Game Servers Information Leakage - Vulnerable Server Files.


AKS aka 0kn0ck , CERA

Note: For Education Purposes Only.

The game environment is one of the predominant working structures of the various games running on web servers, and the configuration plays a crucial role in the management of these game files on the server. After pen testing and auditing a number of web servers serving online games, it has been found that many game servers are prone to information leakage through configuration files. The basic point is that all information is present in clear text and in raw format: if such a file is exposed to an external entity, the overall information about the game server can be exploited. Another critical issue is the presence of clear-text passwords for the admin and game users required to administer the server. This is the biggest problem in the handling of server configuration files for various game servers.

The type of information extracted is:

1. Game Server Configuration.
2. Log files related to serving the game on web servers.
3. Clear Text Passwords.


The general information is structured as follows (each parameter is followed by its description):

passwordAdmin = "fksdlsdg";
    Password to protect admin access

password = "dgsgag";
    Password required to connect to the server

hostname="Game Server Kn0ck";
    Server hostname, the one visible in the game browser

maxPlayers = 20;
    The maximum number of players that can connect to the server (seems to be out by 1 in the demo at least)

motd[]={"Welcome to the kn0ck","Hosted by Flashpoint Webworlds.",};
    Welcome message, two lines; "," means 'new line'

This is the primary information made public by vulnerable server configuration files. The following sections show information extracted from live targets as proof of concept.
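The parameter formats above and in the captured files below (the `key = "value";` style, the bare `cvar "value"` style of Source servers, and the `set cvar "value" // comment` style of Quake 3 engine games) are simple enough that an operator can audit their own configuration files for clear-text credentials before a copy ever lands in a web root. The following Python script is an added example, not code from the original advisory: the line patterns, the `pass(word|wd)` key heuristic, the placeholder list and the sample configuration are all assumptions constructed for illustration.

```python
"""Audit game-server configuration files for clear-text credentials.

Added example (not part of the original advisory). It parses the three
configuration syntaxes shown on the page:
  * Flashpoint style:     passwordAdmin = "fksdlsdg";
  * Source/GoldSrc style: rcon_password "rconpw"
  * Quake 3 / ET style:   set rcon_password "XXXX" // comment
and reports every password-like key whose value is really set, so that
credentials do not sit in a file that a web server might hand out.
"""
import re

# Assumption: any key containing "password"/"passwd" carries a credential
# (covers passwordAdmin, rcon_password, sv_privatePassword, refereePassword...).
SENSITIVE_KEY = re.compile(r"pass(word|wd)", re.IGNORECASE)

# Values that mean "unset" or are obvious placeholders rather than real secrets
# (assumed list; extend it for your own files).
PLACEHOLDERS = {"", "xxx", "xxxx", "-----", "changeme"}

# One regex per syntax, tried in order; each yields (key, value).
LINE_PATTERNS = [
    # passwordAdmin = "fksdlsdg";   /   maxPlayers = 20;
    re.compile(r'^\s*([A-Za-z_][\w\[\]]*)\s*=\s*"?([^";]*)"?\s*;?\s*$'),
    # set rcon_password "XXXX"  /  seta sv_wwwDownload "0"  /  sets Admin "x"
    re.compile(r'^\s*(?:set[as]?)\s+([A-Za-z_.][\w.]*)\s+"?([^"]*)"?\s*$'),
    # rcon_password "rconpw"  /  sv_rcon_maxfailures 10
    re.compile(r'^\s*([A-Za-z_]\w*)\s+"?([^"]*)"?\s*$'),
]

# Constructed sample, one block per syntax seen on the page.
SAMPLE_CONFIG = """\
// constructed sample: one block per syntax seen on the page
passwordAdmin = "fksdlsdg";
password = "dgsgag";
hostname="Game Server Kn0ck";
maxPlayers = 20;
rcon_password "rconpw"
sv_password "esl"
tv_password ""
sv_curl_defaulturl "http://delight.vapor.com/maps/"
set rcon_password "XXXX" // RCON must supply pw to use
set g_password "secret123" //Server password
set sv_privatePassword ""
; Source TV Server Passwort
// set rconpassword "-----"
"""


def strip_comment(line):
    """Drop a trailing // comment that sits outside double quotes (so URLs
    such as http://... in values survive). Lines starting with ';', '#' or
    '//' are comments in their entirety."""
    if line.lstrip().startswith((";", "#", "//")):
        return ""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote and line.startswith("//", i):
            return line[:i]
    return line


def parse_line(line):
    """Return (key, value) for a configuration line, or None when the line
    carries no key/value pair (blank, comment, bare command such as writeid)."""
    body = strip_comment(line).strip()
    if not body:
        return None
    for pattern in LINE_PATTERNS:
        match = pattern.match(body)
        if match:
            return match.group(1), match.group(2).strip()
    return None


def find_cleartext_credentials(text):
    """Return a list of {'line', 'key', 'value'} dicts for every sensitive key
    whose value is neither empty nor a known placeholder."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        parsed = parse_line(raw)
        if parsed is None:
            continue
        key, value = parsed
        if SENSITIVE_KEY.search(key) and value.lower() not in PLACEHOLDERS:
            findings.append({"line": number, "key": key, "value": value})
    return findings


def report(findings):
    """Render findings without echoing the secret itself; only its length is
    shown, so the audit output can be pasted into a ticket safely."""
    return [f"line {f['line']}: {f['key']} holds a clear-text value ({len(f['value'])} chars)"
            for f in findings]


if __name__ == "__main__":
    for entry in report(find_cleartext_credentials(SAMPLE_CONFIG)):
        print(entry)
```

Run against the sample it flags the five real values and stays silent on the empty `tv_password ""`, the `"XXXX"` placeholder and the commented-out `rconpassword`; point `find_cleartext_credentials` at the contents of a real `server.cfg` to audit it the same way.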


Error Check 1: Server Information.
install

text

nfs --server 192.0.2.1 --dir /install/fedora/2/i386/os

# RedHat likes to set UTF8, which under RH 9 causes various problems...
lang en_US
langsupport --default en_US en_US

# run system-config-* if needed once in production
keyboard us
mouse none
skipx

# TODO pre script for eth1 and other complications?
network --device eth0 --bootproto dhcp
#rootpw --iscrypted $1$mumble
authconfig --enableshadow --enablemd5

firewall --enabled --ssh

timezone --utc US/Pacific

# partition done via script, below
%include /tmp/partition-layout

# packages done via script, below
%include /tmp/base-packages

%pre

# load specific boot args into variables
< /proc/cmdline sed 's/ /\n/g' | grep ^cf_ | grep = > /tmp/cf-args
. /tmp/cf-args

export RH_MOUNT=/tmp-build
mkdir -p $RH_MOUNT
mount -t nfs 192.0.2.1:/install $RH_MOUNT

# custom package list by name, otherwise interactive
touch /tmp/base-packages
if [ -f "$RH_MOUNT/kickstart/fedora/packages/$cf_pkg" ]; then
  cp "$RH_MOUNT/kickstart/fedora/packages/$cf_pkg" /tmp/base-packages
else
  cp "$RH_MOUNT/kickstart/fedora/packages/server" /tmp/base-packages
fi

# custom partition layout by eth0 MAC. Favor reading from static file
# over custom script over "reasonable" defaults done below.

MAC_ADDR=`ifconfig eth0 | \
 grep HWaddr | sed -e 's/^.*HWaddr \([A-Fa-f0-9:]*\).*$/\1/; s/:/-/g'`;

# include fails without file; empty file will bring up partition utility
# during installation for custom layout
touch /tmp/partition-layout

PART_SRC=$RH_MOUNT/kickstart/partition

# by boot argument before MAC
if [ -f "$PART_SRC/$cf_part_file" ]; then
  echo "partition data: file=$cf_part_file"
  cp "$PART_SRC/$cf_part_file" /tmp/partition-layout

elif [ -f "$PART_SRC/$cf_part_script" ]; then
  echo "partition script: file=$cf_part_script"
  cp "$PART_SRC/$cf_part_script" /tmp/partition-layout.sh

elif [ -f "$PART_SRC/$MAC_ADDR" ]; then
  echo "partition data: file=$MAC_ADDR"
  cp "$PART_SRC/$MAC_ADDR" /tmp/partition-layout

elif [ -f "$PART_SRC/$MAC_ADDR.sh" ]; then
  echo "partition script: file=$MAC_ADDR.sh"
  cp "$PART_SRC/$MAC_ADDR.sh" /tmp/partition-layout.sh

fi

if [ -f /tmp/partition-layout.sh ]; then
  . /tmp/partition-layout.sh
fi

%post

# load specific boot args into variables
< /proc/cmdline sed 's/ /\n/g' | grep ^cf_ | grep = > /tmp/cf-args
. /tmp/cf-args

echo -e \\a
chvt 3

(
  export RH_MOUNT=/tmp-build
  mkdir -p $RH_MOUNT
  /etc/init.d/portmap start
  mount -t nfs 192.0.2.1:/install $RH_MOUNT

  /usr/sbin/ntpdate -su north-america.pool.ntp.org

  if [ -f /etc/fedora-release ]; then
    RH_RELEASE=fedora
    RH_VERSION=`rpm -q --queryformat '%{VERSION}' fedora-release`
  else
    RH_RELEASE=rhel
    RH_VERSION=`rpm -q --queryformat '%{VERSION}' redhat-release`
  fi
  export RH_RELEASE RH_VERSION

  # bootstrap PGP keys for software install
  for keyfile in $RH_MOUNT/rpm-pgp-keys/*; do
    [ ! -f "$keyfile" ] && continue
    rpm --import "$keyfile"
  done

  # bootstrap yum
  rpm -i $RH_MOUNT/yum/rpm/$RH_RELEASE.rpm
  cp $RH_MOUNT/yum/conf/yum.conf.$RH_RELEASE /etc/yum.conf
  chmod +r /etc/yum.conf

  # initial update run
  yum -t -y update

  yum -C -t -y install cfengine

  # for use by cfengine
  mkdir -p /var/cfengine/etc/classes

  # so can boot with cf_group=desktop,group_nickerson, instead of
  # relying on static hostname that is not present on build network
  if [ ! -z "$cf_group" ]; then
    if echo $cf_group | egrep '^[A-Za-z0-9_,-]*$' >/dev/null; then
    (
      IFS=","
      for group in $cf_group; do
        touch "/var/cfengine/etc/classes/$group"
      done
    )
    fi
  fi

  touch /var/cfengine/etc/classes/server

  mkdir -p /etc/system-info
  date --iso-8601=minutes > /etc/system-info/install-date

  (
    # first line unique ID, ID specific info on subsequent lines
    echo kickstart
    echo '$Id: server.cfg,v 1.4 2005/11/06 06:38:05 jmates Exp $'
  ) > /etc/system-info/install-method

  cat <<'EOF' > /etc/rc.d/rc.local
#!/bin/sh
/usr/sbin/cfagent --no-splay --define sys_startup &
touch /var/lock/subsys/local
EOF
chmod 755 /etc/rc.d/rc.local

  umount $RH_MOUNT
  rmdir $RH_MOUNT
  /etc/init.d/portmap stop

) 2>&1 | tee /root/ks-postinstall.log

echo -e \\a
Error Check 2: Clear Text Passwords.
//----------// Basic settings //----------//


hostname "servername | config powered by TEAM-FLASH.eu"
rcon_password "rconpw"
sv_password "esl"


//----------// Game settings: //----------//


mp_autokick 			"0"
mp_autoteambalance 		"0"
mp_buytime 			"0.25"
mp_c4timer 			"35"
mp_chattime 			"5"
mp_consistency			"1"
mp_decals			"900"
mp_fadetoblack 			"0"
mp_flashlight 			"1"
mp_footsteps 			"1"
mp_forcecamera 			"2"
mp_forcechasecam 		"2"
mp_freezetime 			"10"
mp_friendlyfire 		"1"
mp_kickpercent			"1"
mp_limitteams 			"0"
mp_logdetail 			"3"
mp_logecho 			"0"
mp_logfile 			"1"
mp_logmessages 			"1"
mp_mapvoteratio			"1"
mp_maxrounds 			"0"
mp_roundtime 			"2.5"
mp_startmoney 			"800"
mp_timelimit 			"0"
mp_tkpunish 			"0"
mp_winlimit 			"0"

-------------------------------------------------------------

hostname "servername | config by team-flash.eu"
rcon_password "euerrconpw"
sv_password "euerjoinpw"

//----------// Game settings: //----------//

//the ESL settings go here

//----------// Server settings: //----------//

sv_contact "www.team-flash.eu"
sv_allowdownload "1"
sv_allowupload "0"
sv_challentime "150"
sv_rcon_banpenalty "1"
sv_rcon_minifailures "5"
sv_rcon_minifailuretime "30"
sv_rcon_maxfailures 10


; sets the Steam region filter: 0 = US East Coast - 1 = US West Coast - 2 = South America - 3 = Europe - 4 = Asia - 5 = Australia - 6 = Middle East - 7 = Africa - 255 = worldwide
sv_region "3"

sv_send_logs "1"
sv_send_resources "1"
sv_lan "0"
sv_secure "1"
sv_downloadurl ""
writeid
writeip

//----------//  EXEC //----------//
exec mani_server.cfg
exec bannid.cfg
exec smm_settings.cfg
exec banned_user.cfg
exec banned_ip.cfg

//----------//  Server Netsettings //----------//

sv_maxrate "20000"
sv_minrate "2500"
sv_maxupdaterate "100"
sv_minupdaterate "30"
sv_unlag "1"
sv_maxunlag "1"
sv_unlag_debug "0"
sv_unlag_fixstuck "0"
host_framerate "0"

//----------// Source TV //----------//

; enable Source TV: 1 = yes, 0 = no
tv_enable 0

; Source TV Port
tv_port 27020

; automatically record Source TV demos for all games
tv_autorecord 0

; Source TV debug mode
tv_debug 0

; delay in seconds for the SourceTV server
tv_delay 10

; allows players to be dispatched to relay proxies: 0 = no, 1 = if needed, 2 = always
tv_dispatchmode 1

; maximum number of spectator slots
tv_maxclients 128

; maximum bandwidth for the Source TV server
tv_maxrate 3500

; name of the Source TV server
tv_name "Source TV"

; override the SourceTV master root address
tv_overrideroot 0

; Source TV server password
tv_password ""

; Source TV relay password
tv_relaypassword ""

; writes one step into the demo every "xx" server ticks (only while recording SrcTV demos)
tv_snapshotrate  20

// Rcon commands to control a Source TV server:
// tv_record "demoname"     =>  records a SrcTV demo (demos are stored in the "cstrike" folder of your server)
// tv_stoprecord            =>  stops recording the SrcTV demo.  !! NOTE !! Demos are stopped automatically on a map change, after which this command is no longer needed.
// tv_stop                  =>  stops SourceTV / "kicks" the SourceTV client from the server

Error Check 3: Log Settings Information.
// Log Settings
set g_logsync "2" // 0=no log, 1=buffered, 2=continuous, 3=append
set logfile "1" // 0 = NO log, 1 = log file enabled
set g_log "games_mp.log" // Name of log file, default is games_mp.log
set sv_log_damage "1"

// Network options
set com_hunkMegs "512"
set net_noipx "1" // Allow ONLY tcp/ip protocol, player/server communications

// DAM COMPETITION MOD CVARS
dam_enable_readyup "1"
dam_enable_strattime "1"
dam_strattime "10"
dam_lefticons "2"

// Server Network Mode
set dedicated "2" // 0 = Listen, 1 = LAN, 2 = Internet

// Password Settings
set rcon_password "XXXX" // RCON must supply pw to use
set sv_privatePassword "" // Private slots, non-public slots
set g_password "XXXX" //Server password

// Player slots setup
set sv_maxclients "10" // MAX server player slots, this is TOTAL player slots
set sv_privateclients "" // Number of private player slots, maxclients - privateclients = public slots

// Ping
set sv_minPing "0" // MIN player ping on CONNECT, any lower and player isnt allowed to connect
set sv_maxping "150" // MAX player ping on CONNECT, any higher and player isnt allowed to connect

// Client Download Settings (0=off/1=on)
set sv_allowdownload "1"
seta sv_wwwDownload "0"
//seta sv_wwwBaseURL ""
seta sv_wwwDlDisconnected "1"

// Rate
set sv_maxRate "25000"


Error Check 4: Network Configuration with Port Specification.

// SERVER NETWORK SETTINGS

set dedicated "2"                                               // (1: dedicated server for lan 2: dedicated server for internet)
set net_ip "69.139.243.144"                                                // (set to override the default IP ET uses)
set net_port "27960"                                         // (set to override the default port ET uses)

// MASTER SERVERS TO REPORT TO

set sv_master1 "etmaster.idsoftware.com"
set sv_master2 "master.gamespy.com:27900"
set sv_master3 "master0.gamespy.com"
set sv_master4 "clanservers.net"
//set sv_master5 ""

Error Check 5: Library Information

# Unix/BSD/Linux
#
# GTK1 backend:
# GTK_LIB_NAME = libgtk.so
# GDK_LIB_NAME = libgdk.so
# GLIB_LIB_NAME = libglib.so
# GLADE_LIB_NAME = libglade.so
#
# GTK2 backend:
GTK_LIB_NAME = libgtk-x11-2.0.so
GDK_LIB_NAME = libgdk-x11-2.0.so
GLIB_LIB_NAME = libglib-2.0.so
GOBJECT_LIB_NAME = libgobject-2.0.so
ATK_LIB_NAME = libatk-1.0.so
PANGO_LIB_NAME = libpango-1.0.so
PIXBUF_LIB_NAME = libgdk_pixbuf_xlib-2.0.so
GLADE_LIB_NAME = libglade-2.0.so
#
# XForms backend:
# FORMS_LIB_NAME = libforms.so
# FLIMAGE_LIB_NAME = libflimage.so
# FORMSGL_LIB_NAME = libformsGL.so
#
# Optionally, define a signalnumber to send to the client
# program when the GTK-server exits. See also 'man 7 signal'.
# Examples: SIGQUIT (3) SIGKILL (9) SIGUSR1 (10)
#	    SIGPIPE (13) SIGTERM (15)
#
# EXIT_SIGNAL = 10
#
# Directory where to put the logfile if logging is enabled.
LOG_FILE = /tmp
#
#---------------------------------------------------------------------------
#
# Windows
#
# GTK1 backend:
# GTK_LIB_NAME = libgtk-0.dll
# GDK_LIB_NAME = libgdk-0.dll
# GLIB_LIB_NAME = libglib-2.0-0.dll
# GLADE_LIB_NAME = libglade.dll
#
# GTK2 backend:
# GTK_LIB_NAME = libgtk-win32-2.0-0.dll
# GDK_LIB_NAME = libgdk-win32-2.0-0.dll
# GLIB_LIB_NAME = libglib-2.0-0.dll
# GOBJECT_LIB_NAME = libgobject-2.0-0.dll
# ATK_LIB_NAME = libatk-1.0-0.dll
# PANGO_LIB_NAME = libpango-1.0-0.dll
# PIXBUF_LIB_NAME = libgdk_pixbuf-2.0-0.dll
# GLADE_LIB_NAME = libglade-2.0-0.dll

Error Check 6: Bot Information
bot_prefix [BOT]
bot_suffix "^7[^1Dave^7]"
fraglimit_override 30
g_antilag 1
g_fullbrightplayers 1 // 1 to make players fullbright
g_maplist_votable 8
g_maplist_votable_suggestions 2
g_maplist_votable_timeout 20
net_messagetimeout 30
skill 10
sv_adminnick "DCC's Delight"
sv_curl_defaulturl "http://delight.vapor.com/maps/"
sv_eventlog 1
sv_maxrate 20000
sv_motd "\nWelcome to DCC's Delight!\n\nIf you have questions about this server visit
http://delight.vapor.com or mail to .\nPlease note that this server
keeps extensive match stats for public viewing and that your chat and other events on this
server are piped to a public IRC channel.\n\nHappy fragging!"
sv_public 0

sv_vote_commands "chmap fraglimit g_grappling_hook g_powerup_strength restart g_grappling_hook
sv_defaultplayer_fbskin_green sv_defaultplayer_fbskin_red sv_defaultplayer_fbskin_orange sv_defaultplayer_fbskin_off kick timelimit"

sv_vote_master 1
sv_vote_simple_majority 1
sys_ticrate 0.03125
timelimit_maxovertime 0
timelimit_override 15
timestamps 1

sv_vote_change_gametype 1
g_maplist_votable_suggestions_change_gametype 1

Error Check 7: Dedicated Server Checks
set r_smp 1
set dedicated "2" // dedicated server for internet
set sv_fps "20" // normal is 20; 30 seems to help animations bug

//2 = Single Map Objective
//3 = Stopwatch
//4 = Campaign (default)
//5 = Last Man Standing (one life to live)
set g_gametype "4"

//RAM Settings
set com_zoneMegs "64"
set com_soundmegs "32"
set com_hunkmegs "512" // Special thanks to DG
set server_autoconfig "0"

// PASSWORDS & CLIENTS

set sv_maxclients "36" // number of players including private slots
set sv_privateclients "10" // number of reserved slots
set password "" // pass required to connect if g_needpass is 1.
set g_needpass "0" // set to 1 to require password to join.
set sv_privatepassword "xxx" // crew severing machine gun is for severing your crew's heads
set rconpassword "xxx"
set refereePassword "xxx"


// MASTER SERVERS TO REPORT TO

set sv_master1 "etmaster.idsoftware.com"
//set sv_master2 "master.gamespy.com:27900"
//set sv_master3 "master0.gamespy.com"
//set sv_master4 "clanservers.net"


// SETS/PUBLIC INFO

sets g_needpass "0" // tell's ASE etc the server is passworded
sets sv_pure "1"
sets .IRC "" // your IRC channel + server here
sets .URL "" // your website here
sets .Host "" // host website here
sets "URL" "" // your website here


// DL, RATE

//set sv_maxRate "13000" // 10000 standard but poor for ET
set sv_maxRate "25000"
set sv_dl_maxRate "52000" // increase/decerease if you have plenty/little spare bandwidth
set sv_wwwDownload "1" // to 1 if you set the two below
set sv_wwwBaseURL "http://your.website.com" // GUESS: e.g. ftp://ftp.yoursite.com
set sv_wwwCheckPath "" // GUESS: e.g. downloads/et_test/files/
set sv_wwwDlDisconnected "1"

// MOTD ETC

set sv_hostname "your server name" // name of server here
set g_motd "your motd" // join message here

So, based on this pattern of finding vulnerable backup files on the web server, a tester or an attacker can leverage a bundle of information.
A configuration file from Defcon-x:
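The exposure described above starts on the server's own filesystem: a live `server.cfg`, an editor's `~` copy or a `.bak` left next to it inside the document root, readable by the web server account. The following Python audit is an added example, not part of the original advisory: it walks a directory tree, lists files whose names match configuration/backup patterns, and records whether each is world-readable. The suffix list and the constructed sample web root are assumptions made for the example.

```python
"""Audit a web document root for configuration and backup files that a game
server's web front end should never serve.

Added example, not from the original advisory. It walks a directory tree,
reports files whose names match the configuration/backup patterns seen on
the page (.cfg, .bak, .old, .orig, editor ~ copies) and notes which of them
are world-readable, which is what lets a web server process hand them out.
"""
import os
import re
import stat
import tempfile

# Assumption: these suffixes mark files that hold secrets or are copies of
# such files; extend the list for your own deployment.
EXPOSED_NAME = re.compile(r"(\.cfg|\.bak|\.old|\.orig|\.swp|~)$", re.IGNORECASE)


def is_world_readable(path):
    """True if the 'other' read bit is set, i.e. any local account
    (including the web server's) can read the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def find_exposed_files(root):
    """Return a sorted list of (relative_path, world_readable) tuples for every
    file under root whose name matches EXPOSED_NAME. Paths use '/' so the
    result is the same on every platform."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if not EXPOSED_NAME.search(name):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            findings.append((rel, is_world_readable(full)))
    return sorted(findings)


def build_sample_webroot():
    """Create a constructed document root in a temporary directory and return
    its path. Modes are set explicitly so the result does not depend on umask."""
    root = tempfile.mkdtemp(prefix="webroot-")
    layout = {
        "index.html": 0o644,              # ordinary content, not matched
        "cstrike/server.cfg": 0o644,      # live config, world-readable: exposed
        "cstrike/server.cfg.bak": 0o600,  # backup copy, owner-only: name is still a risk
        "cstrike/mapcycle.txt": 0o644,    # not matched
        "etmain/etmain.cfg~": 0o644,      # editor backup, world-readable
    }
    for rel, mode in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("// constructed sample content\n")
        os.chmod(full, mode)
    return root


if __name__ == "__main__":
    sample_root = build_sample_webroot()
    for rel_path, readable in find_exposed_files(sample_root):
        state = "WORLD-READABLE" if readable else "owner-only"
        print(f"{rel_path}: {state}")
```

Anything the audit lists should either be moved outside the document root or be covered by an explicit deny rule in the web server; the owner-only `.bak` is reported too because file modes change silently during copies and deployments, and the name alone is what an outside party would try.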

// *NOTE* any line that starts with "//" is ignored by quake.
// changed:
//	    10.03.02 by defcon-x/defcon-x@ns-co.net
//          11.03.02 by defcon-x/defcon-x@ns-co.net - setted sv_floodprotect 0 as default value.
//	    08.05.02 by defcon-x/defcon-x@ns-co.net - added new beta 1.1 cvars
//          19.05.02 by defcon-x/defcon-x@ns-co.net - added new beta 1.1 cvars
//	    29.06.02 by defcon-x/defcon-x@ns-co.net - added new beta 1.2 cvars
//						      removed cvar mapcycle
//						      added new ns-co master server
//	    29.07.02 by defcon-x/defcon-x@ns-co.net - updated server.cfg for b1.3
//	    29.08.02 by defcon-x/defcon-x@ns-co.net - updated server.cfg for b1.45

//
// please see the cvars.txt
//

//*** Administrator Info ***
sets Admin "Gentoo Admin"
sets Email "UnnamedAdmin@NoEmail"

//*** Server Name and Daily Message ***
set sv_hostname "Navy Seals : Covert Operations [BETA 1.45] powered by Gentoo Linux"
set g_motd "www.ns-co.net, www.gentoo.org"

//*** Game Settings ***
set sv_maxclients "18"
// set g_maxGameClients ""
set sv_privateClients "0"
set g_gametype "3"
set roundtime "4"
set teampointlimit "15"

// do not remove the following line, or set the cvar to 1
set sv_floodprotect "0" // this should be set to "0" by default.
// it's important for a proper XP usage

set g_noPrimary "0" // prevent the usage of primarys
set g_noSecondary "0" // * secondarys
set g_noGrenades "0" // and grenades
set g_allowMapVote "1" // allow the voting of maps
set g_allowKickVote "1" // allow the kick voting of players

// 1 enables friendly fire
set g_friendlyFire "1"

// memory management
// only use these settings if you want the best memory usage
// on dedicated servers.
seta com_soundMegs "0"
seta com_zoneMegs "8"
seta com_hunkMegs "38"

set g_basexp "15"
set g_inventoryupdatetime "5"
set g_maxteamkill "3"		// 3 teamkills until a player gets kicked for TK
set g_TeamKillRemoveTime "300" // remove one teamkill after not killing for 5 minutes
set g_overridegoals "0"
//*** Less Packets ***
// set g_silentbullets "1"  // bullets are not SENT to the clients
// set g_reallead "1" // real bullets instead of instat-hit ray-test weapons
set g_teamlockcamera "0" // lock chasecamera so players can only spectate their teammates - for clangames very useful
set g_minplayers "1" // starts the round as soon as X players are in each team - for clangames very useful

//*** Passwords ***
// set rconpassword "-----"
// set sv_privatePassword "-----"
// set g_password "-----"

//*** Bot Setup ***
set bot_enable "0"
set bot_minplayers "0"
set bot_maxplayers "0"

//*** Server Settings ***
set sv_pure "1"
set g_allowvote "1"
set sv_allowdownload "0"
set gamename "seals"
set sv_maxRate "15000"
set g_log "seals.log"

set g_inactivity "90"    // kick after 90 seconds of inactivity on server
set g_firstcountdown "30" // the first round has a countdown of 30 seconds

//*** Master Servers ***
set sv_master1 "ns-co.org"			// primary ns-co master
set sv_master2 "master1.idsoftware.com"
set sv_master3 "master2.idsoftware.com"
set sv_master4 "master3.idsoftware.com"
set sv_master5 "master4.idsoftware.com"


//*** Mapcycle ***
set g_mapcycle "configs/mapcycle.cfg" // leave this as default

//execute a map in the cycle
map ns_ghetto