Create an account


Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Security issues in rcon protocol

#1
Brick 
In game rcon protocol suffer from many issues. First hmac-md4 is not secure algorithm to signing rcon commands. In case someone intercepts message with hmac-md4, either rcon command with time or challenge, he (or she) can make fast offline brute force on MAC. Even if make brute force on CPU on not very strong machine it possible to check 5-6 million of hmac-md4 hashes, on GPU this numbers will be at least 10 time bigger. But this post not about that.

While rcon provides basic authentication for commands being sent to server it is not providing any authentication methods for message that passes from server. When attacker can guess unique connection 4-tuple, he can spoof server messages. This attack involves ability of spoofing source ip, which is not rare in Internet and local networks.
He can just send message where source ip and port are same as game server ip and port to rcon client, in that case client will think that this message is passed from server.

To demonstrate that this is not empty chatter, I'm gonna demonstrate it on irc bot. Maybe many of you know #theregulars channel on quakenet and '"I-" bot there. During demo I force bot to send couple messages to chat without connecting to game server. I believe there are nothing evil in that couple messages printed to irc chat. At least I could send them by connecting to game sever

First to make this attack I should guess connection params — source ip, source port, destination ip and port. Source ip and port we already know since it is ip and port of game server. To guess remote ip we can just do irc whois query of bot in case ip is not masked. There are other techniques but I not show they here since this is just "demo". So we should really guess only destination port. There are 65535 ports and it is possible to check them all with very slow internet in an hour or two. With faster and more reliable connection — 11-12 minutes. Moreover, there are no need to check them all since client opens port in ephemeral port range. On linux ("I-" bot works on linux), ephemeral port range defined by "net.ipv4.ip_local_port_range" sysctl param and by default is from 32768 to 61000. This is only 28233 ports (61000 - 32768 + 1), and it possible to do much quicker.

So, how do we check port and how do we know that we guessed it. We can send message with some port representation in body, in that case we will see port in chat. When we guess port, we can easily send messages to irc bot and bot will interpret them as messages sent by server.

So as you see using rcon over network isn't secure. In case you are running irc bot on same host with game, your are safe. But, if you are making rcon commands over network, you better use vpn or IPsec to prevent this attack.
It also possible to increase ephemeral port range, but this will only little bit increase time required to guess port.


Attached Files
.png   attack.png (Size: 27.33 KB / Downloads: 108)
Reply

#2
Sad 
(03-09-2019, 05:22 PM)69Wow Wrote: Security issues nowadays are important. It's pretty hard to provide your device with high quality cyber protection. One of the better ways is installing VPN. I use vpn for mac and I experience almost no problems with surfing the web.

I use Opera and its build in VPN. It's completely free and safe. As Opera's source is closed and propriety I know it can't be hacked by GPL hackers. Also Opera is owned by a Chinese company which means all our surfing goes through their firewall.

Long live Opera and our new Chinese overlords.
Reply

#3
(03-10-2019, 05:30 AM)Spaceman Wrote: I use Opera and its build in VPN. It's completely free and safe. As Opera's source is closed and propriety I know it can't be hacked by GPL hackers. Also Opera is owned by a Chinese company which means all our surfing goes through their firewall.

Long live Opera and our new Chinese overlords.

Why didn't you just press the report button? Well, at least now I did.
?️‍? <- that should be a rainbow flag emoji.
Reply



Possibly Related Threads...
Thread Author Replies Views Last Post
  Rcon client Sl@va 1 1,694 05-26-2015, 04:25 PM
Last Post: -z-
  NetRadiant issues Garux 7 5,232 02-18-2015, 04:48 AM
Last Post: Garux
  q3map2 issues/development vulture 18 17,397 03-04-2014, 11:31 AM
Last Post: Garux
  Linux performance issues in Xonotic 0.6? Sarge999 3 3,733 04-04-2012, 09:43 PM
Last Post: edh
  Hello and OSX build issues... lectroidmarc 6 5,672 04-12-2010, 09:35 AM
Last Post: DiaboliK

Forum Jump:


Users browsing this thread:
1 Guest(s)

Forum software by © MyBB original theme © iAndrew 2016, remixed by -z-