I don't want to keep this from you (for everyone who thought MAM outside the gameserver folder etc.): it is, as I had feared, far, far worse, and I'm very surprised that this isn't being exploited. But apparently that's because none of the kids ever think of looking outside the gameserver folder.
Here are two mails:
Hey Aluigi,
First of all I want to thank you for the excellent information you
release regarding your exploits and stuff and even more for the fixes
you make publicly available!

I don't want to steal your precious time, so just a quick question
regarding the q3dirtrav directory traversal exploit:

As there doesn't seem to be any bugfix for the linux server files for
CoD4 servers, I need to know if the directory traversal exploit is
limited to the CoD4 servers' root folder, or if an attacker could also
read files above the gameservers root directory?
In the advisory there is a reference to
"../../../../../../../etc/passwd" which would mean an attacker could
read any file the server-running user has access to. But while
researching on the internet I could not find any information about
CoD4 servers regarding this specific issue, I only read about getting
any files inside the gameservers root directory structure.

Why I am asking this? I am going to have to setup a CoD4 server for
some people on Linux with sv_download enabled, I also will redirect to
a webserver for fast downloads, but as the client can simply deny
www-redirection he can still use the q3dirtrav exploit.
So is the attacker limited to the gameservers root directory
structure? Because that I can handle by changing config files names,
putting passwords only in startup parameters and disable logging on
startup and re-enable it later so the rcon doesn't show up inside
console_mp.log.
But if the attacker can read through the whole filesystem I would need
to find a more secure solution.

Altogether after a bit of research CoD4 servers seem to be a pain in
the ass to secure properly - my list now consists of 4 specific
exploits / things to fix anyways ...
Thanks for your time Aluigi, I hope I made my question clear, I would
be really glad if you would answer
Best regards,
Leonardo
Reply:
> In the advisory there is a reference to
> "../../../../../../../etc/passwd"
being a directory traversal bug you can download any file in the system
that can be accessed by the user running the vulnerable software (cod4
server).

so if that user can read /etc/passwd it can be got remotely too like
explained in bug B here:
http://www.securityfocus.com/archive/1/arch…/100/0/threaded

usually people don't talk about this fact because they are interested
only in the server config file of the game ignoring this worst scenario.

maybe chroot can do what you need, I have never tried it but it looks
like it's just its job.
---
Luigi Auriemma
http://aluigi.org
Makes me sick... so now you actually have to try to run your CoD4 servers in a chroot environment... that is going to bring so unbelievably many problems with it that I already feel like puking squared -.-
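
The point of the reply above, shown as the check a download handler needs before it opens a client-supplied file name. This is an added example, not part of the original post and not the game's own code; the function names, the `.iwd`/`.ff` extension allowlist and the sample directory tree are assumptions made for illustration.

```python
import os
import tempfile

# Assumption: only packaged game content has to be downloadable.
ALLOWED_EXT = {".iwd", ".ff"}


def resolve_download(root, requested):
    """Return the canonical path to serve, or None to refuse the request."""
    root_real = os.path.realpath(root)
    # Canonicalise after joining: collapses "../" and follows symlinks.
    candidate = os.path.realpath(os.path.join(root_real, requested))
    # Containment: the canonical result must still sit under the root.
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    # Inside the root, configs and logs (rcon password) stay private too.
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXT:
        return None
    return candidate if os.path.isfile(candidate) else None


def demo():
    """Evaluate constructed requests against a constructed server tree."""
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "cod4")
        mod = os.path.join(root, "mods", "example")
        os.makedirs(mod)
        outside = os.path.join(base, "outside.iwd")
        for path in (os.path.join(mod, "z_example.iwd"),
                     os.path.join(root, "server.cfg"), outside):
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        # Symlink inside the root that points out of it.
        os.symlink(outside, os.path.join(mod, "link.iwd"))
        requests = [
            "mods/example/z_example.iwd",
            "../../../../../../../etc/passwd",
            "/etc/passwd",
            "server.cfg",
            "mods/example/link.iwd",
        ]
        return {r: resolve_download(root, r) is not None for r in requests}


if __name__ == "__main__":
    for name, served in demo().items():
        print(("SERVE " if served else "REFUSE"), name)
```

A check like this only helps where the serving code can be changed; for a closed server binary, confinement of the process (the chroot suggested in the reply) and a dedicated low-privilege user limit what a traversal can reach.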