Yay, so where no servers were being attacked with this before, everyone will do it now.
----- Original Message -----
From: "Cruise" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 21, 2002 10:09 AM
Subject: [hlcoders] Fwd: Half-life fake players bug

> This went out on BugTraq earlier... figured people here might be
> interested...
>
> I have the attachment he mentions in the mail (won't be allowed on
> this list), so if anyone wants it, let me know.
>
> [ cruise / www.casual-tempest.net / www.transference.org ]
>
> ----
> ######################################################################
>
> Application: Half-life (and all the mods that run on it)
> Version: All the versions (1.1.0.9 vulnerable too)
> Bug: Wrong management of the players in multiplayer game
> Risk: The multiplayer server can be filled with fake players,
> so nobody can play in that server.
> Author: Auriemma Luigi (e-mail: bugtest at sitoverde.com)
>
> ######################################################################
>
>
> 1) Introduction
> 2) Bug
> 3) The Code
> 4) Fix
> 5) Philosophy
>
> ---
>
> 1) Introduction
>
> This bug has been shown to Valve and the support of Sierra at the
> following mail addresses over 1 month ago: [EMAIL PROTECTED]
> and [EMAIL PROTECTED]
> Unfortunately nobody has answered my mails (2 mails to Valve), but
> I have decided to publish this all the same, so if Valve doesn't release
> a patch somebody else can try to solve the problem...
>
> ---
>
> 2) Bug
>
> The protocol of the Half-life multiplayer server is simple, and I have
> seen that it is really similar to the Quake3 protocol, but this last
> is compressed or ciphered.
> However the handshake between the client and the server (default port
> 27015) is the following:
>
> - the client sends a UDP datagram to the server with a challenge
> request.
> The request is: "\xff\xff\xff\xffgetchallenge\n"
>
> - the server sends the key of the current challenge to the client.
> This key changes when Half-Life starts.
> (a little strange thing is that the key sent by the server is an
> unsigned int but the client reads it as an int (???))
>
> - the client now has the key, so to complete the handshake it sends
> the connection request:
> "connect %protocol %challenge_key %cd_key %player_info"
>
> %protocol can be got by querying the server with an info request
> but it is not useful, the %challenge_key was got, the %cd_key is
> a key generated from the cd key inserted during the installation.
> With the same %cd_key, a maximum of 4 players can play in the same server, so
> we use a key filled with random chars and we can insert infinite
> players from the same IP.
> EACH PLAYER MUST HAVE A DIFFERENT UDP SOURCE PORT!!!
> %player_info is a set of not important options to send to the
> server to give info about the new player.
>
> - now the handshake is finished and for the server a new player has
> entered, but it is WRONG!!!
> Now the server answers with an acknowledgement, where we can see
> our IP and our port.
> If the server has reached the maximum number of players, it will
> answer with "Server Full", and if the challenge_key that we have
> sent to it is wrong, it will answer with "Bad Challenge".
>
> Naturally a timeout exists for the players connected to the server
> and it is 60 seconds (default).
> So every 60 secs (or less) the attacker can "create" new players so
> the server will be filled forever and the real players that want to
> play in it will receive a "Server full" message.
> The server admin can only see that the maximum number of players is
> reached, but when he watches the names of the players in his server, he
> finds nobody!
>
> ---
>
> 3) The Code
>
> I have attached a proof-of-concept of the attack that runs on Linux
> and Win.
> Other detailed info about the attack can be found in the code.
> The UDP packets are not spoofed but we can control the real
> situation on the server, because it sends us messages such as "Server
> full" and "Bad challenge" if the key has changed (this key changes every
> time that Half-Life is started).
> A spoofed version of the code is possible but, as I have explained
> before, we cannot control if the server is up, if the maximum number of
> players has been reached, if the key has changed, and others.
> I have also attached a utility to see info about the Half-life
> servers, only for fun.
>
> ---
>
> 4) Fix
>
> No official fix available.
>
> A possible fix is to set a password, so only someone who knows it can
> attack the server, because if the attacker doesn't know the password,
> the server will answer with "BADPASSWORD".
>
> ---
>
> 5) Philosophy
>
> It's not right to post an advisory if there are no patches or
> tricks to fix the bug, but I think that this is a good method to show
> the problem to the community.
> Then the Valve team hasn't answered me and I hope that this
> advisory can get their attention.
> I'm really hopeful about full disclosure, because with that
> "everyone" can know the real effects of an attack, the real danger of
> a bug, someone can learn a bit of programming (I have learnt a bit of
> C from the source code of some exploits) and it's useful for all the
> people that are hopeful in this type of disclosure.
> No secrets!
>
> ---
>
> Any type of feedback is really welcome!
>
> Byez
>
> ---
> Create, expand and manage your mail from a toll-free number, with no per-call charges!
> This and other toll-free services only at http://www.sitoverde.com
> Info on web promotions for businesses: 011 274 10 92 [EMAIL PROTECTED]
>
> _______________________________________________
> To unsubscribe, edit your list preferences, or view the list archives, please visit:
> http://list.valvesoftware.com/mailman/listinfo/hlcoders
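The pattern the forwarded advisory describes (one source IP opening many player slots, each from a new UDP source port with a different cd_key, inside the 60-second player timeout) is something a server-side monitor can flag. The following is an added example, not code from the advisory or its attachment: it parses the two connectionless packets quoted above and raises an alert when a single IP holds more than a small number of slots; the per-IP limit of 4, the protocol number, the keys and the addresses are constructed assumptions.

```python
import re
from collections import defaultdict

HEADER = b"\xff\xff\xff\xff"  # connectionless packet prefix quoted in the advisory
PLAYER_TIMEOUT = 60.0         # default player timeout the advisory cites, in seconds
CONNECT_RE = re.compile(r"^connect (\S+) (\S+) (\S+)(?: (.*))?$")

def parse_packet(payload: bytes):
    """Parse one client-to-server packet into (command, fields); None if unrecognised."""
    if not payload.startswith(HEADER):
        return None
    body = payload[len(HEADER):].rstrip(b"\n").decode("latin-1")
    if body == "getchallenge":
        return ("getchallenge", {})
    m = CONNECT_RE.match(body)
    if not m:
        return None
    protocol, challenge, cd_key, info = m.groups()
    return ("connect", {"protocol": protocol, "challenge": challenge,
                        "cd_key": cd_key, "player_info": info or ""})

class ConnectFloodMonitor:
    """Flag a source IP holding more slots than max_slots_per_ip inside the timeout
    window: real clients reuse one port and one cd_key, fake players need new ones."""
    def __init__(self, max_slots_per_ip=4, window=PLAYER_TIMEOUT):  # 4 is an assumed limit
        self.max_slots, self.window = max_slots_per_ip, window
        self.pending = defaultdict(list)  # ip -> [(timestamp, src_port, cd_key)]

    def observe(self, ts, src_ip, src_port, payload):
        parsed = parse_packet(payload)
        if parsed is None or parsed[0] != "connect":
            return None
        slots = self.pending[src_ip]
        slots[:] = [s for s in slots if ts - s[0] <= self.window]  # drop timed-out players
        slots.append((ts, src_port, parsed[1]["cd_key"]))
        ports, keys = {s[1] for s in slots}, {s[2] for s in slots}
        if len(ports) > self.max_slots:
            return {"ip": src_ip, "ports": len(ports), "cd_keys": len(keys)}
        return None

def run_sample():  # constructed traffic: one normal client, then one address opening ten slots
    mon = ConnectFloodMonitor()
    traffic = [(0.0, "10.0.0.5", 27005, HEADER + b"getchallenge\n"),
               (0.2, "10.0.0.5", 27005, HEADER + b"connect 46 123456 samplekey01 \\name\\alice\n")]
    traffic += [(1.0 + i, "198.51.100.7", 40000 + i,
                 HEADER + b"connect 46 123456 key%08d \\name\\x\n" % i)
                for i in range(10)]  # each fake player: new source port, new cd_key
    alerts = [mon.observe(*pkt) for pkt in traffic]
    return [a for a in alerts if a]
```

The first alert fires on the fifth distinct port from 198.51.100.7; the count of distinct cd_keys in the alert is what separates this pattern from several real players behind one NAT.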

