Rcon Vulnerbility - Plaintext

[Alexander Hagenah <bugtraq@xxxxxxxxxxxx>]

--/ INTRODUCTION  --


Advisory           : rcon_plaintext
Release Date       : 18.September 2003
Application        : HLSW / rcon-console
Impact             : rcon passwords can be sniffed
Vendor Status      : No reply yet.
Author             : Alexander 'xaitax' Hagenah [ah@xxxxxxxxxxxx]
                     Adrian 'p0beL' Waloschyk [aw@xxxxxxxxxxxx]
                     powered by http://xaitax.de


--/    SUMMARY    --


There are many possibilites to administrate your Half-Life/Counter-
Strike Server.
The common is using 'rcon'. rcon can be controlled either in a 
console or by using a tool called HLSW. To authentificate on the 
server you send your password. The vulnerability is that rcon
isn't crypting the password, when it has been send. So it is sended
in plaintext and the server receives it in plaintext, too.
So there is no problem to sniff the password. A sniffer with some 
simple filter rules can find out rcon passwords fast and easily. 


--/   REPRODUCE   --

Setting up a filter rule with some easy things like
Protocol: UDP
Destination Port: 27015 (for example)
Strings: 'rcon' AND 'echo'

will show you the interesting frame fast and easily.
A successfull sniff will give you an output in the data field like 
this example:

<.>
  ....rcon 2228360  FF FF FF FF 72 63 6F 6E 20 32 32 32 38 33 36 30
  724 "lena" echo   37 32 34 20 22 6C 65 6E 61 22 20 65 63 68 6F 20
  HLSW: Test        48 4C 53 57 3A 20 54 65 73 74
<.>

--     PATCH     /--

There are no possibilities actually as far as we know.


- ( x a i t a x - s e c u r i t y ) -
http://xaitax.de