Guest Nemessis

[RST] Counter-Strike Crosszone vulnerability

Counter-Strike CrossZone + XSS in webmod + Cookie problem

Discovered by Nemessis - http://rstcenter.com

Public disclosure: - 15 October 2007

In this video tutorial you can see how evil code in the MOTD can run or read files located on your computer. This PoC is far from being the best, but it is good for opening your mind. The XSS and rcon password problems are very easy to understand, and they are possible only if webmod is present on that server.

NOTE: To have results you must modify the SERVER MOTD file not the client MOTD.

Chapter 1

CrossZone using Counter Strike MOTD

As most of you already know, the Counter-Strike 1.6 MOTD can be an HTML page. You can see an iframe to a website, you can click on some links, you can see an image, all of this directly in your Counter-Strike client. But what is the real problem? The problems are:

- if you use an iframe to a local file you have the chance to execute the file

- if you use an iframe to a local text file you can read content of that file in the MOTD window

I tried to execute a shellcode but javascript is not allowed in this case and all the shellcodes I know are based on javascript. If anyone can make a better proof of concept I’ll be glad to see the results.

Unfortunately I didn’t succeed in executing .exe files without user intervention.

Watch the video tutorial for a better understanding.

Chapter 2

XSS in webmod

It is strange that we can find this vulnerability in the web application of a game like Counter-Strike. Where are the XSS vulnerabilities located?

1. Url: http://host.com:27015/auth.w?redir="><script>alert(document.cookie)</script>

2. In-game name: just use a name like “><script>alert(/XSS/)</script>”. When someone is viewing the webmod page, an alert with the /XSS/ message will pop up. Lame coding? Yes! This can be very annoying and dangerous if someone can find a way to use his name for cookie stealing. The best part is coming in the next chapter.

Chapter 3

Cookie problem

Well this is actually very simple. The cookie contains rcon password in plain-text.

Chapter 4

Worst case scenario

Let's say that someone finds a way to download and execute files using the MOTD bug, let's say that someone will use his name as a cookie stealer, and let's say that he will succeed in stealing the cookie from the server admin and finding the rcon password. This access can help him log in to the webmod page and change the server MOTD content with his evil code. This can be very simple and a good way to inject malicious software onto the players' computers.

For a better understanding of what I'm saying just watch the video tutorial.

Nemessis | RstZone 2007

Video download link:


Password: rstzone


I'd like you to tell me how the sound comes through, because it seems I have some problems with the audio codecs and it sounds rather like it is coming from a drain.

Link to comment
Share on other sites
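The three webmod issues in the post above (the reflected `redir` parameter, the in-game name rendered unescaped, and the rcon password kept in the cookie) each have a standard server-side countermeasure. The following Python is an added example, not part of the original post and not WebMod's own code; the function names, the `/index.w` default page and the in-memory session store are assumptions.

```python
import hmac
import html
import secrets
from urllib.parse import urlsplit

# Hypothetical session store: opaque token -> admin name (assumption).
SESSIONS = {}

def render_player_row(name):
    """HTML-encode an in-game name before it reaches the admin page."""
    return "<td>" + html.escape(name, quote=True) + "</td>"

def safe_redirect(redir, default="/index.w"):
    """Accept only a same-site absolute path for the redir parameter."""
    try:
        parts = urlsplit(redir)
    except ValueError:
        return default
    if parts.scheme or parts.netloc:
        return default                      # absolute or protocol-relative URL
    if not redir.startswith("/") or redir.startswith("//"):
        return default
    if any(c in redir for c in "\"'<>\\\r\n"):
        return default                      # markup or header-splitting characters
    return redir

def login(admin, supplied_password, rcon_password):
    """Check the password once, then hand out a random token, never the secret."""
    if not hmac.compare_digest(supplied_password.encode(), rcon_password.encode()):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = admin
    # HttpOnly keeps page scripts (including injected ones) from reading it.
    return "Set-Cookie: session=" + token + "; HttpOnly; SameSite=Strict; Path=/"

if __name__ == "__main__":
    # Constructed inputs taken from the two payload shapes quoted in the post.
    print(render_player_row('"><script>alert(/XSS/)</script>'))
    print(safe_redirect('"><script>alert(document.cookie)</script>'))
    print(login("admin", "constructed-rcon-pw", "constructed-rcon-pw"))
```

With the secret out of the cookie, a stolen cookie exposes only a revocable token rather than the rcon password itself.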

tscc; if you had searched the net you would have seen that it is a codec provided by Camtasia.

TechSmith Screen Capture Codec.

There are many ways you can watch the video.

I use a single player for all videos and for all formats.

It has subtitle support, can play via streaming, can re-encode, can rip streams, and has codecs included.

I present to you: KMPlayer

(it has nothing to do with the Linux player MPlayer)

Link to comment
Share on other sites

I know the topic is rather old... I also tried it as in the video and I have a problem...

1. On my personal computer... it would not open comsetup.log, and when I clicked open on calc it gave me a certificate error... I managed to get rid of that one and calc does open in the end... but it still won't open comsetup.log.

2. On another PC... nothing happens... CS just closes and that's it.

I don't really deal with cookies and such, but I was curious anyway. If an answer is possible... thank you.

Link to comment
Share on other sites

From my limited knowledge, there isn't really a way to crack the rcon, except probably with a brute-forcer made specifically for this; another solution would be a keylogger on the computer of one of the admins who have rcon, or a sniffer/trojan on the server (with the trojan you can find out the rcon and more, because you can move around that server). Now, creating a trojan that is not detected by antivirus products is entirely up to you; I don't think anyone here will help you with something like that, and installing the trojan on that server is even more complicated, but there are possibilities there too :P

Link to comment
Share on other sites

Thank you very much for the answer. The problem is as follows:

I hold Owner on that server, but I want to find out the rcon password, because someone keeps stressing me out :) You know... we can't crap on a man's fun.

I kept reading that there are all kinds of possibilities through XSS, and that's why I turned to you.

Link to comment
Share on other sites
