Tuesday, October 17, 2000
Linux Half-Life Server Vulnerability -- 11:12 pm CST, Update by A.T. Hun
Security Focus is reporting that there is a rather serious buffer overflow bug that IS being exploited in the Linux Half-Life dedicated server 3.1.0.3 and earlier. Here's the scoop:
A buffer overflow vulnerability was discovered in a Half-Life dedicated server during a routine security audit. A user shell was found running on the ingreslock port of the server which led to an investigation into how this had been achieved. From the logs left on the server, it was ascertained that a predefined exploit script was used and that the perpetrator failed to further compromise the server due to the Half-Life software running as a non-privileged user.
Linux H-L server admins would probably be best served to bring down their servers until a patch is released . . . and check your logs. Thanks Linux Games.
The vulnerability appears to exist in the changelevel rcon command and does not require a valid rcon password.
. . .
Valve Software promised a patch which has yet to appear. Interim measures would include:-
A) Consider not running the HalfLife software at all!
B) Remove the world execute bit from inetd to 'break' the exploit code - this would only stop the script kiddies
C) Ensure sane ipfwadm/ipchains filters are in place
Speaking of Linux security, I spent the better part of this evening applying bug fixes and security fixes to my Red Hat 6.2 install so I can be relatively secure online. Now I need to figure out IPCHAINS. Not looking forward to that one.
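A check for the indicator the advisory describes, a shell listening on the ingreslock port (1524/tcp in /etc/services). This is an added example, not part of the original post or the advisory; it assumes the shell was bound through an inetd-style configuration line, as interim measure B suggests, and the sample inputs and the "hlds" account name are constructed.

```python
INGRESLOCK_PORT = 1524  # ingreslock/tcp as listed in /etc/services
SHELLS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh", "ash"}

def shell_services(inetd_text):
    """Return (service, user, program) for inetd entries that launch a shell."""
    hits = []
    for line in inetd_text.splitlines():
        fields = line.split("#", 1)[0].split()
        # inetd.conf: service socktype proto wait user server-program [args...]
        if len(fields) < 6:
            continue
        service, user, program = fields[0], fields[4], fields[5]
        if program.rsplit("/", 1)[-1] in SHELLS:
            hits.append((service, user, program))
    return hits

def listening_ports(proc_net_tcp_text):
    """Return the TCP ports in LISTEN state from /proc/net/tcp content."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) > 3 and fields[3] == "0A":  # 0A = TCP_LISTEN
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports

# Constructed sample: an inetd-style file with a shell bound to ingreslock.
SAMPLE_INETD = """\
# constructed sample, not taken from a real host
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
ingreslock stream tcp nowait hlds /bin/sh sh -i
"""

# Constructed sample in /proc/net/tcp layout: sshd (22) and ingreslock (1524)
# listening, plus one established connection that must not be reported.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0
   1: 00000000:05F4 00000000:0000 0A 00000000:00000000 00:00000000 00000000   501
   2: 0100007F:0050 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0
"""

if __name__ == "__main__":
    for service, user, program in shell_services(SAMPLE_INETD):
        print(f"inetd entry '{service}' runs {program} as {user}")
    if INGRESLOCK_PORT in listening_ports(SAMPLE_PROC_NET_TCP):
        print(f"something is listening on {INGRESLOCK_PORT}/tcp (ingreslock)")
```

On a live host, feed `shell_services` any inetd-format files found in world-writable directories as well as /etc/inetd.conf, and feed `listening_ports` the contents of /proc/net/tcp.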
All original information on this website is copyright © TheHaus.Net, 1999-2005. The use of original images, text, and/or code from this website without expressed written consent is prohibited. The authors of this site cannot be held responsible for any damage, real or imagined, which comes from the use of information presented on this site. All trademarks used are the properties of their respective owners. This site is not to be used as a floatation device (but if you try, I want a video tape of it).