Old 02-20-2009, 01:42 AM   #8
PY004
Junior Member
 
Join Date: Jul 2008
Posts: 29
You just need to install the beta versions (2.xx) instead of the official 1.5 release. The exploit doesn't seem to be widely known at this point, but I have seen it used against me a couple of times. I am unsure exactly how this exploit is run, but I do know that it's ES1.5 that's vulnerable. Using this vulnerability will allow the exploiter to change the rcon password to whatever they want. If it's necessary to run version 1.5, then you can install an EventScripts plugin that will prevent your rcon password from being changed.
ES Plugin for anti RCON change: http://addons.eventscripts.com/addons/view/rcon_lock
Upon reviewing this thread, I realize it's about a crash exploit and not the server being hacked into to gain rcon. In that case, you have to make the server think the exploited commands are cheat commands and therefore prevent their execution.

EXPLOIT 1

Commands that should be blocked: These commands by themselves usually do not cause a crash, but may cause a lag spike. If these commands are spammed into the client console, it will either cause the server to lag horribly (and everyone will leave) or will crash the server. Note this exploit currently works on CS:S servers and is known to have been patched in the TF2 and DOD:S update of Jan 29, 2009. There are currently many exploits for TF2, but since I do not run TF2 servers, I do not know what they are. In that case, this post will not help you.
  • rr_reloadresponsesystems
  • sv_soundemitter_flush
  • sv_soundemitter_filecheck
  • sv_findsoundname
  • sv_soundscape_printdebuginfo
Block
For TF2 and DOD:S - Steam update your servers.
For CSS: Block commands using ES2.0 and a custom plugin with the following code.
Code:
block load
{
es_flags add cheat rr_reloadresponsesystems
es_flags add cheat sv_soundemitter_flush
es_flags add cheat sv_soundemitter_filecheck
es_flags add cheat sv_findsoundname
es_flags add cheat sv_soundscape_printdebuginfo
}
 
block unload
{
es_flags remove cheat rr_reloadresponsesystems
es_flags remove cheat sv_soundemitter_flush
es_flags remove cheat sv_soundemitter_filecheck
es_flags remove cheat sv_findsoundname
es_flags remove cheat sv_soundscape_printdebuginfo
}
EXPLOIT 2
A variation of this method of crashing the server is spamming "timeleft", "nextmap", etc. in the client console. Although it takes a long time for this to work, it may eventually crash the server. This is called a channel overflow client disconnect exploit and a patch was released by many different people.

Block: Make an ES plugin with the following code. (Must have ES: Make a folder called antispam in your eventscripts folder and make a text file called es_antispam.txt in it. Copy the code below into it and run es_load antispam in RCON or set up your cfg to load it each time the server starts up.)
Code:
block load
{
es_flags add cheat timeleft
es_flags add cheat ma_timeleft
es_flags add cheat nextmap
es_flags add cheat ma_nextmap
es_flags add cheat listmaps
}
 
block unload
{
es_flags remove cheat timeleft
es_flags remove cheat ma_timeleft
es_flags remove cheat nextmap
es_flags remove cheat ma_nextmap
es_flags remove cheat listmaps
}
An alternate method is to use this plugin for ES2.0.
http://forums.mattie.info/cs/forums/...er=asc&start=0
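Added example, not from the post and not an EventScripts tool: a small Python script that generates the load/unload plugin text for the two command lists above and then checks that every "es_flags add cheat <command>" in the load block has a matching "es_flags remove cheat <command>" in the unload block. It assumes the es_flags syntax used in the post, es_flags <add|remove> <flag> <command>, so a remove line that drops the flag name is reported as an error (an easy mistake when typing the unload block by hand).

```python
import re

# Command lists taken from the post (Exploit 1 and Exploit 2).
EXPLOIT1_COMMANDS = ["rr_reloadresponsesystems", "sv_soundemitter_flush",
                     "sv_soundemitter_filecheck", "sv_findsoundname",
                     "sv_soundscape_printdebuginfo"]
EXPLOIT2_COMMANDS = ["timeleft", "ma_timeleft", "nextmap", "ma_nextmap", "listmaps"]


def build_plugin(commands, flag="cheat"):
    """Emit EventScripts plugin text whose unload block exactly undoes its load block."""
    load = "\n".join(f"es_flags add {flag} {c}" for c in commands)
    unload = "\n".join(f"es_flags remove {flag} {c}" for c in commands)
    return f"block load\n{{\n{load}\n}}\n\nblock unload\n{{\n{unload}\n}}\n"


# Assumed grammar: "block load { ... }" / "block unload { ... }" and
# "es_flags <add|remove> <flag> <command>" (the form used in the post).
_BLOCK_RE = re.compile(r"block\s+(load|unload)\s*\{(.*?)\}", re.S)
_FLAGS_RE = re.compile(r"^\s*es_flags\s+(add|remove)\s+(\S+)(?:\s+(\S+))?\s*$")


def check_plugin(text):
    """Return a list of problems: es_flags lines missing the flag name, and
    (flag, command) pairs added in load but not removed in unload, or vice versa."""
    problems = []
    flagged = {"load": set(), "unload": set()}
    for which, body in _BLOCK_RE.findall(text):
        for line in body.strip().splitlines():
            m = _FLAGS_RE.match(line)
            if not m:
                continue  # blank or non-es_flags line; not checked here
            _op, flag, cmd = m.groups()
            if cmd is None:
                # Only two tokens: "es_flags remove <command>" with no flag name.
                problems.append(f"{which}: '{line.strip()}' is missing the flag name")
                continue
            flagged[which].add((flag, cmd))
    for flag, cmd in sorted(flagged["load"] - flagged["unload"]):
        problems.append(f"unload never removes flag '{flag}' from {cmd}")
    for flag, cmd in sorted(flagged["unload"] - flagged["load"]):
        problems.append(f"unload removes flag '{flag}' from {cmd} that load never added")
    return problems


if __name__ == "__main__":
    print(build_plugin(EXPLOIT1_COMMANDS + EXPLOIT2_COMMANDS))
```

Paste the generated text into es_antispam.txt (or a second plugin file) exactly as the post describes; run check_plugin on any hand-edited version before loading it.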

EXPLOIT 3
A DoS attack that I have seen being used is the one where the client sends about 25 zero-sized packets every 0.1 seconds to the server. The server responds by sending nil-sized packets back to the clients, eventually lagging, making gameplay unplayable, or sometimes crashing the server. I believe the anti-DoS plugin WolfServers deployed is the plugin that patches up this vulnerability. (The one made by Drunken F00l.)

EXPLOIT 4 - No Solution I know of at this point.
There is one more exploit that I know of, but I am unsure of how to block it. Hence I will not release information on this exploit's nature on the forums. If one of the support staff in WolfServers wishes to take a look at the script I obtained from the exploiter, please pm me. If required, I can even get you in touch with the person who told me about this exploit and found me a sample copy to help block this issue.

I know it's not much, and many of you probably already know about this issue, but I hope it helps those who don't know about it yet. I also know some of these fixes are not absolute and can be bypassed. I hope eventually someone with good knowledge on srcds will make a plugin or something that will work definitively.