > zero shell access since no one needs shell access but me. So is it even
> | > | > | > possible for them to use this to gain shell access with a username with no
> | > | > | > shell access?
> | > | > | >
> | > | > | > Thanks
> | > | > | > Jeremy
> | > | > | >
> | > | > | >
> | > | > | > Quoting Erik van den Berg <[EMAIL PROTECTED]>:
> | > | > | >
> | > | > | > > heh, crashing is not the bad thing, I was talking about getting shell access
> | > | > | > > as the user running the hlds
> | > | > | > >
> | > | > | > > ----- Original Message -----
> | > | > | > > From: <[EMAIL PROTECTED]>
> | > | > | > > To: <[EMAIL PROTECTED]>
> | > | > | > > Sent: Wednesday, July 30, 2003 1:40 PM
> | > | > | > > Subject: Re: [hlds_linux] HLDS Expolits.
> | > | > | > >
> | > | > | > >
> | > | > | > > > Yes, and it works quite well.
> | > | > | > > > Somebody has already started to crash our servers.
> | > | > | > > > *sigh*
> | > | > | > > >
> | > | > | > > > -jmoen-
> | > | > | > > >
> | > | > | > > > > oh, and I have seen a Linux version of the exploit, so prepare yourselves
> | > | > | > > > >
> | > | > | > > > >
> | > | > | > > > > ----- Original Message -----
> | > | > | > > > > From: "Hlds Linux" <[EMAIL PROTECTED]>
> | > | > | > > > > To: <[EMAIL PROTECTED]>
> | > | > | > > > > Sent: Wednesday, July 30, 2003 1:18 PM
> | > | > | > > > > Subject: Re: [hlds_linux] HLDS Expolits.
> | > | > | > > > >
> | > | > | > > > >
> | > | > | > > > >> The posted "iptables" script is not enough.
> | > | > | > > > >> An exploit needs only one connection to the port, so port-limiting is not a
> | > | > | > > > >> fix.
> | > | > | > > > >> Greetz
> | > | > | > > > >> ----- Original Message -----
> | > | > | > > > >> From: "Erik van den Berg" <[EMAIL PROTECTED]>
> | > | > | > > > >> To: <[EMAIL PROTECTED]>
> | > | > | > > > >> Sent: Wednesday, July 30, 2003 11:55 AM
> | > | > | > > > >> Subject: Re: [hlds_linux] HLDS Expolits.
> | > | > | > > > >>
> | > | > | > > > >>
> | > | > | > > > >> > Heh, the main thing that makes me mad is that Valve has not even patched
> | > | > | > > > >> > this since April 14th.
> | > | > | > > > >> >
> | > | > | > > > >> > --
> | > | > | > > > >> > -
> | > | > | > > > >> >
> | > | > | > > > >> > Kind regards,
> | > | > | > > > >> > Erik van den Berg
> | > | > | > > > >> >
> | > | > | > > > >> > Server Administrator/Unix Security Consultant
> | > | > | > > > >> > Technical Services, XL-Hosting
> | > | > | > > > >> >
> | > | > | > > > >> > http://www.xl-hosting.com
> | > | > | > > > >> > [EMAIL PROTECTED]
> | > | > | > > > >> > ----- Original Message -----
> | > | > | > > > >> > From: <[EMAIL PROTECTED]>
> | > | > | > > > >> > To: <[EMAIL PROTECTED]>
> | > | > | > > > >> > Sent: Wednesday, July 30, 2003 2:29 AM
> | > | > | > > > >> > Subject: RE: [hlds_linux] HLDS Expolits.
> | > | > | > > > >> >
> | > | > | > > > >> >
> | > | > | > > > >> > > The main thing that makes me mad is not that I have to upgrade to get the
> | > | > | > > > >> > > fix, but I have to upgrade to the next 4.1.1.0x version which will kill my
> | > | > | > > > >> > > servers since the CPU usage blows.
> | > | > | > > > >> >
> | > | > | > > > >> >
> | > | > | > > > >> > _______________________________________________
> | > | > | > > > >> > To unsubscribe, edit your list preferences, or view the list archives, please visit:
> | > | > | > > > >> > http://list.valvesoftware.com/mailman/listinfo/hlds_linux
> | > | > | > > > >> >
> | > | > | > > > >>
> | > | > | > > > >
> | > | > | > > >
> | > | > | > >
> | > | > | >
> | > | > |
> | > | >
> | > | > --
> | > | > Børge Amundsen
> | > | > http://lv8pv.com
> | > | >
> | > |
> | >
> | > --
> | > Børge Amundsen
> | > http://lv8pv.com
> | >
> |
>
> --
> Børge Amundsen
> http://lv8pv.com
>
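Børge asks above how an admin could spot a successful exploit before the rootkits go on, and Erik's description gives the tell-tale signs: a portbinding shellcode leaves the game-server process holding a TCP listener it never had, and a connect-back shellcode leaves it holding an outbound TCP connection, while a clean hlds only owns UDP on its game port. The audit below is an added example of mine, not code from the list or from Valve; it parses `netstat -tunap` style output and flags both cases. The sample output, the process name `hlds_i686`, the PIDs and the ports are constructed.

```python
import re
from typing import Dict, List, Set

# Constructed sample in `netstat -tunap` layout (not captured from any real host).
# The game server is expected to own only UDP 27015; anything else it owns is a finding.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:27015           0.0.0.0:*                           1234/hlds_i686
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      611/sshd
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      1234/hlds_i686
tcp        0      0 10.0.0.5:45678          203.0.113.9:4444        ESTABLISHED 1234/hlds_i686
udp        0      0 0.0.0.0:27020           0.0.0.0:*                           1234/hlds_i686
"""

# One netstat row: proto, queues, local, remote, optional state (absent for UDP), pid/program.
LINE_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)/(?P<prog>\S+)\s*$"
)


def port_of(addr: str) -> int:
    """Return the port of an 'ip:port' string; the wildcard '*' becomes 0."""
    port = addr.rsplit(":", 1)[1]
    return 0 if port == "*" else int(port)


def audit_game_server_sockets(netstat_text: str, program: str = "hlds",
                              allowed_udp: Set[int] = frozenset({27015})) -> List[Dict[str, str]]:
    """Report every socket owned by the game server that a clean install would not have."""
    findings = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m or program not in m.group("prog"):
            continue  # header line, or a socket owned by some other program
        proto, state = m.group("proto"), (m.group("state") or "").lower()
        lport = port_of(m.group("local"))
        if proto.startswith("tcp"):
            if state == "listen":  # hlds never listens on TCP: looks like bind shellcode
                reason = f"tcp listener on port {lport} (possible bind shell)"
            else:  # an outbound TCP session from the server process: looks like connect-back
                reason = f"tcp {state} to {m.group('remote')} (possible connect-back shell)"
        elif lport in allowed_udp:
            continue  # the game port itself is expected
        else:
            reason = f"unexpected udp port {lport}"
        findings.append({"pid": m.group("pid"), "program": m.group("prog"), "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_game_server_sockets(SAMPLE_NETSTAT):
        print(f"{f['program']} (pid {f['pid']}): {f['reason']}")
```

Run it against live `netstat -tunap` (or `ss -tunap`) output as root from cron and alert on any non-empty result; the two TCP findings are the shellcode cases Erik describes, the extra UDP port is reported so a UDP shellcode does not slip through on protocol alone.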

