On Thu, Jul 31, 2003 at 12:48:05AM +0200, Erik van den Berg wrote:
| basically what an exploit does is altering the way of execution of a program so
| that it won't do the things it was designed to do.
| Now, you have different kinds of so-called shellcodes, in my example I had a
| portbinding shellcode. It will listen on a port (defined in the exploit so
| you can't tell in advance what kind of port), and if someone telnets or uses
| netcat to connect to that port it will give you a shell. This is also
| usually a tcp type of connection. Firewalling everything but udp on port
| 27015 might help you, but it is fairly easy to bypass that to create connect
| back shellcode (it connects back to the person that ran the exploit), and
| udp instead of tcp shellcodes exist too. For more info on exploits, examples
| of shellcodes, see http://www.packetstormsecurity.nl

Thank you for this, I'm glad my fw also blocks outgoing traffic. Pretty strict rules.
http://www.packetstormsecurity.nl is one of my favorites =).

|
| But to summarize it, you are basically fucked until valve releases a patch
| (you can try some non official valve patches though).

Yes I did shut down all 4 machines running CS early this day.

|
| Another thing that will greatly improve the security of your machine is
| recompiling your kernel with the grsecurity patch, it can be found at
| www.grsecurity.net
| Be careful though if you host Quake based games because this might cause
| problems. (enable non executable stack, randomized mmap, etcetera, but don't
| overdo it because some of your programs might not work anymore then).

Yes I've tried this, but had some problems, I'll look into this again.

|
| Also, make sure you never run half life as root, but as a normal user. What
| also helps a lot, make sure you have your local security up to date, if they
| do gain access, but as normal user, it might be a little bit harder for them
| to actually obtain root.

hehe yes, that would be lame. su -c "cmd" is my friend =)

Thank you for this, it was very enlightening. I work as a sysadm in an ISP where
we have quite many game servers, I would really like to test this shellcode
exploit on my cs servers, but I know asking for such a code would be too much
to ask for. Thanks for your help.

|
| ----- Original Message -----
| From: "Børge Amundsen" <[EMAIL PROTECTED]>
| To: <[EMAIL PROTECTED]>
| Sent: Thursday, July 31, 2003 12:22 AM
| Subject: Re: [hlds_linux] HLDS Expolits.
|
| > On Thu, Jul 31, 2003 at 12:10:25AM +0200, Erik van den Berg wrote:
| > | one that gains a shell
| >
| > *shivers*, then I must ask. How would such a thing work. I mean from a
| > sysadmin perspective. The exploit makes a shell code that executes and
| > opens a telnet ? Is the exploiter telling what port this is done on ? would it
| > have to be done on the cs servers port. If I have a firewall blocking
| > everything but UDP 27015. Would the attacker still be able to telnet in
| > ?
| >
| > I'll be happy if you explain a bit, from an admin's perspective so that
| > perhaps I could be able to spot this before all the rootkits are installed.
| >
| > You might do it to my mail address if you don't want to explain for
| > the list. :)
| >
| > |
| > | ----- Original Message -----
| > | From: "Børge Amundsen" <[EMAIL PROTECTED]>
| > | To: <[EMAIL PROTECTED]>
| > | Sent: Thursday, July 31, 2003 12:10 AM
| > | Subject: Re: [hlds_linux] HLDS Expolits.
| > |
| > | > On Thu, Jul 31, 2003 at 12:03:48AM +0200, Erik van den Berg wrote:
| > | > | no I already have seen a working exploit,
| > | >
| > | > You have seen a working exploit that gains a shell ? or just the exploit
| > | > for freezing, crashing ?
| > | >
| > | > | and I can write one too, and if I
| > | > | can do it a lot of others can do too :)
| > | > | it's just a matter of time when they get public
| > | > |
| > | > | ----- Original Message -----
| > | > | From: "Børge Amundsen" <[EMAIL PROTECTED]>
| > | > | To: <[EMAIL PROTECTED]>
| > | > | Sent: Wednesday, July 30, 2003 11:55 PM
| > | > | Subject: Re: [hlds_linux] HLDS Expolits.
| > | > |
| > | > | > On Wed, Jul 30, 2003 at 09:07:34PM +0200, Erik van den Berg wrote:
| > | > | > | yes it can, when the exploit succeeds (not a crash what we have seen so
| > | > | > | far), the code that is in the exploit is executed, and if that code is
| > | > | > | portbinding shellcode (it opens another port, and if you telnet to that port
| > | > | > | /bin/sh will be executed and you will have shell access).
| > | > | >
| > | > | > Is this trivial to do ? should I expect my box to be rooted as of yet ?
| > | > | > Have there been released scripts to gain shell with this exploit ? or is
| > | > | > this more like "it could be possible" ?
| > | > | >
| > | > | > |
| > | > | > | ----- Original Message -----
| > | > | > | From: <[EMAIL PROTECTED]>
| > | > | > | To: <[EMAIL PROTECTED]>
| > | > | > | Sent: Wednesday, July 30, 2003 9:00 PM
| > | > | > | Subject: Re: [hlds_linux] HLDS Expolits.
| > | > | > |
| > | > | > | > Would it be possible for them to get shell access to the users account if
| > | > | > | > shell is disabled for the users? ALL users running hlds on my servers have
| > | > | > | > zero shell access since no one needs shell access but me. So is it even
| > | > | > | > possible for them to use this to gain shell access with a username with no
| > | > | > | > shell access?
| > | > | > | >
| > | > | > | > Thanks
| > | > | > | > Jeremy
| > | > | > | >
| > | > | > | > Quoting Erik van den Berg <[EMAIL PROTECTED]>:
| > | > | > | >
| > | > | > | > > heh, crashing is not the bad thing, I was talking about getting shell access
| > | > | > | > > as the user running the hlds
| > | > | > | > >
| > | > | > | > > ----- Original Message -----
| > | > | > | > > From: <[EMAIL PROTECTED]>
| > | > | > | > > To: <[EMAIL PROTECTED]>
| > | > | > | > > Sent: Wednesday, July 30, 2003 1:40 PM
| > | > | > | > > Subject: Re: [hlds_linux] HLDS Expolits.
| > | > | > | > >
| > | > | > | > > > Yes, and it works quite well.
| > | > | > | > > > Somebody has already started to crash our servers.
| > | > | > | > > > *sigh*
| > | > | > | > > >
| > | > | > | > > > -jmoen-
| > | > | > | > > >
| > | > | > | > > > > oh and I have seen a linux version for the exploit so prepare yourselves
| > | > | > | > > > >
| > | > | > | > > > > ----- Original Message -----
| > | > | > | > > > > From: "Hlds Linux" <[EMAIL PROTECTED]>
| > | > | > | > > > > To: <[EMAIL PROTECTED]>
| > | > | > | > > > > Sent: Wednesday, July 30, 2003 1:18 PM
| > | > | > | > > > > Subject: Re: [hlds_linux] HLDS Expolits.
| > | > | > | > > > >
| > | > | > | > > > >> The posted "iptables" script is not enough.
| > | > | > | > > > >> An exploit needs only one connection to the port, so port-limiting is not a
| > | > | > | > > > >> fix.
| > | > | > | > > > >> Greetz
| > | > | > | > > > >> ----- Original Message -----
| > | > | > | > > > >> From: "Erik van den Berg" <[EMAIL PROTECTED]>
| > | > | > | > > > >> To: <[EMAIL PROTECTED]>
| > | > | > | > > > >> Sent: Wednesday, July 30, 2003 11:55 AM
| > | > | > | > > > >> Subject: Re: [hlds_linux] HLDS Expolits.
| > | > | > | > > > >>
| > | > | > | > > > >> > Heh, the main thing that makes me mad is that valve has not even patched
| > | > | > | > > > >> > this since april 14th.
| > | > | > | > > > >> >
| > | > | > | > > > >> > --
| > | > | > | > > > >> > -
| > | > | > | > > > >> >
| > | > | > | > > > >> > Kind regards,
| > | > | > | > > > >> > Erik van den Berg
| > | > | > | > > > >> >
| > | > | > | > > > >> > Server Administrator/Unix Security Consultant
| > | > | > | > > > >> > Technische Dienst XL-Hosting
| > | > | > | > > > >> >
| > | > | > | > > > >> > http://www.xl-hosting.com
| > | > | > | > > > >> > [EMAIL PROTECTED]
| > | > | > | > > > >> > ----- Original Message -----
| > | > | > | > > > >> > From: <[EMAIL PROTECTED]>
| > | > | > | > > > >> > To: <[EMAIL PROTECTED]>
| > | > | > | > > > >> > Sent: Wednesday, July 30, 2003 2:29 AM
| > | > | > | > > > >> > Subject: RE: [hlds_linux] HLDS Expolits.
| > | > | > | > > > >> >
| > | > | > | > > > >> > > The main thing that makes me mad is not that I have to upgrade to get the
| > | > | > | > > > >> > > fix, but I have to upgrade to the next 4.1.1.0x version which will kill my
| > | > | > | > > > >> > > servers since the CPU usage blows.
| > | > | > | > > > >> >
| > | > | > | > > > >> > _______________________________________________
| > | > | > | > > > >> > To unsubscribe, edit your list preferences, or view the list archives, please visit:
| > | > | > | > > > >> > http://list.valvesoftware.com/mailman/listinfo/hlds_linux

--
Børge Amundsen
http://lv8pv.com
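
The thread asks how an admin could spot a port-binding or connect-back payload running as the game-server user. The following is an added example, not code from any poster or from Valve: it audits socket tables in the Linux /proc/net/tcp and /proc/net/udp layout for sockets owned by the server account other than the UDP 27015 port mentioned above. The uid 1001, the sample tables, and the function names are constructed assumptions.

```python
import socket
import struct

LISTEN, ESTABLISHED = "0A", "01"   # socket state codes used in /proc/net/tcp

# Constructed sample tables in /proc/net/{tcp,udp} layout; uid 1001 is the
# assumed unprivileged game-server account.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 00000000:1388 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 2002
   2: 0A00000A:C350 057100CB:1F90 01 00000000:00000000 00:00000000 00000000  1001        0 2003
"""
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:6987 00000000:0000 07 00000000:00000000 00:00000000 00000000  1001        0 2001
   1: 00000000:D431 00000000:0000 07 00000000:00000000 00:00000000 00000000  1001        0 2004
"""

def decode(hexpair):
    """'0A00000A:C350' -> ('10.0.0.10', 50000); IPv4 is little-endian on x86."""
    ip_hex, port_hex = hexpair.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def rows(text):
    """Yield (local, remote, state, uid) for each socket row, skipping the header."""
    for fields in (line.split() for line in text.splitlines()):
        if len(fields) >= 8 and fields[0].endswith(":"):
            yield decode(fields[1]), decode(fields[2]), fields[3], int(fields[7])

def audit(tcp_text, udp_text, uid, allowed_tcp=frozenset(), allowed_udp=frozenset({27015})):
    """Report sockets owned by uid that the game server has no reason to hold."""
    findings = []
    for local, remote, state, owner in rows(tcp_text):
        if owner != uid or local[1] in allowed_tcp:
            continue
        if state == LISTEN:                      # port-binding payload
            findings.append(("tcp-listen", local[1], None))
        elif state == ESTABLISHED:               # connect-back payload
            findings.append(("tcp-established", local[1], "%s:%d" % remote))
    for local, _remote, _state, owner in rows(udp_text):
        if owner == uid and local[1] not in allowed_udp:
            findings.append(("udp-bound", local[1], None))
    return findings

if __name__ == "__main__":
    # On a live host, read /proc/net/tcp and /proc/net/udp instead of the samples.
    for finding in audit(SAMPLE_TCP, SAMPLE_UDP, uid=1001):
        print(finding)
```

A check like this only sees sockets that exist at the moment it runs, so it belongs in a frequent cron job or monitoring agent alongside the egress firewall rules discussed in the thread.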

