Suicidal X

 Server exploit

Teddy




Posts : 301
Join date : 2010-02-08

Post subject: Server exploit (Fri Apr 02, 2010 9:01 pm)

written by Isias | 488 Views | 0 Replies
Mani admin forums

Based on a more and more widely spread, not yet fully fixed SRCDS exploit, it is possible to upload files to game servers, allowing a person to change the rcon password (by uploading a new server.cfg) or add themselves to all plug-ins that use a .txt / .cfg file for admin authentication (for example by uploading a new adminlist.txt / clients.txt for Mani Admin Plug-in, a new admins_simple.ini / admins.cfg for SourceMod or a new autoexec.cfg for Eventscripts eXtensible Admin etc.). This exploit is not based on any plug-in installed on your game server. This exploit is based on the SRCDS itself.

Valve is aware that there is a file upload exploit and has already fixed it partly for TF2 and has already fixed another, even older upload exploit. But as yet, this exploit is still possible.

To prevent this, it is advised to set sv_allowupload 0 in your server.cfg, disallowing uploads completely.

This will break some in-game spray functionality, since sprays can't be uploaded to the server anymore. Still, it is highly advised to set this CVar to 0 to prevent your server from being exploited by file uploads. Also, set your server to sv_cheats 0 to prevent a very common exploit allowing a person to gain rcon access. It is also advised to set sv_allow_wait_command 0 to prevent a script from causing lag by making extensive use of the built-in "wait" command to lag the server.

Also, make sure you update all the plugins you're using on the server to the latest build. If you want some extra protection it is advised to set the rcon password in the start-up command line instead of specifying it in the server.cfg. That way it can't be changed. If you're running a root server, it is highly advised to restrict the user running SRCDS to only being able to write in his home directory.
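
An added example, not part of the original post or of any SRCDS tooling: a shell check that reads a server.cfg and reports where it departs from the settings advised above. The function names and the sample config contents are constructed for illustration, and the parser assumes one command per line.

```bash
#!/usr/bin/env bash
# Added example: audit a server.cfg against the settings advised in the post.
# Assumes one command per line; the sample files below are constructed.

# Print the effective (last-set) value of a cvar, or nothing if it is never set.
cvar_value() {  # usage: cvar_value <cfg> <cvar>
  awk -v want="$2" '
    { sub(/\/\/.*/, "") }                      # drop // comments
    tolower($1) == want { v = $2; gsub(/"/, "", v); last = v }
    END { if (last != "") print last }
  ' "$1"
}

# Print one line per finding; return 1 if anything was found.
audit_cfg() {  # usage: audit_cfg <cfg>
  local cfg="$1" cvar val rc=0
  for cvar in sv_allowupload sv_cheats sv_allow_wait_command; do
    val="$(cvar_value "$cfg" "$cvar")"
    if [ "$val" != "0" ]; then
      echo "FAIL $cvar is '${val:-unset}'; the post advises an explicit 0"
      rc=1
    fi
  done
  if [ -n "$(cvar_value "$cfg" rcon_password)" ]; then
    echo "WARN rcon_password is set in the cfg, so an overwritten cfg changes it"
    rc=1
  fi
  return "$rc"
}

# Constructed sample configs.
demo_dir="$(mktemp -d)"
cat > "$demo_dir/weak.cfg" <<'EOF'
hostname "example server"
rcon_password "changeme"   // constructed value
sv_allowupload 0
sv_allowupload 1           // later line wins
sv_cheats 0
EOF
cat > "$demo_dir/hardened.cfg" <<'EOF'
hostname "example server"
sv_allowupload 0
sv_cheats "0"
sv_allow_wait_command 0
EOF

for f in weak hardened; do
  echo "== $f.cfg"; audit_cfg "$demo_dir/$f.cfg" || true
done
```

Running the check on a schedule and alerting on any new finding also helps spot a server.cfg that has been replaced since the last run.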