RCON cd allows full browsing #6193

Open
DorpsGek opened this issue Dec 27, 2014 · 10 comments
Labels
bug flyspray security

Comments

@DorpsGek DorpsGek commented Dec 27, 2014

Sp1k3 opened the ticket and wrote:

Hi,

When we were looking around with rcon on the ottdc stable server we started noticing that it was possible to browse the complete filesystem using rcon. Which is something that allows "fellow" players to explore the server's filesystem and get information which could be enough to find weakness in a system (for example).

Possible solution would be to limit RCON with a sort of chroot kinda variable which defaults to the path OTTD is in but paths can be added in the config. This allows users (and distro maintainers) to add paths where needed while still keeping rcon contained. And should a user (on *NIX systems for example) want to add / it's a risk they want to take.

Just my 2 cents in this case. For more info/ideas poke me or pm cause had discussion already :)

Reported version: trunk
Operating system: All


This issue was imported from FlySpray: https://bugs.openttd.org/task/6193

@DorpsGek DorpsGek commented Dec 27, 2014

The_Dude wrote:

Shouldn't it be enough to limit the user folder access under which the openttd is running?


This comment was imported from FlySpray: https://bugs.openttd.org/task/6193#comment13664

@DorpsGek DorpsGek commented Dec 27, 2014

Sp1k3 wrote:

If OTTD comes from a distro it might have different (perhaps even separated) folders


This comment was imported from FlySpray: https://bugs.openttd.org/task/6193#comment13665

@DorpsGek DorpsGek commented Dec 28, 2014

Hazzard wrote:

Since the `!rcon cd` command only seems able to move one (relative) folder at a time, it could be enough to blacklist a single folder. (Might have to worry about symlinks, not sure how openttd handles them). It wouldn't be too difficult to go all the way to just check if the user is entering a subfolder.

Some openttd.cfg setting like `rcon_root` or maybe `rcon_scope` (disabled/unused by default) would be a good way to configure it.

Side note, hypothetically you could do this by placing the openttd run location in an unreadable (by openttd) folder, but when I tried it it was "unabled to get back to working directory" or something similar, since it seemed to be using some absolute paths.


This comment was imported from FlySpray: https://bugs.openttd.org/task/6193#comment13666
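
The "check if the user is entering a subfolder" idea from the comment above, as an added example that is not part of the original thread and not OpenTTD code: the requested directory is resolved with POSIX `realpath()` so that symlinks and `..` are followed before it is compared with the root. `rcon_root` is the setting name proposed in the comment; `Canonical`, `CdAllowed` and `MakeDemoTree` are hypothetical names, and the directory tree is constructed sample data.

```cpp
// Added example, not OpenTTD code. Assumes POSIX (realpath, symlink).
#include <climits>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// Resolve symlinks, "." and ".." to an absolute path; false if unresolvable.
static bool Canonical(const std::string &path, std::string &out)
{
    char buf[PATH_MAX];
    if (realpath(path.c_str(), buf) == nullptr) return false;
    out = buf;
    return true;
}

// True if `cd requested` issued from `cwd` ends up inside `rcon_root`.
// `rcon_root` is the hypothetical setting name suggested in the thread.
bool CdAllowed(const std::string &rcon_root, const std::string &cwd, const std::string &requested)
{
    std::string root, target;
    if (!Canonical(rcon_root, root)) return false;
    bool absolute = !requested.empty() && requested[0] == '/';
    if (!Canonical(absolute ? requested : cwd + "/" + requested, target)) return false;
    if (root == "/" || target == root) return true; // "/" means the operator opted in
    // Match on a component boundary so "<root>-old" is not taken for a child.
    return target.compare(0, root.size() + 1, root + "/") == 0;
}

// Constructed sample tree: game/save, game-old, outside, game/escape -> outside.
std::string MakeDemoTree()
{
    char tmpl[] = "/tmp/rcon_demo_XXXXXX";
    if (mkdtemp(tmpl) == nullptr) return "";
    std::string b = tmpl;
    if (mkdir((b + "/game").c_str(), 0700) != 0 || mkdir((b + "/game/save").c_str(), 0700) != 0 ||
        mkdir((b + "/game-old").c_str(), 0700) != 0 || mkdir((b + "/outside").c_str(), 0700) != 0 ||
        symlink((b + "/outside").c_str(), (b + "/game/escape").c_str()) != 0) return "";
    return b;
}

int main()
{
    std::string root = MakeDemoTree() + "/game";
    const char *tries[] = {"save", "..", "escape", "../game-old", "/etc"};
    for (const char *t : tries)
        std::printf("cd %-12s -> %s\n", t, CdAllowed(root, root, t) ? "allowed" : "denied");
    return 0;
}
```

A console using such a check would then change into the canonicalized target rather than the string the client sent, so that the path that was checked is the path that is entered.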

@DorpsGek DorpsGek commented Jan 2, 2015

peter1138 wrote:

Perhaps don't give people you don't trust access to your rcon password?


This comment was imported from FlySpray: https://bugs.openttd.org/task/6193#comment13687

@DorpsGek DorpsGek commented Jan 3, 2015

Sp1k3 wrote:

That is something I agree and disagree with at the same time. Yes you should only give rcon access to ppl you trust. But SOAP? Or things that might for some reason get around rcon (unknown bug who knows). It might just be my security mindset here. But that's where I come from these days. Possible attack vectors should be covered. In ottdc's case we run each server in a separate container. But not everybody has that possibility and being able to look into a file system of a server should not be possible unless it's the paths it's supposed to be in. And not my /etc folder. Should something be discovered, /etc/passwd is just a few commands away, allowing usernames to be seen, next step bruteforce.


This comment was imported from FlySpray: https://bugs.openttd.org/task/6193#comment13691

@DorpsGek DorpsGek commented Jan 3, 2015

krinn wrote:

You don't need any names from /etc/passwd, as one name is already known: root
And many other names are known as they are common in a distro version (just browse the file and look at all the names you didn't add yourself). Or by social engineering, it wouldn't be a big surprise if your host has a Sp1k3 user ;)

If you don't trust your users, you should work on that instead of trying to hide their names.
And even without any name given, unhandled brute-force attempts allow a DoS attack.
https://en.wikipedia.org/wiki/Security_through_obscurity is a broken concept.


This comment was imported from FlySpray: https://bugs.openttd.org/task/6193#comment13694

@DorpsGek DorpsGek commented Jan 11, 2015

adf88 wrote:

It's not just about /etc/passwd. An attacker can crawl over the filesystem to find weaknesses e.g. some buggy services that are installed. Browsing out of openttd folder should be disabled by default.

Some people may not realize that their rcon password is that important. The password should give access to openttd, not to the whole system.
Also rcon authentication is far from being truly safe (AFAIK the password goes in plain text).


This comment was imported from FlySpray: https://bugs.openttd.org/task/6193#comment13703

@DorpsGek DorpsGek commented Mar 13, 2017

peter1138 wrote:

What are the ls, cd, and cwd commands used for?

What would be a sensible constraint?


This comment was imported from FlySpray: https://bugs.openttd.org/task/6193#comment14367

@DorpsGek DorpsGek added Core flyspray labels Apr 7, 2018
@TrueBrain TrueBrain commented Apr 13, 2018

Fully agree that full filesystem listing is silly. It always struck me as odd that we allow navigation like that. Of course the console was never meant to be used as an rcon, but is now anyway.

Possibly it is better to allow settings folders where savegames can be in for servers, and disallow 'cd' and friends.

@frosch123 frosch123 removed the Core label Apr 14, 2018
@andythenorth andythenorth added stale bug and removed bug labels Jan 5, 2019
@TrueBrain TrueBrain added security and removed stale labels Jan 24, 2019
@James103 James103 commented Jul 18, 2019

Would it be possible to have a permissions config file where each console command and setting has a number going from -1 to 254, where -1 or 255 = infinity, as well as a way to set the permission level of clients (those commands always have infinite permission level)? This would mean that while servers can always execute any command or setting change that they can already do, clients can't execute any command or setting change with permission level higher than their own, with an error message saying that you don't have permission to use that command.

The reasoning for this is that just the RCON password and the RCON cd folder blacklist may not be enough, as clients can still force a server to restart the game or change settings for the worse of others. Adding the permissions system will hopefully limit those malicious actions and make for a better multiplayer experience.
