Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Game)  >   Half-Life Vendors:   Valve Software
Half-Life 'rcon' Remote Console Sends Passwords in Clear Text
SecurityTracker Alert ID:  1007753
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Sep 19 2003
Impact:   Disclosure of authentication information
Exploit Included:  Yes  

Description:   A vulnerability was reported in the Half-Life 'rcon' remote console. The software transmits passwords in clear text.

xaitax security reported that a remote user that can monitor the network between a target user's 'rcon' console and the Half-Life/Counter-Strike Server can obtain the target user's password.

The vendor has reportedly been notified.

Impact:   A remote user that can monitor the network can sniff 'rcon' user passwords.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Access control error

Message History:   None.

 Source Message Contents

Subject:  Rcon Vulnerbility - Plaintext


Advisory           : rcon_plaintext
Release Date       : 18.September 2003
Application        : HLSW / rcon-console
Impact             : rcon passwords can be sniffed
Vendor Status      : No reply yet.
Author             : Alexander 'xaitax' Hagenah []
		     Adrian 'p0beL' Waloschyk []
                     powered by

--/    SUMMARY    --

There are many possibilites to administrate your Half-Life/Counter-
Strike Server.
The common is using 'rcon'. rcon can be controlled either in a 
console or by using a tool called HLSW. To authentificate on the 
server you send your password. The vulnerability is that rcon
isn't crypting the password, when it has been send. So it is sended
in plaintext and the server receives it in plaintext, too.
So there is no problem to sniff the password. A sniffer with some 
simple filter rules can find out rcon passwords fast and easily. 

--/   REPRODUCE   --

Setting up a filter rule with some easy things like
Protocol: UDP
Destination Port: 27015 (for example)
Strings: 'rcon' AND 'echo'

will show you the interesting frame fast and easily.
A successfull sniff will give you an output in the data field like 
this example:

  ....rcon 2228360  FF FF FF FF 72 63 6F 6E 20 32 32 32 38 33 36 30
  724 "lena" echo   37 32 34 20 22 6C 65 6E 61 22 20 65 63 68 6F 20
  HLSW: Test        48 4C 53 57 3A 20 54 65 73 74

--     PATCH     /--

There are no possibilities actually as far as we know.

- ( x a i t a x - s e c u r i t y ) -


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, LLC