There is also a remote exploit out there which doesn't even involve
connecting to the server (under Linux only). I was involved in some
tests yesterday :-). The people who have actually found the problem and
have the suspect packet(s) are mailing Valve soon I think. The symptoms
were that the server stopped responding on the console and to
connections and it proceeded to max out the CPU.

---------------------------------------
Chris Adams
Fragzzhost

T (07005) 964 855
F (07005) 964 857
www.fragzzhost.com


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alfred Reynolds
Sent: 08 February 2005 21:35
To: hlds_linux@list.valvesoftware.com
Subject: RE: [hlds_linux] Remote exploit causes Linux server to crash! Valve, please read

Aha, a way to reproduce the problem! Just what we needed, I will pass
this on to the team :)

- Alfred

----Original Message----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of The Fool
Sent: Tuesday, February 08, 2005 7:49 AM
To: hlds_linux@list.valvesoftware.com
Subject: Re: [hlds_linux] Remote exploit causes Linux server to crash! Valve, please read

> Funny. Am I right if I say that the server tries to disconnect a
> non-existing user?
> I mean he connects, disconnects fast, server catches he's banned,
> server tries to disconnect, but, the user is already disconnected ==
> application error?
>
> Or... it's just not so easy? :)
>
>
> > Starting a new thread, this really needs to be addressed by Valve.
> >
> > > It's a known bug amongst us who run the servers, but Alfred won't
> > > fix it until someone can duplicate it.  If a person is banned,
> > > the server can be crashed at will by these kids by repeated
> > > rejoin attempts.
> >
> > You were absolutely right.  I discovered from log parsing that the
> > same person from IP 63.197.68.40 (STEAM_0:0:6023457) has been
> > crashing my server every day for a month since he was banned.
> > However, I think the problem is worse than a DoS -- he is able to
> > do it in one fast connect/disconnect attempt from the look of my
> > logs.  It's definitely him though, because every time the server
> > gets a segmentation fault, it is him who join/parted immediately
> > before.
> >
> > My guess is that the join flooding is a red herring -- the script
> > does that until the exploit works, but isn't the cause of the crash
> > itself.
> >
> > This needs to be addressed ASAP by Valve.  I am very concerned that
> > this may have the possibility to be exploited as remote code
> > execution if it is a buffer overflow from malformed packets.  What
> > do I need to do to prove this is a critical exploit in server code
> > to Valve?  Would packet captures from his IP help?  This loser has
> > been doing this *every* day for a month!  He is now blocked from
> > the firewall, but this is a reactionary defense.  This bug NEEDS to
> > be fixed.
> >
> >
> >
> > L 02/06/2005 - 00:28:23: "{ D-MOB } kiLLAZ<355><STEAM_ID_PENDING><>"
> > connected, address "63.197.68.40:27005"
> > LLAZ] [STEAM_ID_PENDING]
> > L 02/06/2005 - 00:28:24: "{ D-MOB } kiLLAZ<355><STEAM_ID_PENDING><>"
> > disconnected (reason "Disconnect by user.") Dropped { D-MOB }
> > kiLLAZ from server Reason:  Disconnect by user.
> > /home/cjones/local/steam/srcds_run: line 423: 16168 Segmentation
> > fault $HL_CMD
> >
> >
> >
> > --
> > Chris
> >
> > _______________________________________________
> > To unsubscribe, edit your list preferences, or view the list
> > archives, please visit:
> > http://list.valvesoftware.com/mailman/listinfo/hlds_linux
> >
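The log correlation described in the quoted report above (a connect and disconnect about a second apart, followed immediately by a segmentation fault), as an added example that is not part of the original thread. It assumes console output and the server log are captured in one stream, as in the quoted excerpt; `crash_suspects`, `crashes_per_ip` and the sample lines are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample (made-up names, IDs, RFC 5737 addresses) in the thread's log format.
SAMPLE_LOG = '''\
L 02/06/2005 - 00:10:02: "regular<350><STEAM_0:1:1111><>" connected, address "198.51.100.7:27005"
L 02/06/2005 - 00:28:23: "banned one<355><STEAM_ID_PENDING><>" connected, address "192.0.2.10:27005"
L 02/06/2005 - 00:28:24: "banned one<355><STEAM_ID_PENDING><>" disconnected (reason "Disconnect by user.")
./srcds_run: line 423: 16168 Segmentation fault $HL_CMD
L 02/07/2005 - 19:02:40: "other<12><STEAM_0:0:2222><>" connected, address "198.51.100.9:27005"
L 02/07/2005 - 19:40:11: "other<12><STEAM_0:0:2222><>" disconnected (reason "Disconnect by user.")
L 02/07/2005 - 21:15:00: "banned one<3><STEAM_ID_PENDING><>" connected, address "192.0.2.10:27005"
L 02/07/2005 - 21:15:00: "banned one<3><STEAM_ID_PENDING><>" disconnected (reason "Disconnect by user.")
./srcds_run: line 423: 17002 Segmentation fault $HL_CMD
'''

EVENT = re.compile(
    r'^L (\d\d/\d\d/\d{4} - \d\d:\d\d:\d\d): "(.*)<(\d+)><[^<>]*><[^<>]*>" '
    r'(connected, address "([^":]+):\d+"|disconnected)')

def crash_suspects(log_text, max_session_secs=2):
    """Return [(ip, name, session_seconds)] for each segfault whose last
    preceding log event was a disconnect ending a very short session."""
    open_sessions = {}   # userid -> (connect_time, ip)
    last_closed = None   # most recent completed session, reset on a new connect
    suspects = []
    for line in log_text.splitlines():
        if "Segmentation fault" in line:
            if last_closed and last_closed[2] <= max_session_secs:
                suspects.append(last_closed)
            open_sessions.clear()   # server restarted, old sessions are gone
            last_closed = None
            continue
        m = EVENT.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%m/%d/%Y - %H:%M:%S")
        name, userid = m.group(2), m.group(3)
        if m.group(5):               # "connected" events carry the address
            open_sessions[userid] = (when, m.group(5))
            last_closed = None
        elif userid in open_sessions:
            start, ip = open_sessions.pop(userid)
            last_closed = (ip, name, (when - start).total_seconds())
    return suspects

def crashes_per_ip(log_text):
    return Counter(ip for ip, _, _ in crash_suspects(log_text))
```

A per-address count from `crashes_per_ip` over a month of logs gives the kind of evidence the report asks about, and shows which crashes line up with packet captures worth sending along.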