Possible bug allowing attacker to execute rcon commands

Hi Teelevision,

we're sry for that, it was just a test, but it worked -.-

it's not a bug and it will be fixed in 0.7.

Newer skype versions forbid direct connection by default you can enable them in settings.

But back to topic:
Our test was based on IP-Spoofing and we needed to check some stuff.

So, we got either your IP or of the other admin, we don't know exactly, and sent an rcon-cmd packet under the IP.
(wikipedia->IP-Spoofing)

So the server received the rcon cmd packet and as the packet had your ip and you were logged in as admin it executed the command.

Further we've chosen your server due to the (admin online) in server name, so it was neither revenge nor sth else.

i'm again sorry for that.

ps. don't worry we haven't touched the passwords, not took a look on them, nor were we looged in at any time into the rcon console

Greetings Pikotee

HI deen,

yes i saw that fix on your page.

but don't worry we'll find a way to circumvent your fix, so your life won't get boring

greetings Piko

HMAC comes to mind.

[CLIENT] --> CMD 'KICK 1' --> [SERVER] --> LAST_CMD 1234 --> [CLIENT] --> LAST_CMD 1234 'KICK 1' --> [SERVER] if (1234-client == 1234-server && CMD-client == CMD-server) { KICK 1 }

:\

perhaps best use long time or something like that... for not predictable token... if not the attaker can spam the LAST_CMD with the predictable token and validate the command.

For very lagged connection and run scripts can made a poll of tokens->cmd or someting like that :\

You're so evil.

But we can't use it since we would lose compatibility to other clients.

It would have been a good idea to tell me on the server, wouldn't it?

Because this does not look like someone who is just testing:

[53ee4656][server]: ClientID=0 rcon='broadcast Hacked by iX::Pikotee & solala.''

[53ee4731][server]: ClientID=2 rcon='broadcast Hi Teelevision'
[53ee4731][server]: ClientID=0 rcon='broadcast Hi Teelevision'

[53ee475b][server]: ClientID=2 rcon='say Le me mag Tomaten..'
[53ee475b][chat]: *** Le me mag Tomaten..
[53ee475b][server]: ClientID=0 rcon='say Le me mag Tomaten..'
[53ee475b][chat]: *** Le me mag Tomaten..

[53ee4816][server]: ClientID=2 rcon='broadcast Server got hacked, yaaay'
[53ee4816][server]: ClientID=0 rcon='broadcast Server got hacked, yaaay'

[53ee486d][server]: ClientID=2 rcon='kick 2'
[53ee486d][server]: you can't kick yourself
[53ee486d][server]: ClientID=0 rcon='kick 2'
[53ee486d][server]: client dropped. cid=2 addr=#removed# reason='Kicked by console'

So, I made a workaround for my servers. This workaround makes administration a bit more annoying, but it's an easy solution for a serious problem: https://github.com/Teelevision/zcatch/c … a94dc359b3
It just requires to enter the rcon at the beginning of each line. You can still send manipulated packages, the server still accepts them, but without rcon you can't execute anything. It would also be possible to write a client mod accordingly.
This seems to be the only solution that is compatible to all clients, does not require extern software and is not some security by obscurity rubbish.

Yes, quite interesting to watch your players all get kicked because Pikotee gave the exploit to others who happen to dislike some servers.

Praise God Pikotee

Telling you how this works makes your life more boring, so:

"New security feature in DDNet Client 4.7.4 opens a new network connection" (taken from ddnet.tw)

or SendServerInfo(...)

or think of what the Masterserver sends on request

All clients request server info from all the servers in the master server's list. Randomizing the port when connecting should mitigate the attack a little (not completely though).