Re: [VSA0304] Half-Life Client remote hole via Adminmod plugin

Dear VOID.AT Security,

This bug is not related to adminmod, but is rather the bug in Half Life
itself. At least absolutely same problem is in amx plugin. amx_psay
%s%s%s%s causes same trouble.

So this is a bug in HalfLife client and may be exploited by malicious
server operator (including remote one with permissions to execute any
csay/psay command, rcon access is not actually required, it's possible
to bind malicious amx_psay command to some key). Since Half Life
protocol is not secure it's very likely this bug potentially may be
exploited by any remote attacker while client is playing.

–Friday, January 10, 2003, 8:49:35 PM, you wrote to [email protected]:

VAS> Note, the attacker needs to know the rcon-password.
VAS> However, it is easy to sniff since it is being transmitted
VAS> in plaintext.

<skipped>

VAS> blackboxed the admin_ssay and admin_psay commands.

–
~/ZARAZA
Если даже вы получите какое-нибудь письмо, вы все равно не сумеете его прочитать. (Твен)