Re: AP, rigged, etc. #8981.4 - there was no superuser account
[ QUOTE ]
Quote:
This is a special client. The server might be cooperating with it (possible, but not likely), or the special client might simply pluck the hole card data from wherever it is stored on the server.
The server in this instance would most definately be cooperating, in so much as verifying the clients authentication to recieve the data.
Otherwise, any Tom, Dick, or Harry could write their own customized client to retrieve the data. This doesn't happen because the server doesn't allow unauthorized access.
In the original example from your quote, the server is cooperating by allowing it...etc.
[/ QUOTE ]
I was referring to the poker server software. The poker server doesn't have to have special code to cooperate with a superuser client. I would consider it a fairly serious vulnerability if it did. The superuser client merely has to have elevated privileges that the operating system on the server honors.
I believe what we're looking at is a superuser (or root) account using a special client (a client for the operating system, not the poker server) designed to pluck hole card data from server storage and display it to the superuser at the remote end.
Obviously, if you have root access, you don't need the special client. You can just poke around and grep hole card data in a shell. But that would be a pain, and I think this whole system dates back to the design of the software itself. It would make much more sense to whip up a crude client, for testing purposes, that could do little more than display cards. When used from a root account, the client has access to all the cards.
The other possibility is that the special display client exists on the server itself. I believe this is less likely, simply because it would have been less convenient in the testing phase and more complicated to write (due to the network code that would have to be developed).
|