lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030918190222.4670.qmail@sf-www3-symnsj.securityfocus.com>
Date: 18 Sep 2003 19:02:22 -0000
From: Alexander Hagenah <bugtraq@...mepage.de>
To: bugtraq@...urityfocus.com
Subject: Rcon Vulnerbility - Plaintext




--/ INTRODUCTION  --


Advisory           : rcon_plaintext
Release Date       : 18.September 2003
Application        : HLSW / rcon-console
Impact             : rcon passwords can be sniffed
Vendor Status      : No reply yet.
Author             : Alexander 'xaitax' Hagenah [ah@...mepage.de]
		     Adrian 'p0beL' Waloschyk [aw@...mepage.de]
                     powered by http://xaitax.de


--/    SUMMARY    --


There are many possibilites to administrate your Half-Life/Counter-
Strike Server.
The common is using 'rcon'. rcon can be controlled either in a 
console or by using a tool called HLSW. To authentificate on the 
server you send your password. The vulnerability is that rcon
isn't crypting the password, when it has been send. So it is sended
in plaintext and the server receives it in plaintext, too.
So there is no problem to sniff the password. A sniffer with some 
simple filter rules can find out rcon passwords fast and easily. 


--/   REPRODUCE   --

Setting up a filter rule with some easy things like
Protocol: UDP
Destination Port: 27015 (for example)
Strings: 'rcon' AND 'echo'

will show you the interesting frame fast and easily.
A successfull sniff will give you an output in the data field like 
this example:

<.>
  ....rcon 2228360  FF FF FF FF 72 63 6F 6E 20 32 32 32 38 33 36 30
  724 "lena" echo   37 32 34 20 22 6C 65 6E 61 22 20 65 63 68 6F 20
  HLSW: Test        48 4C 53 57 3A 20 54 65 73 74
<.>

--     PATCH     /--

There are no possibilities actually as far as we know.


- ( x a i t a x - s e c u r i t y ) -
http://xaitax.de


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ