Security Warning

CheesyPeteza Join Date: 2002-11-24 Member: 9784 Members, NS1 Playtester, Constellation
edited November 2003 in General Server Discussion
All server admins read please

Someone just posted to the hlds mailing list how to download any file from a server with sv_allowdownload 1 from the mod folder and above, plus valve folder and above.

This means they can download server.cfg, addons/amx/users.ini, your log files, anything they want.

I suggest you set sv_allowdownload to 0 immediately. (Note that the server.cfg included with NS misspells the command as sv_allowdownloads, with a trailing s.) Also change your rcon password just in case someone has already taken it from one of your config/log files.

To do this it only takes a very simple console command on the client that any fool could do. I suggest you take action immediately.
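
As an added illustration of the check this post recommends (example code, not from the thread, NS or Valve), the script below audits a server.cfg for the sv_allowdownload setting and for the misspelled sv_allowdownloads cvar; the sample config is constructed, and it assumes the engine applies the file top to bottom so a later line overrides an earlier one.

```python
"""Audit a Half-Life server config for client-download exposure (added example)."""
import shlex

# Constructed sample server.cfg reproducing the misspelling from the post.
SAMPLE_CFG = """\
// server.cfg (constructed sample)
hostname "NS Server // not a comment"
rcon_password "PLACEHOLDER"
sv_allowdownloads 0   // misspelled: the engine ignores this line
sv_allowdownload 1
"""

def strip_comment(line):
    """Drop a // comment unless the // sits inside double quotes."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote and line.startswith("//", i):
            return line[:i]
    return line

def parse_cvars(cfg_text):
    """Map each cvar to its final value; a later line overrides an earlier
    one because the engine executes the file top to bottom (assumed)."""
    cvars = {}
    for raw in cfg_text.splitlines():
        line = strip_comment(raw).strip()
        if line:
            parts = shlex.split(line)
            if len(parts) >= 2:
                cvars[parts[0].lower()] = parts[1]
    return cvars

def audit_download_setting(cfg_text):
    """Return findings as strings; an empty list means downloads are off."""
    cvars = parse_cvars(cfg_text)
    findings = []
    if "sv_allowdownloads" in cvars:
        findings.append("'sv_allowdownloads' is misspelled and has no effect; "
                        "the real cvar is 'sv_allowdownload'")
    value = cvars.get("sv_allowdownload")
    if value is None:
        findings.append("sv_allowdownload is not set; the engine default applies")
    elif value != "0":
        findings.append(f"sv_allowdownload {value}: clients can download files "
                        "from the mod and valve directories")
    return findings
```

Running `audit_download_setting(SAMPLE_CFG)` on the constructed config returns two findings: the ignored misspelling and the effective sv_allowdownload 1.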

Comments

  • RPMayhem Join Date: 2003-10-28 Member: 22075 Members
    Thanks for the heads up! I'll have to change that ASAP.
  • Night_Shade Join Date: 2003-03-28 Member: 14985 Members, Constellation
    According to the post on full-disclosure, it's also possible to crash the server by downloading a large file, such as valve/pak0.pak.

    All it'd take would be some lamer to keep downloading it and retrying to DoS your server.
  • Pinhedd Join Date: 2003-03-14 Member: 14505 Members
    Hmm, I didn't even know it was possible to have clients request a download. Is it a console command? I am a competent AMX scripter and may be able to write something to reroute the command.
  • CheesyPeteza Join Date: 2002-11-24 Member: 9784 Members, NS1 Playtester, Constellation
    edited November 2003
    You'd have to stop the client from using the command "cmd". You'd have to stop people using the command while they are connecting to your server, before they actually get in game as well.
  • Pinhedd Join Date: 2003-03-14 Member: 14505 Members
    Then I don't think it can be done, seeing as it seems like it's done before AMX client control kicks in. Maybe something server-side?
  • CheesyPeteza Join Date: 2002-11-24 Member: 9784 Members, NS1 Playtester, Constellation
    Certain cheats stop the server from executing commands on the client anyway. For 100% protection just put sv_allowdownload 0. They are releasing a patch for WON hlds which is nice, shame it's for 3111 though.
  • Eviscerator Join Date: 2003-02-24 Member: 13946 Members, Constellation
    If you did the following:

    sv_allowdownload 0
    sv_send_logos 1
    sv_send_resources 1

    Would this allow custom decals to exist, and also allow people to download maps and other goodies when the map changes and they don't currently have them? IE, all of the cases where you want downloads to occur but still disable the download command so as to thwart this exploit?

    Has anyone tried the above config and seen it work okay?
  • devicenull Join Date: 2003-04-30 Member: 15967 Members, NS2 Playtester, Squad Five Blue
    edited November 2003
    Just a question, what's the hlds mailing list, and where can I sign up? I was signed up before, but I can no longer find it.
    NM- I RTFM
  • TheGlenn Join Date: 2003-05-22 Member: 16613 Members
    There is already a fix for Steam Servers available.

    Any news about a "hlds_l_3111e_update.tar.gz"?

    Cheers, Glenn.
  • billcat Join Date: 2002-11-02 Member: 4903 Members, Constellation
    Last I checked, valve made it pretty clear on the HLDS mailing list that they aren't going to be updating 3111 anymore. Several people bitched but their movement/work is all on steam these days.

    Yet another reason to upgrade to steam. Not that I'm saying it's perfect/good.
  • Andyonce Join Date: 2003-08-16 Member: 19799 Members
    edited November 2003
    From the hlds_announce mailing list:

    Quote:
        We have released an updated dedicated server engine binary. This update
        fixes the exploit published by SYZo[SND] (release on Wednesday). The
        update also contains a fix for kick messages not being displayed in the
        UI properly.

        This release is not mandatory so you will need to manually update at
        your convenience.

        A full changelog can be viewed at:
        Windows: http://www.steampowered.com/platform/update_history/Dedicated%20Server.html
        Linux: http://www.steampowered.com/platform/update_history/Linux%20Dedicated%20Server.html

        A fix for 3.1.1.1 (WON) is in progress, for now make sure you set
        "sv_allowdownload 0" on your 3.1.1.1 (WON) servers.

        - Alfred
  • TheGlenn Join Date: 2003-05-22 Member: 16613 Members
    Quote (Andyonce @ Nov 21 2003, 05:22 PM):
        From the hlds_announce mailing list:

        Quote:
            A fix for 3.1.1.1 (WON) is in progress, for now make sure you set
            "sv_allowdownload 0" on your 3.1.1.1 (WON) servers.

            - Alfred

    Any news?

    Cheers, Glenn.
  • CheesyPeteza Join Date: 2002-11-24 Member: 9784 Members, NS1 Playtester, Constellation
    Alfred said it takes a long time and it is not their highest priority a day or two ago.
  • Boneless Join Date: 2002-09-03 Member: 1270 Members
    edited November 2003
    Quote (Eviscerator @ Nov 21 2003, 07:00 PM):
        If you did the following:

        sv_allowdownload 0
        sv_send_logos 1
        sv_send_resources 1

        Would this allow custom decals to exist, and also allow people to download maps and other goodies when the map changes and they don't currently have them? IE, all of the cases where you want downloads to occur but still disable the download command so as to thwart this exploit?

        Has anyone tried the above config and seen it work okay?

    If you set sv_allowdownload 0, this overrides and disables the sv_send_ cvars....

    Better try:

    sv_allowdownload 1
    sv_send_logos 1
    sv_send_resources 0

    But I don't know if this is a valid workaround for the exploit...