From: SourceForge.net <no...@so...> - 2005-04-27 03:35:08
Bugs item #1190598, was opened at 2005-04-26 15:14
Message generated for change (Comment added) made by dtremenak
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=103248&aid=1190598&group_id=3248

Category: BZFlag
Group: Network problems
Status: Open
Resolution: None
Priority: 5
Submitted By: Richard Rauch (rkrolib)
Assigned to: Nobody/Anonymous (nobody)
Summary: Client password can be compromised!

Initial Comment:
I checked under "any" (open/closed/etc.) to see if there was anything like this already filed. I couldn't find such, so it may be relevant though I am not using the 2.x clients. (I'm using 1.10.6 from pkgsrc, with 2 further pkgsrc revision patches on top of that.)

While I was playing, a player informed me that he had my password. He told me the password, so he truly had it. I cannot think of any way that he could have gotten it from me, except by hacking it out of the client. (I never tell anyone the password. I never use it for anything else. There is no relation to my callsign. I had been logged in for quite some time before this player even logged in, so I doubt that he was monitoring the channel with some kind of packet-sniffer.)

Perhaps a minute before he told me my own password, my lag jumped very high on the server, so I am guessing that he stole my password by some kind of flood of my client that caused bzflag to divulge buffers, histories, or even to re-validate itself. He never disclosed how he got my password.

Since there is no record of this as an old problem that was fixed in the bugs database, I assume that it is an unknown problem and may still affect the 2.x clients.

----------------------------------------------------------------------

>Comment By: Daniel Remenak (dtremenak)
Date: 2005-04-26 20:35

Message:
Logged In: YES
user_id=553378

As discussed on IRC, commenting here for the record. The client is not ever aware of passwords used in /identify. Furthermore, remote clients never even have other clients' IP addresses unless they're admins. Also, a buffer overflow system is extremely unlikely since every differently compiled copy of bzflag will have different memory addresses; the likelihood that someone would develop a specific egg for 1.10.6-nb2 is exceedingly small...most crackers would go after a high-profile target like 1.10.8-win32 first.

The /identify local registration system is flawed in that the server always receives your password in plain text. It's written into the logs as plain text and into the bzfs passwd file as an MD5 sum. Anyone with shell or log access to the server, or who's developed a system of compromising the server, can rip off your password with minimal effort. If the person in question should not have had shell or log access you may want to ask the server owner to check for remote exploits.

The global identification system in 2.x only sends the password to the master list server, which means individual server operators never have access to it.

I've written the pkgsrc scripts for 2.0.2 and will submit them as soon as they've been confirmed to work on NetBSD. Please submit future bugs against 2.x, since 1.x is no longer maintained.

Anyhow, thanks for the detailed report!

----------------------------------------------------------------------

You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=103248&aid=1190598&group_id=3248
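The two server-side weaknesses named in the comment (the /identify password landing in the log in plain text, and the passwd file holding a bare MD5 sum) have straightforward mitigations; the following is an added illustration written for this page, not BZFlag or bzfs code, and the log line format, `IDENTIFY_RE`, `PasswordStore` and the sample callsign/password are constructed assumptions.

```python
import hashlib
import hmac
import os
import re

# Assumed log shape: a chat/command line containing "/identify <password>".
IDENTIFY_RE = re.compile(r"(/identify\s+)(\S+)")


def redact_identify(log_line: str) -> str:
    """Mask the /identify argument before the line is written to the server log."""
    return IDENTIFY_RE.sub(lambda m: m.group(1) + "[REDACTED]", log_line)


def unsalted_md5(password: str) -> str:
    """What the comment says the 1.x passwd file holds: no salt, so equal
    passwords give equal digests and one precomputed table covers every user."""
    return hashlib.md5(password.encode()).hexdigest()


class PasswordStore:
    """Hardened alternative: per-user random salt plus a slow PBKDF2 digest,
    compared in constant time. The in-memory dict stands in for the passwd file."""

    ITERATIONS = 200_000

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}  # callsign -> (salt, digest)

    @classmethod
    def _digest(cls, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.ITERATIONS)

    def register(self, callsign: str, password: str) -> None:
        salt = os.urandom(16)
        self._records[callsign] = (salt, self._digest(password, salt))

    def verify(self, callsign: str, password: str) -> bool:
        record = self._records.get(callsign)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._digest(password, salt))


if __name__ == "__main__":
    # Constructed sample: the password never reaches the log in clear text.
    print(redact_identify("[chat] rkrolib: /identify s3cret-sample"))
    store = PasswordStore()
    store.register("rkrolib", "s3cret-sample")
    print(store.verify("rkrolib", "s3cret-sample"), store.verify("rkrolib", "wrong"))
```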