Re: CounterStrike (HalfLife?) Server possible DoS attack.

["Stanley G. Bubrouski" <stan () ccs neu edu>]

The 'nextmap' chat command is an Admin-Mod command
and not a built-in Counter-Strike or Half-life command.
Furthermore, if an anti-flood plugin is installed, such
as the one that comes with Admin-Mod it must be the
first plugin listed in Admin-Mod's plugins.ini or else
the other plugins will interpret what is sent first
rendering the anti-flood plugin useless.

There was a bug in Half-Life Dedicated Server (HLDS)
which would cause the service to crash if certain
commands were flooded to the server.  This bug was
fixed in HLDS 3.1.1.0b and 4.1.1.0b beta builds of
HLDS available at files.valve-erc.com (password
required, you can find it in hlds hlds_linux
mailling list archives.)  This beta update came out
May 11, 2002 so its been out there a long time and
most servers are using it.

So for clarification:
1) This issue is not new, it has been discussed on
the HLDS and HLDS_LINUX ML.
2) A patch has been available since early May.
3) Even without the patch, if a proper anti-flood
plugin is installed correctly its not an issue.
4) There have been exploit scripts available for
these bugs (including this one) for over a year.
5) The reporter of this bug ought to be banned
from HL for using scripts for the purpose of
causing denial-of-service attacks (he most likely
learned of the attack from the many websites that
describe or from cheat software that have such
exploits built-in.


-Stan Bubrouski


On Thu, 28 Nov 2002, hellNbak wrote:

> Dude don't mess with my fraggin counterstrike.  :-)
>
> Tested on latest version with all patches and it doesn't work.  But if I
> remember correctly the patch was on the server side so mileage may vary.
>
> On Thu, 28 Nov 2002, Patrick Webster wrote:
>
> > Date: Thu, 28 Nov 2002 11:12:24 +1100
> > From: Patrick Webster <webster_p () DeMorgan com au>
> > To: "SF-Vuln-Dev (E-mail)" <vuln-dev () securityfocus com>
> > Subject: CounterStrike (HalfLife?) Server possible DoS attack.
> >
> > Hi Guys,
> >
> > Could someone who actually has CounterStrike on their PC look into this for
> > me and see if it still exists?
> > Last I remember, it was possible to crash a CS server and thus disconnect
> > all users by requesting "say nextmap" multiple times.
> > To reproduce this attack, you simply bind any key to ask the server to
> > display the next map - I recall it as 'say nextmap'.
> > So, for example;
> >
> > F6 = 'say nextmap; say nextmap; say nextmap; say nextmap; say nextmap; say
> > nextmap; say nextmap; say nextmap; say nextmap; say nextmap; say nextmap'
> >
> > Connect to a server, and rapidly press F6 until you are disconnected. Try
> > and reconnect - the service should have crashed.
> >
> > Thanks,
> >
> > Patrick Webster,
> > Systems Administrator
> >
> > DeMorgan Information Security Services
> >
> > Freecall: 1800 DE MO RG (33 66 74)
> > Tel: +61299290377
> > Fax: +61299290917
> > Mob: +61403421390
> >
> > Address: Level 2, 41 McLaren St
> > North Sydney, NSW, 2060, Australia
> >
> > Visit us at: www.demorgan.com.au
>
> --
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
> "I don't intend to offend, I offend with my intent"
>
> hellNbak () nmrc org
> http://www.nmrc.org/~hellnbak
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-