Re: [hlds_linux] Overflow attack to Source servers

Wed, 13 Jun 2012 05:40:44 -0700 

It worked perfectly! Simple attack, simple solution.
Never thought of this ways, now it seems so obvious XD
I made plugins and searched for the most strange ways of solving it, yet it was "single-line" simple ^^ 


Well, it disables status, but that's a minimal sacrifice (SMAC provides 
a secure alternative also, so there's no problem at all).
I will spread this through the servers I know: each and every one is 
victim of this issue, that makes over a dozen grateful servers & 
communities, many thanks ^^



I've checked this happens without any mods, so some official attention 
on this would be the perfect happy ending, but this workaround solves 
the problem so everything fine!


El 13/06/2012 4:04, 1nsane escribió:

While not a good solution at all. Have you tried aliasing status to nothing?

"alias status"

This will obviously disable the status command entirely. But perhaps it
won't kill the server then?

On Tue, Jun 12, 2012 at 7:49 PM, Alvaro Gutierrez Lorenzo<
[email protected]>  wrote:


Sorry for the "double mail", I just though that if the fix for that
removed the cooldown time for status, there would be no protection over
this command, making possible this attack.
Invalid Protocol mentionned this protection on an earlier mail.

Is it a silly idea? I've never experienced such cooldown protection, that
would explain why.


El 13/06/2012 1:31, Joe Brown escribió:


This was used (and may still be) in hacks as a way to stop admins from
using the status command to see your STEAMID in the client console.
Spamming it like that blocked all clients connected to the server from
being able to use the status command, preventing or extending the time it
takes to ban someone.

Correct me if I'm wrong but I thought the was fixed in an update.

  Date: Wed, 13 Jun 2012 01:23:23 +0200

From: [email protected]
To: [email protected].**com<[email protected]>
Subject: Re: [hlds_linux] Overflow attack to Source servers

That's a critical detail I forgot to mention, so  sorry: RCON is port
closed, so every attempt to access RCON gives a "Time Out".

I'm totally sure it's "status", here I paste an excerpt from the SMAC
log, made just by the same plugin you suggest:

Sat Mar 31 14:56:34 2012: Console<0><Console><Console>   executes: status
Sat Mar 31 14:56:34 2012: Console<0><Console><Console>   executes: status
Sat Mar 31 14:56:34 2012: Console<0><Console><Console>   executes: status
Sat Mar 31 14:56:34 2012: Console<0><Console><Console>   executes: status
Sat Mar 31 14:56:34 2012: Console<0><Console><Console>   executes: status
Sat Mar 31 14:56:34 2012: Console<0><Console><Console>   executes: status
Sat Mar 31 14:56:34 2012: Console<0><Console><Console>   executes: status
Sat Mar 31 14:56:34 2012: Console<0><Console><Console>   executes: status
Sat Mar 31 14:56:34 2012: Console<0><Console><Console>   executes: status
...

(Well an this goes on for thousands and thousands of lines, making
pretty ~1GB files each day XD)

I added status as a SMAC blocked command, still no luck. (used
smac_addcmd as stated in the link you provided, but as you say SMAC wont
block commands coming from the server).

The command can be captured and processed prom a plugin, but in every
teast I made I always got client 0 (console) as the triggerer, (of
course testing from the game, through a clean client account, not from
console). I think the server has never blocked me from executing status,
even reproducing the attack (which is just spamming status from a game's
client console).

The server would block it surely if it was marked as client triggered.
At least where I can personally try (TF2 dedicated, Linux), it's always
executed as from console. Some other server owners are working with me
on this, and this works like this on their's too (CSS and CSGO confirmed
to be vulnerable to this attack too).

Something that comes to my mind is if some "lower" addon like Metamod
is actually always deflecting this command through the console; I need
to try again on a clean install to check it.


______________________________**_________________
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
https://list.valvesoftware.**com/cgi-bin/mailman/listinfo/**hlds_linux<https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux>



______________________________**_________________
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
https://list.valvesoftware.**com/cgi-bin/mailman/listinfo/**hlds_linux<https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux>


_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please 
visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux



_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please 
visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux






















					Reply via email to