Date Published: 16th October 2000
Advisory ID: N/A
Bugtraq ID: 1799
http://www.securityfocus.com/bid/1799
CVE CAN: N/A
Title: Half-Life Dedicated Server Vulnerability
Class: Buffer Overflow
Remotely Exploitable: Yes
Locally Exploitable: Yes
Release Mode: FORCED RELEASE
This vulnerability is actively being exploited in the wild.
Vulnerable Packages/Systems:
Half-Life Dedicated Server for Linux 3.1.0.3 & Previous
Vulnerability Description:
A buffer overflow vulnerability was discovered in a Half-Life dedicated server during a routine security audit. A user shell was found running on the ingreslock port of the server, which led to an investigation into how this had been achieved. From the logs left on the server, it was ascertained that a predefined exploit script was used and that the perpetrator failed to further compromise the server because the Half-Life software was running as a non-privileged user.
The vulnerability appears to exist in the changelevel rcon command and does not require a valid rcon password. The overflow appears to exist after the logging function as the following was found in the last entries of the daemon's logs:-
# tail server.log.crash | strings
L 08/23/2000 - 23:28:59: "[CiC]Foxdie<266>" say "how so?"
Bad Rcon from x.x.x.x:4818:
rcon werd changelevel
bin@
sh!@
Privet ADMcrew\
rcon werd changelevel
The actual raw exploit code is logged, along with what appears to be the script authors, ADM ( http://adm.freelsd.net/ADM/ ). If they could shed some light on this?
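The log pattern described above can be checked for automatically. The following is an added example, not part of the original advisory or of any Valve tooling: it scans a raw server log for rejected rcon changelevel commands whose argument is oversized or contains non-printable bytes. The log layout, the 64-byte limit and the sample data are assumptions made for illustration.

```python
import re

# Assumed log layout, inferred from the excerpt above: a "Bad Rcon from
# <ip>:<port>:" line followed by the raw rcon command the server received.
BAD_RCON = re.compile(rb"Bad Rcon from (\S+?):(\d+):[ \t]*\r?\n")
ENTRY_START = re.compile(rb"^(?:L \d{2}/\d{2}/\d{4} - |Bad Rcon from )", re.M)
MAX_ARG_LEN = 64  # assumed ceiling for a legitimate map name


def find_suspicious_rcon(data, max_arg_len=MAX_ARG_LEN):
    """Flag rejected 'rcon <pw> changelevel <arg>' entries whose argument is
    oversized or contains non-printable bytes."""
    findings = []
    for m in BAD_RCON.finditer(data):
        # The logged command may contain newlines, so read up to the next
        # recognisable log entry instead of the next line break.
        nxt = ENTRY_START.search(data, m.end())
        body = data[m.end():nxt.start() if nxt else len(data)]
        tokens = body.split(None, 3)
        if len(tokens) < 3 or tokens[0] != b"rcon" or tokens[2] != b"changelevel":
            continue
        arg = tokens[3].rstrip(b"\r\n") if len(tokens) > 3 else b""
        nonprintable = sum(1 for b in arg if b < 0x20 or b > 0x7E)
        if len(arg) > max_arg_len or nonprintable:
            findings.append({
                "source": m.group(1).decode("ascii", "replace"),
                "port": int(m.group(2)),
                "arg_len": len(arg),
                "nonprintable": nonprintable,
            })
    return findings


# Constructed sample: addresses, names and the 0xAA filler are made up.
SAMPLE = (
    b'L 08/23/2000 - 23:28:59: "player<1>" say "hello"\n'
    b"Bad Rcon from 192.0.2.10:4818:\n"
    b"rcon guess changelevel crossfire\n"
    b"Bad Rcon from 192.0.2.77:4818:\n"
    b"rcon werd changelevel " + b"\xaa" * 300 + b"\n"
)

if __name__ == "__main__":
    for hit in find_suspicious_rcon(SAMPLE):
        print(hit)
```

A plain wrong-password attempt with a normal map name is not flagged; only the entry with the oversized binary argument is reported. Read the log in binary mode (`open(path, "rb")`) so the payload bytes are preserved.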
Solution/Vendor Information/Workaround:
Valve Software promised a patch which has yet to appear. Interim measures would include:-
A) Consider not running the HalfLife software at all!
B) Remove the world execute bit from inetd to 'break' the exploit code - this would only stop the script kiddies
C) Ensure sane ipfwadm/ipchains filters are in place
Vendor notified on: 14th September 2000
Credits:
Credit for the vulnerability discovery presumably lies with ADM. :) The forensic work which discovered this problem was performed by Mark Cooper.
This advisory was drafted with the help of the SecurityFocus.com Vulnerability Help Team. For more information or assistance drafting advisories please mail vulnhelp@securityfocus.com.
Exploit/Concept Code:
Try http://adm.freelsd.net/ADM/ ?
Reference: http://www.valvesoftware.com
DISCLAIMER:
No responsibility whatsoever is taken for any correct/incorrect use of this information. This is for informational purposes only.