Re: [hlds_linux] [Full-Disclosure] Half Life dedicated server information leak and DoS

2003-11-20 Thread Emanuel Harangus
Staying out of cstrike directory renders startup scripts secure so I've
put my users.ini file outside cstrike (users_file "../users.ini") and I've
tried to retrieve it. I've also changed my server.cfg to something like
jfrfhruehfrhfr.cfg
Anyway I have faith that Alfred will fix it asap as I've noticed the new
blood that flows in Valve's veins.

Emanuel 'Rygars' Harangus
Technical Manager,
Professional Gamers League Romania


- Original Message -
From: "Florian Zschocke" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, November 20, 2003 2:13 PM
Subject: Re: [hlds_linux] [Full-Disclosure] Half Life dedicated server
information leak and DoS


> [FAW]Terran wrote:
>
> > I didn't follow the entire thread. But if I can download the adminmod.cfg
> > all I have to do is to take a look into it and I will know the location of
> > the users.ini file...
>
> The advisory says that you can only download files from below the
> game directory (e.g. cstrike) or the valve directory. From that I
> am assuming that a relative path leading out of those would not
> work. This is something that had been fixed by Valve in  a
> different context some time ago. But I haven't tested this myself
> yet, so I can't say for sure if you can download files from above
> those directory with the method described.
>
> Florian.
>
>
> ___
> To unsubscribe, edit your list preferences, or view the list archives, please visit:
> http://list.valvesoftware.com/mailman/listinfo/hlds_linux




Re: [hlds_linux] [Full-Disclosure] Half Life dedicated server information leak and DoS

2003-11-20 Thread Emanuel Harangus
That's in fact a brilliant idea :)

- Original Message -
From: "Florian Zschocke" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, November 20, 2003 12:27 PM
Subject: Re: [hlds_linux] [Full-Disclosure] Half Life dedicated server
information leak and DoS


> Emanuel Harangus wrote:
> > I could dl addons/adminmod/config/users.ini .. addons/metamod/plugins.ini
> > The server.cfg seems to fail as exists in hdd.
> > I disabled allowdownload and allowupload until further news about fixing
> > the exploit.
>
> As for Admin Mod: you can move the Admin Mod config files like
> users.ini to a directory above the game directory so that a
> download will not work anymore. You just have to specify the path
> in the adminmod.cfg file accordingly. Example:
>
> addons/adminmod/config/adminmod.cfg:
> users_file ../../adminmod/config/users.ini
>
> And the tree:
>
> -- somedir
>    |-- hlds
>    |   |-- cstrike
>    |   \-- valve
>    |
>    \-- adminmod
>        \-- config
>            \-- users.ini
>
> (I hope you use a fixed width font to read your email or you may
> not see the tree drawing correctly.)
>
> Florian.
>
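The relocation suggested in this message can be checked with a short script that reports whether the configured users_file still resolves inside a directory that allowdownload serves. This is an added example, not code from any poster or from Admin Mod; it assumes relative users_file values resolve from the game directory (as both examples in the thread imply), and the function names and the sample tree are constructed for illustration.

```python
import tempfile
from pathlib import Path

def downloadable_roots(hlds_root, game):
    # Per the advisory in this thread: the game dir and the valve dir are served.
    return [Path(hlds_root, game).resolve(), Path(hlds_root, "valve").resolve()]

def is_exposed(path, roots):
    real = Path(path).resolve()  # collapses "..", so relative escapes are seen
    return any(real == r or r in real.parents for r in roots)

def audit(hlds_root, game, cfg="addons/adminmod/config/adminmod.cfg",
          directives=("users_file",)):
    # Assumption: relative values resolve from the game directory.
    # Returns (directive, resolved_path, exposed) for each matching line.
    game_dir = Path(hlds_root, game)
    roots = downloadable_roots(hlds_root, game)
    findings = []
    for line in (game_dir / cfg).read_text().splitlines():
        parts = line.split("//")[0].split(None, 1)  # "//" starts a cfg comment
        if len(parts) == 2 and parts[0] in directives:
            target = (game_dir / parts[1].strip().strip('"')).resolve()
            findings.append((parts[0], target, is_exposed(target, roots)))
    return findings

def sensitive_files(hlds_root, game, suffixes=(".cfg", ".ini")):
    # Config-like files that still sit below a served root, relative to it.
    hits = []
    for root in downloadable_roots(hlds_root, game):
        for p in sorted(root.rglob("*")):
            if p.is_file() and p.suffix in suffixes:
                hits.append(p.relative_to(root).as_posix())
    return hits

def build_sample(base, users_file):
    # Constructed tree mirroring the layout drawn in the message above.
    cfg_dir = Path(base, "hlds/cstrike/addons/adminmod/config")
    cfg_dir.mkdir(parents=True)
    Path(base, "hlds/valve").mkdir()
    Path(base, "adminmod/config").mkdir(parents=True)
    (cfg_dir / "adminmod.cfg").write_text(f"users_file {users_file}\n")
    (cfg_dir / "users.ini").write_text("constructed\n")  # old copy left behind
    Path(base, "adminmod/config/users.ini").write_text("constructed\n")
    return Path(base, "hlds")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample(tmp, "../../adminmod/config/users.ini")
        print(audit(root, "cstrike"))
        print(sensitive_files(root, "cstrike"))
```

In the constructed tree the old users.ini left under cstrike still appears in `sensitive_files()`, so relocating the file only helps once the original copy is deleted.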


Re: [hlds_linux] [Full-Disclosure] Half Life dedicated server information leak and DoS

2003-11-20 Thread Emanuel Harangus
I could dl addons/adminmod/config/users.ini .. addons/metamod/plugins.ini
The server.cfg seems to fail as exists in hdd.
I disabled allowdownload and allowupload until further news about fixing
the exploit.

Emanuel 'Rygars' Harangus
Technical Manager,
Professional Gamers League Romania




Re: [hlds_linux] [Full-Disclosure] Half Life dedicated server information leak and DoS

2003-11-20 Thread Emanuel Harangus
I surely couldn't download server.cfg file. I tried to remove them from my
client and download server.cfg again and it failed.

Emanuel 'Rygars' Harangus
Technical Manager,
Professional Gamers League Romania

- Original Message -
From: "Alastair Grant" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, November 20, 2003 1:30 AM
Subject: Re: [hlds_linux] [Full-Disclosure] Half Life dedicated server
information leak and DoS


> You can't seem to download the server.cfg file.  I've tried it on my
> servers and it won't work.
>
> Also it won't download anything below your mod directory, which is good
> news.  I tried downloading hlds_run and /etc/passwd both failed.
>
> Although you can download other files.  Please could somebody confirm
> downloading of the server.cfg doesn't work.
>
> I've currently got the rcon password in the command line run for the
> server so it's not written down.  This of course is not an option if you
> are on a shared box; as people can see the password in the process
> listing.
>
> Simon Street wrote:
> > And fwed here.
> >
> > Ignore if you don't care etc etc...
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Tom Russell
> > Sent: 19 November 2003 20:41
> > To: [EMAIL PROTECTED]
> > Subject: [hlds] [CRITICAL] Fw: [Full-Disclosure] Half Life dedicated server
> > information leak and DoS
> >
> >
> > Forwarded to [EMAIL PROTECTED] as I feel it has some relevance and
> > you server admins need to protect yourselves.
> >
> > Tested and confirmed (for files other than server.cfg) on TFC.
> >
> > I believe in full disclosure.
> >
> > - Original Message -
> > From: "3APA3A" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Wednesday, November 19, 2003 4:07 PM
> > Subject: [Full-Disclosure] Half Life dedicated server information leak and
> > DoS
> >
> >
> >
> >>
> >>Probably is known, but is not documented:
> >>
> >>Vendor: Valve software
> >>Software: hlds, all versions (including steam).
> >>Problem: Information leak, DoS
> >>Author: SYZo[SND]
> >>
> >>Problem:
> >>
> >>in server configuration, if allowdownload = 1, it's possible to
> >>download any file from directory of the current game (cstrike was
> >>tested) or from 'valve' directory from server. Allowdownload is
> >>required to allow clients to retrieve new maps from server.
> >>
> >>Impact:
> >>
> >>It's possible to download configuration files (like server.cfg,
> >>configuration files for different mods, etc) with sensitive
> >>information, including passwords. Additionally, downloading large
> >>file (for example map) causes server to crash.
> >>
> >>"Exploit":
> >>
> >>  cmd dlfile server.cfg
> >>  cmd dlfile addons/amx/users.ini
> >>  cmd dlfile addons/amx/mysql.cfg
> >>  cmd dlfile maps/de_torn.bsp
> >>
> >>Workaround:
> >>
> >>  disable downloads.
> >>
> >>--
> >>http://www.security.nnov.ru
> >> /\_/\
> >>{ , . } |\
> >>+--oQQo->{ ^ }<-+ \
> >>|  ZARAZA  U  3APA3A   } You know my name - look up my number (The Beatles)
> >>+-o66o--+ /
> >>|/
> >>
> >>___
> >>Full-Disclosure - We believe in it.
> >>Charter: http://lists.netsys.com/full-disclosure-charter.html
> >>
> >
> >
> >
> > ___
> > To unsubscribe, edit your list preferences, or view the list archives,
> > please visit: http://list.valvesoftware.com/mailman/listinfo/hlds
> >
> >
>
> --
> Wireplay Official
> http://www.wireplay.co.uk/
>


Re: [hlds_linux] server.cfg not exec'ing at map change

2003-11-19 Thread Emanuel Harangus
Thank you. It's working. I've added mapchangecfgfile "server.cfg" in
server.cfg and it's real :)

Emanuel 'Rygars' Harangus
Technical Manager,
Professional Gamers League Romania

- Original Message -
From: "Terrance Thornsley" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, November 19, 2003 10:38 AM
Subject: Re: [hlds_linux] server.cfg not exec'ing at map change


> I use the following commandline on the latest hlds, and have no problems
> with it running the config correctly:
> ./hlds_run -game cstrike +exec server.cfg +port 27015 +map de_dust -autoupdate +mapchangecfgfile "server.cfg" +pingboost 3
>
> Terry




Re: [hlds_linux] HLTV recordings?

2003-09-02 Thread Emanuel Harangus
The demos are saved into cstrike directory or MOD directory 3.1.1.1x
does that.

- Original Message -
From: "Nander Paardekooper" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, September 01, 2003 2:59 PM
Subject: Re: [hlds_linux] HLTV recordings?



No, they are not...

They are saved in the "cstrike" directory...
  - Original Message -
  From: Tristan
  To: [EMAIL PROTECTED]
  Sent: Monday, 01 September, 2003 13:50
  Subject: Re: [hlds_linux] HLTV recordings?


  As far as I know, they're actually saved to wherever the hltv executable is

  -Tristan

  - Original Message -
  From: "Nander Paardekooper" <[EMAIL PROTECTED]>
  To: <[EMAIL PROTECTED]>
  Sent: Monday, September 01, 2003 11:35 PM
  Subject: Re: [hlds_linux] HLTV recordings?


  hlds_l\cstrike
- Original Message -
From: Hambalek Regis CH [FAT]
To: '[EMAIL PROTECTED]'
Sent: Monday, 01 September, 2003 13:20
Subject: [hlds_linux] HLTV recordings?


I managed to get HLTV running but I just can't find where the recorded files
are saved. The hltv process works fine, even when record command is started,
I just can't find any file in hlds subfolders... anyone got an idea?

Régis Hambalek.



Re: [hlds_linux] director_i386.so no where around

2003-09-02 Thread Emanuel Harangus
forget about it.. if you would put the file in cstrike/dlls/ you would get
hltv to crash

- Original Message -
From: "Hambalek Regis CH [FAT]" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, September 01, 2003 12:35 PM
Subject: [hlds_linux] director_i386.so no where around


> I have problems running hltv after upgrading to 3.1.1.1d, and one of the
> reasons is director_i386.so is nowhere around my hlds folder.
> Could anyone tell me why, or which file should be downloaded and installed if
> hlds_l_3111d_update.tar.gz is not enough?
>
> Thx
>
> REGIS HAMBALEK.
>


Re: [hlds_linux] test

2003-08-26 Thread Emanuel Harangus
me too... I tried to re-subscribe and I've ended up in getting "you are
already subscribed". The other lists are working alright but hlds-linux.
Maybe it's their fault ;) HLDS_LIST 3.1.1.1a :P




Re: [hlds_linux] HLDS Console *SIMPLE* Feature Request

2003-08-11 Thread Emanuel Harangus
Sixth!!

- Original Message -
From: "Adam 'Starblazer' Romberg" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Sunday, August 10, 2003 3:27 AM
Subject: RE: [hlds_linux] HLDS Console *SIMPLE* Feature Request


> Fifth!
>
> -a-
>
>
> 
> Adam 'Starblazer' Romberg Appleton: 920-738-9032
> System Administrator
> ExtremePC LLC-=-  http://www.extremepcgaming.net
>
> On Sat, 9 Aug 2003, Matt Gossage wrote:
>
> > I fourth it :-)
>


Re: [hlds_linux] Security hole known to Valve for months ??

2003-07-31 Thread Emanuel Harangus
How true you are! :(

- Original Message -
From: "wandlampe" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, July 31, 2003 7:06 PM
Subject: RE: [hlds_linux] Security hole known to Valve for months ??


> > But indeed it would be nice to know the 'why' of not fixing it during 4
> > months of knowing this security hole. Although this exploit was not very
> > known 'out-in-the-open' it didn't mean a less serious exploit.
> >
> > Regards,
> >
> > Rolph Haspers
> > GameServers.Net
>
>
> Well, the guy who published the proof-of-concept-exploit did us a big
> favour I think...
>
> If he hadn't released it, Valve would have done a shit about that
> hole...
>
> Next time, perhaps a Blackhat finds the hole, and not just some nice guy
> who hasn't got any interest at all in breaking/overtaking servers...
>
> Think about it...
>
> Greetings
>
>