Re: [VSA0304] Half-Life Client remote hole via Adminmod plugin

2003-01-11T00:00:00
ID SECURITYVULNS:DOC:3967
Type securityvulns
Reporter Securityvulns
Modified 2003-01-11T00:00:00

Description

Dear VOID.AT Security,

This bug is not related to adminmod, but is rather the bug in Half Life itself. At least absolutely same problem is in amx plugin. amx_psay %s%s%s%s causes same trouble.

So this is a bug in HalfLife client and may be exploited by malicious server operator (including remote one with permissions to execute any csay/psay command, rcon access is not actually required, it's possible to bind malicious amx_psay command to some key). Since Half Life protocol is not secure it's very likely this bug potentially may be exploited by any remote attacker while client is playing.

--Friday, January 10, 2003, 8:49:35 PM, you wrote to bugtraq@securityfocus.com:

VAS> Note, the attacker needs to know the rcon-password. VAS> However, it is easy to sniff since it is being transmitted VAS> in plaintext.

<skipped>

VAS> blackboxed the admin_ssay and admin_psay commands.

-- ~/ZARAZA Если даже вы получите какое-нибудь письмо, вы все равно не сумеете его прочитать. (Твен)