--/ INTRODUCTION -- Advisory : rcon_plaintext Release Date : 18.September 2003 Application : HLSW / rcon-console Impact : rcon passwords can be sniffed Vendor Status : No reply yet. Author : Alexander 'xaitax' Hagenah [ah@primepage.de] Adrian 'p0beL' Waloschyk [aw@primepage.de] --/ SUMMARY -- There are many possibilites to administrate your Half-Life/Counter- Strike Server. The common is using 'rcon'. rcon can be controlled either in a console or by using a tool called HLSW. To authentificate on the server you send your password. The vulnerability is that rcon isn't crypting the password, when it has been send. So it is sended in plaintext and the server receives it in plaintext, too. So there is no problem to sniff the password. A sniffer with some simple filter rules can find out rcon passwords fast and easily. --/ REPRODUCE -- Setting up a filter rule with some easy things like Protocol: UDP Destination Port: 27015 (for example) Strings: 'rcon' AND 'echo' will show you the interesting frame fast and easily. A successfull sniff will give you an output in the data field like this example: <.> ....rcon 2228360 FF FF FF FF 72 63 6F 6E 20 32 32 32 38 33 36 30 724 "lena" echo 37 32 34 20 22 6C 65 6E 61 22 20 65 63 68 6F 20 HLSW: Test 48 4C 53 57 3A 20 54 65 73 74 <.> -- PATCH /-- There are no possibilities actually as far as we know. - ( x a i t a x - s e c u r i t y ) - http://xaitax.de