BF3 Server & Procon Console Showing rcon Pwd

wyseguy79
A regular
Posts: 55
https://www.youtube.com/channel/UC40BgXanDqOYoVCYFDSTfHA
Joined: Wed Oct 05, 2011 8:58 pm
Location: Las Vegas, NV

BF3 Server & Procon Console Showing rcon Pwd

Post by wyseguy79 »

After setting up procon on my BF3 servers and letting my admins have access to it, one of my admins noticed, while watching the console window that procon supplies, that the rcon password is displayed in plain text.

So for example:

[11:26:57] login.plainText RCONPWD
[11:26:57] OK

I quickly went to the console window provided by NFO and started to watch, and was unable to see it.

By default the procon console window does not show it, you have to select "events" to be watched and then it starts showing.

I inquired with the procon forum first, and after a day or two with them, they say it's not procon showing the password. Their reasoning for this was due to us using the "debug" feature and the response now showing:

[19:56:49] Server: request S: 421527552 [0-login.plainText] [1-XXXX]
[19:56:49] Server: response S: 421527552 [0-OK]

I was told that if it was the procon client, it would read:

[08:14:54]   Client: request  S: 99     [0-login.plainText] [1-ThePassWord]
[08:14:55]   Client: response S: 99     [0-OK] (RE: [0-login.plainText] [1-ThePassWord])

I was wondering if anyone or NFO had any insight into this, as I really don't want my admins to see my rcon passwords.

Thanks guys!
Edge100x
Founder
Posts: 12948
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: BF3 Server & Procon Console Showing rcon Pwd

Post by Edge100x »

This must be Procon showing commands and responses in its individual user session. BF3 also repeats the "login.plainText" bit to all other clients who are being sent events, but we filter it out of the "Server control" page output, and other clients wouldn't see the "OK".

This would not be shown to unauthenticated clients, so everyone who sees it presumably already knows the rcon password.

So fundamentally this is a limitation/bug in Procon. It's not a security problem with BF3, thankfully.
wyseguy79
A regular
Posts: 55
Joined: Wed Oct 05, 2011 8:58 pm
Location: Las Vegas, NV

Re: BF3 Server & Procon Console Showing rcon Pwd

Post by wyseguy79 »

Thanks for the info... The only thing that made me think the issue was isolated to me was that everyone else made it sound as though, when they view their console window, they don't see the login.plainText with their servers. So I wasn't sure why only my servers are showing the information and all the other BF3 servers were not.
Edge100x
Founder
Posts: 12948
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: BF3 Server & Procon Console Showing rcon Pwd

Post by Edge100x »

I've heard at least one other customer mention it. I don't know enough about Procon to say whether an option needs to be adjusted on that end.
wyseguy79
A regular
Posts: 55
Joined: Wed Oct 05, 2011 8:58 pm
Location: Las Vegas, NV

Re: BF3 Server & Procon Console Showing rcon Pwd

Post by wyseguy79 »

All they keep mentioning to me is how procon sends stuff encoded so that all passwords are hashed on the screen, etc, etc.
Edge100x
Founder
Posts: 12948
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: BF3 Server & Procon Console Showing rcon Pwd

Post by Edge100x »

It seems as though it blindly shows what the server repeats to it. As a result, it will show our system's login request when our system changes server settings or starts its logging.

If Procon is showing that line to people you don't want to see it, they would need to adjust their software to change the behavior.
wyseguy79
A regular
Posts: 55
Joined: Wed Oct 05, 2011 8:58 pm
Location: Las Vegas, NV

Re: BF3 Server & Procon Console Showing rcon Pwd

Post by wyseguy79 »

Thanks
TehKing
New to forums
Posts: 4
Joined: Wed Nov 23, 2011 11:55 pm

Re: BF3 Server & Procon Console Showing rcon Pwd

Post by TehKing »

I noticed this issue on our servers as well. The problem lies with NFO's admin daemon doing something silly when it connects. I've developed a kicker script for our website that uses the login command, and when it connects, the login command is not broadcast like it is when the NFO daemon broadcasts a message.

The tools you guys are using must be executing commands in some strange way, such that they are being broadcast.
Edge100x
Founder
Posts: 12948
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: BF3 Server & Procon Console Showing rcon Pwd

Post by Edge100x »

TehKing, we just login normally, with "login.plaintext".

The BF3 server only shows this login event to authenticated clients that are streaming events, and all of these clients already know the rcon password. I have seen no evidence of a bug that would result in an unauthenticated attacker learning the rcon password, apart from through sniffing the network traffic.

I may change the system to use login.hashed instead. However, this is a slower method.
TehKing
New to forums
Posts: 4
Joined: Wed Nov 23, 2011 11:55 pm

Re: BF3 Server & Procon Console Showing rcon Pwd

Post by TehKing »

The main issue is people port scanning procon server boxes. Your software for some reason broadcasts the passwords while no other software (BC2 or BF3) does, including my own. So there must be something wrong on your end.
Edge100x
Founder
Posts: 12948
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: BF3 Server & Procon Console Showing rcon Pwd

Post by Edge100x »

Could you elaborate on what you mean? Port scanning is when you determine the open and closed ports on a machine, and does not involve data transfer.

Do you mean to say that Procon is re-transmitting all server events, even to unauthorized clients? If so, that's a major security bug in Procon, and they need to get that fixed ASAP.
TehKing
New to forums
Posts: 4
Joined: Wed Nov 23, 2011 11:55 pm

Re: BF3 Server & Procon Console Showing rcon Pwd

Post by TehKing »

Yes, that's what I am saying. I am worried about people port scanning procon boxes and then just listening for the passwords; as it is right now, you don't need a password to get events. I've tried contacting them, but they've ignored my messages.

But there's still an issue that only NFO's software is causing an event to be sent in the first place.
Edge100x
Founder
Posts: 12948
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: BF3 Server & Procon Console Showing rcon Pwd

Post by Edge100x »

In a nutshell, it sounds like we're telling the BF3 server its own password in order to log in, it's then repeating our login attempt to all authorized listeners, and Procon is further broadcasting that publicly. It is absolutely a mistake, and a major security problem, with Procon, to be broadcasting this and other events to anyone who cares to listen like this. Though we and DICE could potentially work around it on our ends, this is fundamentally not a problem with our daemon or with BF3, but with Procon, and would be trivial for them to address.

This means that Procon also must be sending out all commands and responses, all PB output, player GUIDs, and so on. That is not good.
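Two mitigations come up in this thread: filtering the login.plainText argument out of anything that gets displayed (as NFO says it does on its "Server control" page), and logging in with login.hashed so the password itself never appears in the event stream. The Python below is an added example, not code from NFO, Procon or DICE; the sample lines are constructed from the formats quoted above, and the login.hashed computation (MD5 of the server's salt bytes followed by the password, rendered as uppercase hex) follows the published Frostbite rcon protocol rather than anything stated in the thread.

```python
import hashlib
import re

# Constructed sample lines in the two layouts quoted in the thread (not real captures).
SAMPLE_LINES = [
    "[11:26:57] login.plainText RCONPWD",
    "[11:26:57] OK",
    "[19:56:49] Server: request S: 421527552 [0-login.plainText] [1-XXXX]",
    "[08:14:55]   Client: response S: 99     [0-OK] (RE: [0-login.plainText] [1-ThePassWord])",
]

# Bare console layout: "login.plainText <password>".
_BARE = re.compile(r"(login\.plainText)\s+\S+", re.IGNORECASE)
# Debug word-list layout: "[0-login.plainText] [1-<password>]", which the
# response line repeats inside its "(RE: ...)" echo, so substitute globally.
_WORDS = re.compile(r"(\[0-login\.plainText\]\s*\[1-)[^\]]*(\])", re.IGNORECASE)


def redact_login(line: str) -> str:
    """Return the line with every login.plainText password argument masked."""
    line = _WORDS.sub(r"\1<redacted>\2", line)
    return _BARE.sub(r"\1 <redacted>", line)


def redact_stream(lines):
    """Apply redact_login to each event line before it is displayed or stored."""
    return [redact_login(line) for line in lines]


def hashed_login_response(salt_hex: str, password: str) -> str:
    """Compute the login.hashed argument: MD5(salt bytes || password), uppercase hex.

    The salt is the hex string the server returns to a bare "login.hashed"
    request, so what other event listeners see is a per-request digest rather
    than the password itself.
    """
    digest = hashlib.md5(bytes.fromhex(salt_hex) + password.encode("utf-8"))
    return digest.hexdigest().upper()


if __name__ == "__main__":
    for line in redact_stream(SAMPLE_LINES):
        print(line)
    # Constructed salt for illustration; a real server sends its own value.
    print(hashed_login_response("0123456789ABCDEF0123456789ABCDEF", "RCONPWD"))
```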
.=QUACK=.Major.Pain
This is my homepage
Posts: 1573
Joined: Sun Jun 26, 2011 8:03 am

Re: BF3 Server & Procon Console Showing rcon Pwd

Post by .=QUACK=.Major.Pain »

Pretty much anything that goes into the logs can be seen in the Procon console.
The other stuff isn't as much of a big deal, but when they make passwords available, something needs to be changed.

I don't recall this happening in bfbc2, so it may be more related to the game itself and something Procon has overlooked in their early stages. Note that Procon has only been updated once since the BF3 release that I have seen. Might be taken care of in future releases.
Edge100x
Founder
Posts: 12948
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: BF3 Server & Procon Console Showing rcon Pwd

Post by Edge100x »

The BF:BC2 server doesn't repeat server commands back to all listeners, so you wouldn't see it under that game. You would still have information leakage through Procon, then, but not rcon password leakage.