2.60 server file disclosure exploit is being actively abused


(SCDS_reyalP) #1

A note for server admins, copy/paste from my post on the etpro forums:
We have had several reports that people are actively exploiting the download vulnerability that exists in et prior to 2.60b and ETTV prior to beta-10. This exploit allows anyone who can connect to your server to download your server.cfg files (and thus obtain your passwords) and depending on your server configuration, may allow them to download other sensitive files outside of the et directory.

Anyone running a server with downloads enabled should update to 2.60b or the latest ettv.

You DO NOT have to update to the new etpro, or require the clients to update. Just update the server.

The bug: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-2082
ET 2.60b binaries (all platforms): ftp://ftp.idsoftware.com/idstuff/et/ET-2.60b.zip

edit:
BTW, this isn’t anything new, just a heads up that the bad guys are using it.
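The advice above is to inventory servers and confirm they run 2.60b with downloads in mind. The following is an added example, not code from the thread or from id Software: it sends the standard Quake 3 engine `getstatus` query (the 0xFF 0xFF 0xFF 0xFF out-of-band prefix is part of the real protocol), parses the returned infostring, and flags a server that still reports an unpatched `version` while `sv_allowDownload` is enabled. The sample response bytes are constructed for the test; the exact `version` string layout on a live server may differ, and `sv_allowDownload` only shows up if the server publishes it in its status info.

```python
import socket

# Out-of-band connectionless packet prefix used by Quake 3 engine servers (ET included).
OOB = b"\xff\xff\xff\xff"
STATUS_HDR = OOB + b"statusResponse\n"

# Version substrings this thread says are safe for UDP downloads (server side).
PATCHED_VERSIONS = ("2.60b",)


def parse_status_response(payload: bytes) -> dict:
    """Parse a getstatus reply into the server's infostring key/value dictionary."""
    if not payload.startswith(STATUS_HDR):
        raise ValueError("not a statusResponse packet")
    body = payload[len(STATUS_HDR):]
    # First line is the \key\value infostring; later lines list players.
    infostring = body.split(b"\n", 1)[0].decode("latin-1")
    fields = infostring.split("\\")[1:]  # leading backslash yields an empty first field
    return dict(zip(fields[0::2], fields[1::2]))


def is_patched(version: str) -> bool:
    """True if the reported version string contains a patched release marker."""
    return any(v in version for v in PATCHED_VERSIONS)


def assess(info: dict) -> str:
    """Classify exposure to the server-side file disclosure bug from status info."""
    version = info.get("version", "")
    if is_patched(version):
        return "patched"
    if info.get("sv_allowDownload", "1") == "0":
        return "downloads disabled (still update)"
    return "EXPOSED: unpatched with downloads enabled"


def query_server(host: str, port: int = 27960, timeout: float = 2.0) -> dict:
    """Send a getstatus query to one server and parse the reply (assumed default port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(OOB + b"getstatus", (host, port))
        data, _ = sock.recvfrom(65535)
    return parse_status_response(data)


# Constructed sample replies (not captured from any real server).
SAMPLE_PATCHED = (
    STATUS_HDR
    + b"\\sv_hostname\\Example server\\version\\ET 2.60b linux-i386 May  8 2006"
    + b"\\sv_allowDownload\\1\n"
)
SAMPLE_EXPOSED = (
    STATUS_HDR
    + b"\\sv_hostname\\Old server\\version\\ET 2.60 win-x86 Mar 10 2005"
    + b"\\sv_allowDownload\\1\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_PATCHED, SAMPLE_EXPOSED):
        info = parse_status_response(sample)
        print(info["sv_hostname"], "->", assess(info))
```

Point `query_server` at your own hosts to run the check for real; everything else works offline on the constructed samples.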


(corvey) #2

lovely, now all noobs know about it too… Better take his advice server admins, the invasion of the baddies is coming :smiley:


(mortis) #3

It’s already happening. Unpatched servers can have their rcon passwords compromised, among other things.


(ouroboro) #4

I never understood why people would stay unpatched unless they want to keep exploiting the old bugs or just want the easy prey of freshly installed newbies. Either way, this might be a blessing in disguise if it forces all those 2.55 idiots to upgrade so there’s no more “drone servers” in my browser. In fact, someone who knows how to do this exploit should go on an “upgrade or die” campaign, IMO.


(Nerbil) #5

Or just modify your server, so that no .pk3 files are downloadable from it. Host your .pk3 files on a secondary server with no ET on it.


(SCDS_reyalP) #6

I’m not sure I follow the “modify your server” part? Unless you are planning to hex etded, or disable downloads completely, you can’t stop people from using this exploit |+ UDP downloads to get your .cfg files.

Despite what the id announcement said, you cannot disable UDP downloads and leave www redirects on (although you might be able to fix that with a little hexing).


(Ragnar_40k) #7

I want to remind all server admins to follow reyalP’s advice and to update the servers.

We had another report that a well known cheater clan is using this exploit to take over servers:
http://forum.splatterladder.com/index.php?showtopic=3480