Re: [VSA0304] Half-Life Client remote hole via Adminmod plugin

[3APA3A <3APA3A () SECURITY NNOV RU>]

Dear VOID.AT Security,


This  bug is not related to adminmod, but is rather the bug in Half Life
itself.  At  least  absolutely  same  problem is in amx plugin. amx_psay
%s%s%s%s causes same trouble.

So  this  is  a bug in HalfLife client and may be exploited by malicious
server  operator  (including  remote one with permissions to execute any
csay/psay  command,  rcon access is not actually required, it's possible
to  bind  malicious  amx_psay  command  to  some  key).  Since Half Life
protocol  is  not  secure  it's  very likely this bug potentially may be
exploited by any remote attacker while client is playing.


--Friday, January 10, 2003, 8:49:35 PM, you wrote to bugtraq () securityfocus com:

VAS> Note, the attacker needs to know the rcon-password.
VAS> However, it is easy to sniff since it is being transmitted
VAS> in plaintext.

<skipped>

VAS> blackboxed the admin_ssay and admin_psay commands.


-- 
~/ZARAZA
Если даже вы получите какое-нибудь письмо, вы все равно не сумеете его прочитать. (Твен)