Half-Life 'rcon' Remote Console Sends Passwords in Clear Text
SecurityTracker Alert ID: 1007753|
SecurityTracker URL: http://securitytracker.com/id/1007753
(Links to External Site)
Date: Sep 19 2003
Disclosure of authentication information|
Exploit Included: Yes |
A vulnerability was reported in the Half-Life 'rcon' remote console. The software transmits passwords in clear text.|
xaitax security reported that a remote user that can monitor the network between a target user's 'rcon' console and the Half-Life/Counter-Strike Server can obtain the target user's password.
The vendor has reportedly been notified.
A remote user that can monitor the network can sniff 'rcon' user passwords.|
No solution was available at the time of this entry.|
Vendor URL: half-life.sierra.com/ (Links to External Site)
Access control error|
Source Message Contents
Subject: Rcon Vulnerbility - Plaintext|
--/ INTRODUCTION --
Advisory : rcon_plaintext
Release Date : 18.September 2003
Application : HLSW / rcon-console
Impact : rcon passwords can be sniffed
Vendor Status : No reply yet.
Author : Alexander 'xaitax' Hagenah [firstname.lastname@example.org]
Adrian 'p0beL' Waloschyk [email@example.com]
powered by http://xaitax.de
--/ SUMMARY --
There are many possibilites to administrate your Half-Life/Counter-
The common is using 'rcon'. rcon can be controlled either in a
console or by using a tool called HLSW. To authentificate on the
server you send your password. The vulnerability is that rcon
isn't crypting the password, when it has been send. So it is sended
in plaintext and the server receives it in plaintext, too.
So there is no problem to sniff the password. A sniffer with some
simple filter rules can find out rcon passwords fast and easily.
--/ REPRODUCE --
Setting up a filter rule with some easy things like
Destination Port: 27015 (for example)
Strings: 'rcon' AND 'echo'
will show you the interesting frame fast and easily.
A successfull sniff will give you an output in the data field like
....rcon 2228360 FF FF FF FF 72 63 6F 6E 20 32 32 32 38 33 36 30
724 "lena" echo 37 32 34 20 22 6C 65 6E 61 22 20 65 63 68 6F 20
HLSW: Test 48 4C 53 57 3A 20 54 65 73 74
-- PATCH /--
There are no possibilities actually as far as we know.
- ( x a i t a x - s e c u r i t y ) -