Denial of Service bounty hunters
lightPhoenix writes "Get this, John Carmack, god of id & Quake 3 Arena, is offering a bounty for exposure of game server exploits. Check it out." It's down the page a bit, but it's there. That's a cool idea.
This isn't news. It's been around for weeks. Everybody in the world and their grandmother knows about this. I can only speak for myself, but I'm sick of hearing about it. So quit crying because CT won't post your old news.
The earlier article here at Slashdot was titled NOS and it had several stories and comments about all 3 OSes. This one is just an article discussing web serving and there are no comments or examples of real-world situations other than NT. Go check it out for yourself. It's a different article, but it's probably based on the same results as the previous benchmark, or someone at ZDLabs wanted to do something with Linux and Solaris while the test machines were still at their offices.
That's pretty stupid, that's an old bug from QW days, shouldn't have been in there in the first place.
Use netcat. I used to give myself admin access to any Quake 1 server in the world with a spoofed source IP (from id Software's subnet) and a certain password. I also wrote a script to exploit a buffer overflow, but never got it to do anything but segfault the server. ;)
There were all kinds of buffer exploits and ways to crash the server.
Check out the BugTraq archives. There were several against Q1
Is there a name for 10e23? You know, million (10e6), billion(10e9), trillion(10e12), quadrillion (10e15), etc. So a mole would be 620 [word for 10e21].
Carmack did say that the code already had something like "FIXME: make vsprintf safe" next to it, just he hadn't got around to fixing it.
:-)
Nice and honest of him to pay out the money for something they already knew about.
If only Carmack was a woman, I'd want to shag him senseless.
--Nudel
What does it mean? I think (disclaimer: it's been about 10 years since I took chemistry & physics) that it's the number of molecules of a gas in a given volume (don't remember the volume). Anyone care to correct?
Isaac-Lew, chiming in from work
Did you mean fixing or finding? If you meant finding, we'd all be rich with $100 bounties and have closets full of some misc bit of MS paraphernalia.
American as an adjective does not exclusively define the English-speaking world, especially since the numbers you describe are latin-based.
The keys to my car aren't "intellectual property." Information that somebody discovers through strenuous testing is a product of their work.
Think of the possibilities if exploits of Microsoft products acquired cash value on a competitive market....
I found (out of sheer boredom) that DoS attacks like teardrop, pepsi, and that sort would crash Q2 servers (at least when running with the GUI too... never tried any other sort). I was bored one day and my roommate was hosting a game. I sent a teardrop to his Q2 port, and boom... BSOD. I believe his box was even patched with the UDP/TCP patches (I *believe* so). Someone might want to check those out and see what they come up with under Q3.
-Holiday
Yes, it uses UDP.
Avogadro's number is 6.022 x 10^23. This number can be applied to anything. Generally, it is used in chemistry and physics as a simple means of defining amounts of substances independently of weight. Avogadro's number is the number of atoms in a mass of a pure element that has a mass equal to its atomic weight in grams. For example, oxygen has an a.w. of 16, so 16 grams of O2 contains 6.022E23 atoms of oxygen.
Thus, combining 1 mole of O2 and two moles of H2 gives you 2 moles of H2O. This makes it much clearer than saying you used 32 grams of O2 and 4 grams of H2 to produce 36 grams of water. You might say "that's no problem," but you have to realize that has to be the easiest example around. It would be mighty awkward to determine the stoichiometry of many reactions with only the relative masses of the compounds involved.
It's fine to offer a 'bounty' like this, but I'd really like to see it hit the open market. Something like people who know of an exploit putting the info on ebay for open bidding. I'm sure there are people out there who'd pay more than Carmack, just for the fun of the hack.
It's kinda like back when Netscape was offering a cheesy free t-shirt to people who found bugs in the code. I mean, it's gotta be worth more than a t-shirt. Some private entity should have outbid them, because that sort of info is worth a LOT more than a t-shirt to the right interests.
Then again, the government has floors full of people at the NSA pounding away at anything and everything to find useful exploits to use in spying. So many more exploits are known by them than will ever be revealed.
That's the dumbest idea I ever heard of... think about it.
Would you appreciate it if I found the keys to your car and sold them on eBay? I'm sure there are people out there who'd pay more than you.
Carmack is offering a small finders fee, just like you would for your car keys.
Doesn't quake use UDP?
Stands to reason that you wouldn't be able to connect to it via TCP then...
/AE
The default ports are:
Quake: 26000
QuakeWorld: 27500
Quake2: 27800(?)
Quake3: 27960
-Yarn - Rio Karma: Excellent
There is a Perl module that can do this; I just forget its name, check CPAN. I had made a small program that would send out packets, for a sniffer program I was working on. The trouble I ran into was that since the kernel wasn't aware of these packets, it kept sending back reset packets. So I could send out one or two before the other server caught them and ignored everything else...
Donald Knuth has been paying people to find bugs in his software and books for a long time now. As the software matures and most bugs are fixed, the bounty goes up! Economics in action.
Well, if it was to accomplish anything useful, they'd pretty much have to open their code... it's hard to fix bugs in software you don't have the source for.
If you meant "find", rather than "fix"... I'm still not sure it would accomplish much of anything. I mean, there are enough MS users out there that someone has got to be reporting the bugs... They _have_ to know about them. They just aren't fixing them.
As Bill Gates said, there are no significant bugs in Microsoft's software. Everyone's just using it wrong...
(Methinks someone's in denial...)
I don't remember any DoS attacks against Quake 1 servers. Was it just a bitchin' protocol? Or was the net a kinder, gentler place then? Quake 2 did get hit hard though.
:)
It's kind of sad to see that there is even a need for this kind of bounty. I mean, what kind of loser takes down a game server? It's not like you're gonna get root and be l88T. You're just gonna cause inconvenience to people trying to have fun, and to a company that has a pretty shining record of being all-around good guys.
(although I bet if Romero finds a good one he's not going to send it in...)
Screw everyone hiding their flaws and prosecuting those who try to help them by showing where their software is wrong! Carmack has the EXACT RIGHT idea on how you go about making something safe and secure.
First you do your best to make sure there is nothing obvious or dumb. Then you basically offer a prize (money, recognition, hardware, etc.) to those who show you where your weaknesses are!
Bravo! I wish more people took after this methodology. Encourage, don't discourage the young minds!
This makes sense. If you push data at his port all day long, there's not so much he can do about it.
Heh. I suppose now would be an interesting time for me to bring up a Request For Software. I'd like something that does the opposite of tcpdump, i.e. given input of packets, say, FROM tcpdump, shove them onto the wire. There are a *large* number of *non*-hacking applications out there for something like this, mainly because the datastream can be tampered with using standard tools before it's piped back onto the wire. Of course, the key thing is against the servers, we can play lots of "here are a bunch of 'almost correct' packets--have fun!" games.
Think you can code this? Email me. I'll tell ya what other *major* functionality a tool like this would bring.
Yours Truly,
Dan Kaminsky
DoxPara Research
Once you pull the pin, Mr. Grenade is no longer your friend.
Ummm, he is offering a bounty, but not for OS-targeted and some Denial of Service type attacks.
Here's the exact quote from his .plan:
> Operating system level attacks don't count -- only things that I can actually fix or protect against in my code.
> Denial of service attacks don't count if they require upkeep, but if there is a fire-and-forget DOS attack, it will still count.
Anyone know this...before I start the port scanner. :-)
But I have what perhaps is a flame-ready topic:
What if Microsoft offered a similar bounty for fixing security holes in their software?
What would you say then?
(Besides the completely obvious joke about how they would shortly find themselves bankrupt...)
$asbestos = 1;
wait;
Check my Go-related blog for beginners: DGD
A) Something positive for hackers to get a hold of, and actually get attention for their exploits, and even get them fixed!
B) Positive feedback from the developer of the software, and appreciation.
C) A final product that would be far superior in security from DoS than if it had been released without this testing.
Definitely makes everyone happy.
-- Give him Head? Be a Beacon?
(If you can't figure out how to e-mail me, don't.)
This was fixed in version 3.17 of Quake2 and all following releases and in version 2.1 of QuakeWorld and all following releases.
It was a piece of test code that got left in QuakeWorld (and Quake2 inherited it in the code base). QuakeWorld was never an "official" product -- it was only a test platform for new networking ideas such as prediction. As soon as it was identified, both games were patched and new versions were made available.
The exploit page you cite lists Quake1 (regular Quake) as vulnerable, which is bogus since Quake1 doesn't even have rcon facilities. It also states it isn't logged, which is false since every rcon prints out on the console with the address it came from.
Root compromise? Any decent sysadmin would never run a QuakeWorld or Quake2 server as root to begin with (the servers do not need special privileges).
This issue was dealt with quickly and appropriately.
/// Zoid.
How about the network-wide denial-of-service attack perpetrated by 6.02E23 people attempting to download the demo at once???
:-)
I just want the "misc bit of Q3A paraphernalia". Ahh, what a damn cool company id is.
Sounds cool man. I guess if you can get the big exploits out of the way now, playing ought to be a bit more reliable. BTW, how's that Linux Q3 demo from yesterday? I never got a chance to dl it.
-earl
I don't get why he's putting benchmark stats on the QIII exploit discussion. But the OS can help with different exploits.
"Windows 98 Second Edition works and players better than ever." -Microsoft's Home page on Win98SE.
I ate my tag line.
-=Ellis (D)25=-
Whoa, I was way off... Sorry about this misinformation about the ports I posted. I may have been thinking of some other games. But the other information should help you out though.
It's true that American!=english speaking,
but the former British world uses a system like this:
10E6=million
10E9=thousand million
10E12=billion
etc. which is quite different from the US system (but in line with the system used in continental europe.)
'Q2 had several releases forced out because of malicious attacks on all the public servers'.
Uh, maybe this was because 'id Software blatantly put a backdoor in Quake 1/2 and QuakeWorld including both the Linux/Solaris Quake2. RCON commands sent from the subnet 192.246.40.0/24 and containing the password "tms" are automatically executed on the server without being logged.'
'Vulnerable Systems: Those running Quake 1, QuakeWorld, Quake 2, Quake 2 Linux and Quake 2 Solaris, all versions. Thus many Windows and UNIX boxes are affected.'
'Compromise: root (remote).'
'Notes: Quake was always a horrible security hole, but I never thought Id would stoop to introducing an intentional backdoor to allow them access to systems running Quake. I am surprised this didn't get more publicity.'
The exploit was discovered by Mark Zielinski and is documented at www.insecure.org. You can find the fix here, but if you're looking for a patch, dream on...
Carmack has awarded the first bug. Apparently it has to do with a message passed from the server to the client with a %s embedded that chokes up vsprintf.
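An added example of the bug class described in the comment above, not id Software's code and not the fix Carmack shipped: text of external origin ending up as the format argument of vsprintf. It shows the unsafe calling pattern beside a safe one (literal format, bounded write with snprintf) and a small check that flags strings containing conversion directives. MSG_MAX, the function names and the hostile input string are constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MSG_MAX 32   /* small on purpose so truncation is visible */

/* VULNERABLE pattern (never call this with external text as fmt): the format
   comes from the caller, so a player name or server message that arrived over
   the network becomes the format string. A "%s" in it makes vsprintf read a
   pointer that was never passed, "%n" writes through one, and the write into
   out is unbounded. Kept here only to show the shape of the bug. */
static void format_unsafe(char *out, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsprintf(out, fmt, ap);      /* unbounded, attacker-chosen format */
    va_end(ap);
}

/* Returns 1 if s contains a conversion directive (a '%' not followed by '%'),
   i.e. the string would be interpreted rather than copied if used as a format.
   Useful as a detection/logging check; the real fix is format_safe below. */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {       /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

/* SAFE pattern: the format is a string literal fixed in the code, the external
   text is always an argument, and the write is bounded by out_size. Returns
   what snprintf returns (length of the full untruncated output) so the caller
   can detect that a long message was cut short instead of overflowing. */
int format_safe(char *out, size_t out_size, const char *external_text)
{
    return snprintf(out, out_size, "%s", external_text);
}

int main(void)
{
    char buf[MSG_MAX];
    const char *from_client = "%s%s%s%n";   /* constructed hostile input */

    /* the check says this string must never be used as a format */
    printf("directives present: %d\n", has_format_directive(from_client));

    /* the safe path renders it literally: %s%s%s%n */
    format_safe(buf, sizeof buf, from_client);
    printf("safe: %s\n", buf);

    /* the only safe use of the unsafe helper: a literal format, text as arg */
    format_unsafe(buf, "player %s joined", "spong");
    printf("literal format: %s\n", buf);

    /* format_unsafe(buf, from_client);   <- the shape of the bug paid for */
    return 0;
}
```

The check in has_format_directive is a stopgap for logging or rejecting suspicious input; the actual fix is structural: every variadic format in the server must be a literal, with client-derived text only ever passed as a %s argument to a bounded function.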
I think we should all get the prize, because apparently the server has been Slashdotted :-)
[spong@rush ~]$ telnet crashtest.idsoftware.com 27960
Trying 192.246.40.68...
telnet: Unable to connect to remote host: Connection refused
[spong@rush ~]$
"Software is like sex- the best is for free"
More likely, telnet service is just disabled. I get the same response if I try to telnet to my box on that port while running Q3 in dedicated mode.
The point was that those numbers would be different for non-americans. To Americans, a billion is a thousand million, but a British billion is quite a lot larger.
>>Sami Tammilehto wins the second prize. Some large connectionless packets can cause crashes.
>So! Who else recognizes that name? Does the name 'Future Crew' ring a bell? ^_^/
>Hehe. It's nice to see that those guys are still hanging in there.
Shit, the name sounds right. Would that be possible? I loved their Second Reality demo so much (because of the soundtrack)... And Screamtracker!
Hey Sami! Maybe you're even reading this! Yes you! What happened?
aaaanyway, nostalgia...
I strongly believe that trying to be clever is detrimental to your health. -- Linus Torvalds
>Sami Tammilehto wins the second prize. Some large connectionless packets can cause crashes.
So! Who else recognizes that name? Does the name 'Future Crew' ring a bell? ^_^/
Hehe. It's nice to see that those guys are still hanging in there.
Cryptic Allusion - New Mac and Dreamcast Games!