aurikan

DoomServ security hole


** IMPORTANT **

Attention: Doomworld, TGO, DoomServ users everywhere

DOOMSERV SECURITY FLAW

This flaw depends on Doomserv having the ability to run programs as root
and a poor implementation of a protocol and server of Doomserv.

The technique:

Open a telnet and connect to the doomserv ip port 1010.

Open a text editor and type your desired nickname followed by `
EG: insecure`
Copy this, switch to telnet, and select Edit->Paste.
The server should send you the MOTD and roomlist/userlist,
signifying that you are successfully logged in.

Type this command in notepad and copy/paste it into telnet.

/RSKIN1$nick,| $command`/LAUNCH $nick`

Where $nick is the target nickname, and $command is the command
to execute in their dos shell.

An example, to target someone by the name of TGO to get the
shell to do a directory listing, this is the command:

/RSKIN1TGO,| dir c:\`/LAUNCH TGO`

Use your imagination to consider what kind of damage could be caused
by someone not content with just a directory listing.

In fact, more damage can be done by using <cr> to create a series of
commands to execute on the target's computer. This technique can also
be used to clear and close the box that the commands are executed in.

For example:

/RSKIN1TGO,| dir > dirlist
cls
exit`/LAUNCH TGO`

Now the file 'dirlist' in their DoomServ directory contains a listing
of their DoomServ directory, plus the evidence is cleared and possibly
the box is closed, leaving only a minor quirk as a trace of the attack.


How it works:

When the server is delivered the /RSKIN1$nick,| $command` string, it
changes it into /RSKIN1 | $command` and sends it to the target. The
target's doomserv client then records the | $command as the 'skin' that
the attacker is using. Since this command is unsolicited, the target's
doomserv silently ignores it otherwise, not notifying the user of the
receipt. Then the server is sent /LAUNCH $nick`, which transmits
/LAUNCH $ip`, where $ip is the ip of the attacker. This makes the
target's DoomServ execute zdoom -net 1 $ip ... -file | $command.

This takes advantage of the | in dos which pipes the output of
zdoom -net 1 $ip ... -file to $command. Most commands, like dir or
echo, ignore this output and execute. With <cr>s on the line,
multiple commands can be executed in sequence, like a batch file.

Therefore I suggest that users not run DoomServ until this flaw is fixed.

Andy Kempling aka aurikan
aurikan@hotmail.com
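The mechanism the post describes, modelled as an added Python example (this is not DoomServ's code): a parser for the /RSKIN1 message shape shown above, a defender-side check for shell metacharacters in the skin field, the shell-string construction the post attributes to the client next to an argv-based version that validates both fields, and the server-side gate a fixed relay would apply. The allow-list pattern, the IP check and the function names are assumptions.

```python
import re

# Message shape taken from the post: /RSKIN1<nick>,<skin> terminated by a backtick.
RSKIN_RE = re.compile(r"^/RSKIN1(?P<nick>[^,]+),(?P<skin>.*)`$", re.S)
# Allow-list for a legitimate skin name (assumption: DoomServ defines no such rule).
SKIN_ALLOWED = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")
# Characters that change the meaning of a DOS/cmd command line.
SHELL_META = '|&<>^"`\r\n'


def parse_rskin(msg: str):
    """Split an /RSKIN1 message into (nick, skin); raises on anything else."""
    m = RSKIN_RE.match(msg)
    if not m:
        raise ValueError("not an /RSKIN1 message")
    return m.group("nick"), m.group("skin")


def injection_indicators(skin: str) -> list:
    """Detection: which shell metacharacters a received skin value contains."""
    return sorted({c for c in skin if c in SHELL_META})


def vulnerable_launch_line(ip: str, skin: str) -> str:
    """Models the client behaviour the post describes: skin spliced into a shell line."""
    return f"zdoom -net 1 {ip} -file {skin}"


def hardened_launch_argv(ip: str, skin: str) -> list:
    """Validates both fields and returns an argv list to run without any shell."""
    if not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", ip):
        raise ValueError("bad ip")
    if not SKIN_ALLOWED.fullmatch(skin):
        raise ValueError("skin rejected: %r" % skin)
    return ["zdoom", "-net", "1", ip, "-file", skin]


def server_should_relay(msg: str) -> bool:
    """Server-side gate: relay an /RSKIN1 message only if the skin passes the allow-list."""
    try:
        _, skin = parse_rskin(msg)
    except ValueError:
        return False
    return SKIN_ALLOWED.fullmatch(skin) is not None


if __name__ == "__main__":
    # Constructed sample messages mirroring the post's examples.
    for msg in ("/RSKIN1TGO,marine.wad`", "/RSKIN1TGO,| dir c:\\`"):
        nick, skin = parse_rskin(msg)
        print(nick, repr(skin), injection_indicators(skin), server_should_relay(msg))
```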


Hahahaha.

Wheeeeeeee.

Dude, that's so fucked up. Hahahaha.

Poor DoomServ.

Guest TGO

I want to thank you for bringing this to my attention. I think that it was wrong for you to post it in here before I was made aware of it. But hey, that's your business.

Due to certain people wanting to ruin the fun for others, the main server for DoomServ has been taken offline permanently.

But don't go hootin' and hollerin' what a joyous day just yet.
The code has been totally re-written and is in beta for 4.0.


This is a lot like most security holes with CGI, actually. It's one of the first things that people writing servers that utilise a shell should check for.


You can be sure I won't be using such a horrendous program anymore. Thank you, you little pink fish man, for this. =]

TGO said:

I want to thank you for bringing this to my attention. I think that it was wrong for you to post it in here before I was made aware of it. But hey, that's your business.

Due to certain people wanting to ruin the fun for others, the main server for DoomServ has been taken offline permanently.

But don't go hootin' and hollerin' what a joyous day just yet.
The code has been totally re-written and is in beta for 4.0.

TGO,

I tried to send it to you and a number of people simultaneously before I posted it. However, the email address I gleaned from the doomserv2000 page must be out of date (thegr81@adweb.com?)

aur


Thanks a lot man! You spent a lot of time writing that post and ruining our fun by telling a bunch of stupid little kids how to mess with people that just want to play doom. You are worse than fiffy, you little bastard.

By the way, anyone who is mad at aurikan for this, just look at his pic on the doomworld pics page and laugh at him all day. Man, if I looked like that I would never put my picture up. I guarantee that guy is still a virgin.

hahahahahhahahahahah

From now on you're aurikan the weener guy


You should be thankful I published this before someone else figured it out and took advantage of it.

Or perhaps you would rather have someone trigger a deltree c:\windows on your box.


I don't have to worry about that, and shouldn't you be in school?

aurikan said:

You should be thankful I published this before someone else figured it out and took advantage of it.

Or perhaps you would rather have someone trigger a deltree c:\windows on your box.

How long have you been working on that? It seems kinda weird that you figured all that out right after doomserv got hacked and that hacker was using the same stuff you are talking about, you little pecker. I'm not sure if hacking is the right word.

Toke said:

I don't have to worry about that, and shouldn't you be in school?

If you must know, that picture is well over 2 years old. I now am a university student and have a summer job working for a computer company that is concerned, among other things, with the security of programs running as root on remote computers.

About the 'hackers' who have been operating on DoomServ recently:
Yes, I have logged in with telnet but I was not the first, and considering that other people can figure it out as easily as I can, how long would it have been before someone without such good intentions decided to take advantage of the service?

Obviously, expressly forbidding something will not stop people from doing it. Since people are going to be doing it, the server operators have a responsibility to make sure people legitimately accessing the service will not be damaged by it. You should just count yourself lucky that nobody will be given a chance to maliciously use this technique.


If the little kid doesn't play doom, what the hell was he doin' goin' into doomserv in the 1st place? To deliberately go to a place he has no intention of using, hack it, and tell every other little shit in the universe how to do it is the height of irresponsibility, and I suggest everyone finds where his prospective employers are and informs them what an irresponsible little shit he is.
I will make it my next 6 months' project to see what damage I, or anyone I can find, can do to Aurikan, purely for his own peace of mind, and will post details here so people can try out any of the port holes I may find.


Just because I've done something that ruins your fun - for the better, I believe - you're going to throw away the next 6 months tracking me down, smearing me? And what exactly are you trying to do damage to? As it says in my sig - I don't do doom. So go ahead and hack my old-ass nbot or chasecam or TASdoom - like it matters to me.

I take full responsibility, and stand behind my actions.

See, the point you are missing is that one cannot count a system as secure just because nobody knows how to hack it. A secure system - especially one that could have hard consequences on unsuspecting and innocent users - must not be hackable.

Publicizing the hack in this way ensures that not only the malicious hackers, which would have eventually found this information anyway, but also the unsuspecting users and the program creators are informed, and are given the necessary knowledge to fix, work around, or avoid this exploit.

Toke said:

Thanks a lot man! You spent a lot of time writing that post and ruining our fun by telling a bunch of stupid little kids how to mess with people that just want to play doom. You are worse than fiffy, you little bastard.

By the way, anyone who is mad at aurikan for this, just look at his pic on the doomworld pics page and laugh at him all day. Man, if I looked like that I would never put my picture up. I guarantee that guy is still a virgin.

hahahahahhahahahahah

From now on you're aurikan the weener guy

HAHAHAHA, up yours you silly fool, Aurikan just saved your ass by letting you know of the flaw. And here you are badmouthing him. Dammit, go play with your imps or something until it's fixed; he didn't make the flaw.


Oh Christ, Aurikan, thanks for letting us know about that. I will never go near that piece of crap doomserv again.

aurikan said:

You should be thankful I published this before someone else figured it out and took advantage of it.

Or perhaps you would rather have someone trigger a deltree c:\windows on your box.

To inform people that there is a security hole is one thing and would have been a responsible thing to do.
To tell every little hacker kid in the universe HOW to do it is spiteful, petty and pretty damn ignorant.

Toke said:

Thanks a lot man! You spent a lot of time writing that post and ruining our fun by telling a bunch of stupid little kids how to mess with people that just want to play doom. You are worse than fiffy, you little bastard.

By the way, anyone who is mad at aurikan for this, just look at his pic on the doomworld pics page and laugh at him all day. Man, if I looked like that I would never put my picture up. I guarantee that guy is still a virgin.

hahahahahhahahahahah

From now on you're aurikan the weener guy

Ohh, what a comeback. Aurikan the weener guy! Man, you should be proud to have thought that one up. Wow, I'm still laughing.

That was sarcasm for you slow people.

And why exactly is auri the asshole here? Did he use this for bad things? He made you aware of it. What if he had kept it to himself and then someone else figured it out but decided to use it? Then what? I'll tell you what, you'd have a lot of people pissed off at you and your little program over there.

Toke said:

Thanks a lot man! You spent a lot of time writing that post and ruining our fun by telling a bunch of stupid little kids how to mess with people that just want to play doom. You are worse than fiffy, you little bastard.

By the way, anyone who is mad at aurikan for this, just look at his pic on the doomworld pics page and laugh at him all day. Man, if I looked like that I would never put my picture up. I guarantee that guy is still a virgin.

hahahahahhahahahahah

From now on you're aurikan the weener guy

Yeh, u keep saying u don't do doom, so why the hell go to doomserv just to close it down? I can't play so I am gonna make sure no one else can? Sad little boy.

fodders said:

If the little kid doesn't play ...

Little Kid? Do you not know who aurikan is? He's one of the most famous people in the doom community, so don't insult someone if you don't properly know who he is.

Cyb said:

Ohh, what a comeback. Aurikan the weener guy! Man, you should be proud to have thought that one up. Wow, I'm still laughing.

That was sarcasm for you slow people.

And why exactly is auri the asshole here? Did he use this for bad things? He made you aware of it. What if he had kept it to himself and then someone else figured it out but decided to use it? Then what? I'll tell you what, you'd have a lot of people pissed off at you and your little program over there.

Yeh, weener is the bad guy. As I said, it's ok to find a security risk and publish the warning - fair enuff - but to set out exact details of how the snots could do it, and since the post doomserv was hacked by loads of aurikan's little friends, is childishly irresponsible, and I can only assume he did it out of spite, malice and aforethought; he knew he was killing doomserv when he posted his ill thought out message. A warning, then informing TGO, would have been the thing to do. If you see someone burgling a house you phone the police or the home owner; what aurican't did was to hold the window open for the felons.

Teppic said:

Little Kid? Do you not know who aurikan is? He's one of the most famous people in the doom community, so don't insult someone if you don't properly know who he is.

Why? And who rattled your cage?

fodders said:

Yeh, u keep saying u don't do doom, so why the hell go to doomserv just to close it down? I can't play so I am gonna make sure no one else can? Sad little boy.

He doesn't keep saying he doesn't do doom - it's his signature (DUH)

fodders said:

Why? And who rattled your cage?

Do I care? I believe that what aurikan has posted is a crucial piece of information for TGO to fix - if he had simply posted 'doomserv is hackable, do not use it', would people believe him? Probably not. He has highlighted an error that would no doubt have been out in the open in due course without his intervention. Besides, I bet half of the wannabe hackers reading this forum don't even know what the pipe does.

Teppic said:

He doesn't keep saying he doesn't do doom - it's his signature (DUH)

"As it says in my sig - I don't do doom." Doh.

Toke said:

Thanks a lot man! You spent a lot of time writing that post and ruining our fun by telling a bunch of stupid little kids how to mess with people that just want to play doom. You are worse than fiffy, you little bastard.

By the way, anyone who is mad at aurikan for this, just look at his pic on the doomworld pics page and laugh at him all day. Man, if I looked like that I would never put my picture up. I guarantee that guy is still a virgin.

hahahahahhahahahahah

From now on you're aurikan the weener guy

You know what? Due to the incredible level of intelligence demonstrated in your reply here, I have already filed your nickname in the slot in my head labelled 'ignore'.

fodders said:

To deliberately go to a place he has no intention of using, hack it, and tell every other little shit in the universe how to do it is the height of irresponsibility

He found the bug. He *tried* to contact TGO, but the email bounced. So he had a choice: leave lots of people using doomserv in danger, or post the bug to warn people from using it. In computer security circles, the latter is called "full disclosure" - it's a hard choice to make, but generally security professionals believe that full disclosure is the best policy. http://ntsecurity.nu/papers/disclosure/

You might not agree with his motives, but he might just have saved you from a real malicious user some day. You're flaming like it's clear cut, but it's not.

Teppic said:

You know what? Due to the incredible level of intelligence demonstrated in your reply here, I have already filed your nickname in the slot in my head labelled 'ignore'.

Along with most of what you were told in school, I assume :)

cph said:

He found the bug. He *tried* to contact TGO, but the email bounced. So he had a choice: leave lots of people using doomserv in danger, or post the bug to warn people from using it. In computer security circles, the latter is called "full disclosure" - it's a hard choice to make, but generally security professionals believe that full disclosure is the best policy. http://ntsecurity.nu/papers/disclosure/

You might not agree with his motives, but he might just have saved you from a real malicious user some day. You're flaming like it's clear cut, but it's not.

He tried to contact TGO? He does say that, doesn't he? TGO's email addr is on the doomserv2000.com page, his icq# is well publicised, and he had to do this so fast he just couldn't take a sec to try to get in touch? Yeh sure, he was so full of his little discovery he had to let the world know. I don't decry that he had to let it be known; I just don't trust the motives of telling HOW to do it. Sure, some may know or discover it eventually, but he told how to do it so even the thickest little snot around could just cut n paste his method with no pre-learned knowledge.
As I say, he just couldn't wait to kill the one place people were having good games of doom and a place to meet and discuss wad ideas.
