Warning to GSPs (Game Service Provider) You can be hacked with a Leather Mod!
So I just realized that a Leather mod is not sandboxed at all and can do pretty much anything the owning process controls, and since everything appears to be on Windows with most GSPs, you are wide open to exploitation and data gathering, and even kernel exploits can be executed with ease at this point. So pretty much my recommendation is to use a method of sandboxing for your server mods, or else you can pay the price.
[CODE]
Loading mods...
(Filename: C:/BuildAgent/work/d3d49558e4d408f4/artifacts/StandalonePlayerGenerated/UnityEngineDebug.cpp Line: 53)
Attempting to scan Assembly: C:\TCAFiles\Users\xxxxxx\xxxxxx\rust_server_Data\mods\LeatherPoC_mod
(Filename: C:/BuildAgent/work/d3d49558e4d408f4/artifacts/StandalonePlayerGenerated/UnityEngineDebug.cpp Line: 53)
Non platform assembly: C:\TCAFiles\Users\xxxxxx\xxxxxx\rust_server_Data\mods\LeatherPoC_mod (this message is harmless)
Located mod 'LOL HAX' with 1 MonoBehaviours to bootstrap.
(Filename: C:/BuildAgent/work/d3d49558e4d408f4/artifacts/StandalonePlayerGenerated/UnityEngineDebug.cpp Line: 53)
Finished scanning for mods.
(Filename: C:/BuildAgent/work/d3d49558e4d408f4/artifacts/StandalonePlayerGenerated/UnityEngineDebug.cpp Line: 53)
--- Dirs: ---
C:\TCAFiles\Users\xxxxxx
C:\TCAFiles\Users\xxxxxx
C:\TCAFiles\Users\xxxxxx
C:\TCAFiles\Users\xxxxxx
C:\TCAFiles\Users\xxxxxx
C:\TCAFiles\Users\xxxxxx
C:\TCAFiles\Users\xxxxxx
C:\TCAFiles\Users\xxxxxx
--- Doneski ---
--- User Accounts with RDP ---
xxxxxx/Administrator
xxxxxx/xxxxxx
xxxxxx/xxxxxx
xxxxxx/xxxxxx
--- Doneski ---
[/CODE]
Well, "LeatherPoC_mod" is not the default Leather mod, or at least it is not mentioned in this forum; it's definitely some "virus" that hacks your information. Try to remove LeatherPoC_mod. For now, better install Leather from here [url]http://facepunch.com/showthread.php?t=1339912[/url] By the way, can I get the whole rust_server_data folder? I may check this one and tell you; maybe there is something else too.
[QUOTE=PreFix;43464254]Well, "LeatherPoC_mod" is not the default Leather mod; it's definitely some "virus" that hacks your information. Try to remove LeatherPoC_mod. For now, better install Leather from here [url]http://facepunch.com/showthread.php?t=1339912[/url][/QUOTE] I wrote the mod as a proof of concept. What it means is that a malicious server owner can exploit the parent server it is hosted on.
Then you should email this to garry, because everybody can edit the Leather source as they want to.
It was known from the first day. Thanks for proving!
[QUOTE=Ideal-Hosting;43464308]It was known from the first day. Thanks for proving![/QUOTE] Not a problem, I wonder how the server files keep leaking as well... Leather.
You could just download from some hosters. Unfortunately.
[QUOTE=Ideal-Hosting;43464357]You could just download from some hosters. Unfortunately.[/QUOTE] Aw.... But some users would love to test a server too :| For example, I want to learn how to make some plugins but I don't want to pay for hosting while I could launch a local server on my PC. Seems Zidonuke has those leaked files (because he has spoken about it). Or did it really print out all directories? So.. I think it's a really bad thing, because they can do something for other servers too :|
I don't think we are staying on track of this topic, remember this topic is here to ensure GSPs and the General Public know that 'Leather' can be used to exploit GSPs and gain information that shouldn't be available to others. -b3ck
If you're not already sandboxing your servers manually (i.e. running them under users who only have permissions for what they're supposed to be doing), you're not a very good GSP.
Neolith (Leather v2) coming out soon will have these security features. and ^
[QUOTE=Zidonuke;43464336]Not a problem, I wonder how the server files keep leaking as well... Leather.[/QUOTE] As the LeatherLoader guys use us for their testing server, I can assure you they are not the ones leaking server files. Also Leather just gives you the tools, you should always check if mod files are legitimate. This is nothing new.
Most of the code comes bundled inside the client, I don't think they really care if server files get leaked at the moment. Pretty easy to cut them off anyway.
Yes, we've been very straightforward about what Leather does - it runs arbitrary C# code with the same permissions as Rust. GSPs are already aware, which is why many of them are examining which Leather mods to permit individually, why ideal-hosting has chosen not to carry us for the moment, and why I've tried to open source everything I can. As mentioned, CoreCLR integration to provide better sandboxing is a planned feature for Leather. THAT SAID, as HFB servers pointed out to me, anyone with access to my source, and who has access to the mainData file via their GSP, can put together a non-sandboxing version and install it themselves, even once sandboxing is implemented. It's really not an easy thing to keep the server files secure, and servers should take lengths to make sure that their own sensitive data is protected from the games they run.
[QUOTE=CanVox;43467069]Yes, we've been very straightforward about what Leather does - it runs arbitrary C# code with the same permissions as Rust. GSPs are already aware, which is why many of them are examining which Leather mods to permit individually, why ideal-hosting has chosen not to carry us for the moment, and why I've tried to open source everything I can. As mentioned, CoreCLR integration to provide better sandboxing is a planned feature for Leather. THAT SAID, as HFB servers pointed out to me, anyone with access to my source, and who has access to the mainData file via their GSP, can put together a non-sandboxing version and install it themselves, even once sandboxing is implemented. It's really not an easy thing to keep the server files secure, and servers should take lengths to make sure that their own sensitive data is protected from the games they run.[/QUOTE] So is there any GSP with proper measures/security providing mod access then?
It depends what you consider an "exploit" I guess. If the idea of a hacker creating a Rust mod that downloads the server files really concerns you (the one thing a properly-configured GSP server is currently allowing leather mods to do), then FPSPlayers and HFBServers both have proper measures installed: users do not have the ability to upload arbitrary mods, and instead can choose from a list of approved mods to install from the cPanel. If downloading server files doesn't bother you, then most GSPs have proper security measures in place. The OP was apparently running Rust in an environment where Rust_server.exe had administrator access or something, which is, well, bad IT practice. EDIT: To put it another way, it's a good thing that the OP didn't list his GSP, as I'm sure there are several hackers reading this board who would like to know which GSP doesn't know how to configure their servers properly.
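A log check a GSP could run alongside the approved-mod list described above, added here as an example and not code from the thread or from Leather: it pairs each `Located mod` line with the assembly scanned before it and flags anything not on the allowlist. The log text is a constructed sample modelled on the first post's output; `ExampleApproved_mod` and the function names are hypothetical.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample modelled on the log in the first post; ExampleApproved_mod is hypothetical.
SAMPLE_LOG = r"""Loading mods...
Attempting to scan Assembly: C:\TCAFiles\Users\xxxxxx\xxxxxx\rust_server_Data\mods\LeatherPoC_mod
Located mod 'LOL HAX' with 1 MonoBehaviours to bootstrap.
(Filename: C:/BuildAgent/work/d3d49558e4d408f4/artifacts/StandalonePlayerGenerated/UnityEngineDebug.cpp Line: 53)
Attempting to scan Assembly: C:\TCAFiles\Users\xxxxxx\xxxxxx\rust_server_Data\mods\ExampleApproved_mod
Located mod 'Example Approved' with 2 MonoBehaviours to bootstrap.
Finished scanning for mods.
"""

SCAN_RE = re.compile(r"^Attempting to scan Assembly:\s*(.+?)\s*$")
MOD_RE = re.compile(r"^Located mod '(.*)' with (\d+) MonoBehaviours? to bootstrap\.")


def parse_loaded_mods(log_text):
    """Pair each 'Located mod' line with the assembly path scanned just before it."""
    mods, current = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        scan = SCAN_RE.match(line)
        if scan:
            current = scan.group(1)
            continue
        located = MOD_RE.match(line)
        if located:
            mods.append({"assembly": current, "name": located.group(1),
                         "behaviours": int(located.group(2))})
    return mods


def unapproved_mods(log_text, approved_assemblies):
    """Return loaded mods whose assembly file name is not on the allowlist."""
    # The display name ('LOL HAX') is chosen by the mod author, so it is never
    # trusted; a mod with no preceding scan line is flagged (fail closed).
    approved = {name.lower() for name in approved_assemblies}
    flagged = []
    for mod in parse_loaded_mods(log_text):
        fname = PureWindowsPath(mod["assembly"]).name.lower() if mod["assembly"] else None
        if fname not in approved:
            flagged.append(mod)
    return flagged


if __name__ == "__main__":
    for mod in unapproved_mods(SAMPLE_LOG, {"ExampleApproved_mod"}):
        print("UNAPPROVED:", mod)
```

A file name is a weak identifier on its own; where the GSP installs mods itself, pinning each approved assembly to a hash closes the rename gap.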
So basically, if you want to be extremely safe just disallow access to the rust_server_data folder and have a mod manager to install our mods for you (which are all open source) or (which GSPs should be doing anyway) launch Rust as a user with no permissions to any other directory except its own, therefore nobody can exploit it even if they have their own DLLs. Well, other than downloading the Rust server files.
To illustrate my point, here is a thread wherein a user does the exact same thing with Oxide: [url]http://facepunch.com/showthread.php?t=1345525[/url]
Just so people know, Zidonuke is a scaremongerer and shit stirrer in just about every community where modding is possible. Also he's a furry who plays SecondLife. Hopefully we all learn from this thread. [url]http://en.wikifur.com/wiki/Zidonuke[/url] Some highlights: [quote] Zidonuke was a coder and administrator on F-List, but was banned in February 2011 after spying on users through the use of a TCP dumper.[6] Once discovered, he gave all users administrator access, removed bans, and published the site's code online. F-List Administration spent 5 days restoring the site entirely from backups.[7][8] [/quote] [quote] Zidonuke released versions of the Minecraft Server Daemon called Bukkit, which permitted old clients to connect to the new server. [9] However it was speculated the build was malicious when he begun to crash servers with an exploit in movement packets that allowed a floating point NaN (Not a number) to be used in the Y axis, putting the server into a infinite loop calculating physics. [/quote]
Well, this is incredibly interesting. Will I be gaining access to my rust_server_data folder again on HFBServers or is that a thing of the past?
[QUOTE=skyh;43473588]Well, this is incredibly interesting. Will I be gaining access to my rust_server_data folder again on HFBServers or is that a thing of the past?[/QUOTE] Most likely not, which is why me/hubby are no longer bothering with Rust. I shouldn't have to wait on half-assed GSPs to add crap.
The problem with GSPs only installing approved mods, is that I'm a developer and I want to make my own mods (which I have been doing) but I have absolutely no way to test these mods now without getting the content approved by my GSP. It is a super annoying process. I guess I just need to lease my services to oxide or rust++ or something, because trying to be an individual modder is working about as well as playing rust solo.
[QUOTE=luck^eh;43475849]The problem with GSPs only installing approved mods, is that I'm a developer and I want to make my own mods (which I have been doing) but I have absolutely no way to test these mods now without getting the content approved by my GSP. It is a super annoying process. I guess I just need to lease my services to oxide or rust++ or something, because trying to be an individual modder is working about as well as playing rust solo.[/QUOTE] I think they're jammed up with the sheer amount of requests they have, but I know that BMRF gives enough permissions to do mod testing, so I'd try to rent from them.
3:29 *** Jackx quit (Ping timeout: 240 seconds)
13:30 *** IceFrog quit (Quit: [url]http://www.mibbit.com[/url] ajax IRC Client)
13:39 *** Refreshmant quit ()
13:55 *** Ziegenpeter joined #ArtificialAiming
13:57 *** Ziegenpeter quit ()
14:00 *** Theocrat joined #ArtificialAiming
14:01 *** fuckthisname joined #ArtificialAiming
14:01 +++ Rizon has given halfop to fuckthisname
14:16 Zidonuke So I've noticed something about VAC, it doesn't seem to ban smart people
14:16 Zidonuke its such an odd effect!
[QUOTE=BARKx4;43471210]Just so people know, Zidonuke is a scaremongerer and shit stirrer in just about every community where modding is possible. Also he's a furry who plays SecondLife. Hopefully we all learn from this thread. Some highlights:[/QUOTE] Wow, reporting a possible exploit in the way GSPs handle permissions! Such a shit stirrer! You forgot the rest of the quote: [quote]Zidonuke released versions of the Minecraft Server Daemon called Bukkit, which permitted old clients to connect to the new server. [9] However it was speculated the build was malicious when he begun to crash servers with an exploit in movement packets that allowed a floating point NaN (Not a number) to be used in the Y axis, putting the server into a infinite loop calculating physics. The exploit existed in vanilla minecraft since version 1.0 and was reported by Zidonuke to Mojang multiple times before his demonstration. This build was proven legitimate by Dinnerbone, one of the project's developers and administrators, though it was later removed after an exploit was added to the source code post-release.[/quote] No, he didn't make a malicious build, it was already in Minecraft vanilla. Here's some more quotes from the exact same page: [quote]In the past he has jointly contributed to the upkeep of Huggle (an anti-vandalism tool used widely on Wikipedia), as well as contributing to Second Life by reporting various bugs in the service. However, he was later banned from Second Life by Linden Labs after reporting and exploiting various security issues with Vivox, A voice service in use by Second Life. In response, Zidonuke made an alternate SL account ("Zidonuke Ghost"), and has been using it ever since. He is also known for his contributions to improving server side security in the game Terraria on the TShock project.[/quote] He's a guy who exploits bugs to get them fixed. Ethical? Questionably, but it's not as evil as you make it out to be (keep in mind he reported all the exploits he found).
And who the hell cares if he's a furry or he plays Second Life? It seems you're trying to stir shit more than he is.
[QUOTE=supersnail11;43492306]Wow, reporting a possible exploit in the way GSPs handle permissions! Such a shit stirrer! You forgot the rest of the quote: No, he didn't make a malicious build, it was already in Minecraft vanilla. Here's some more quotes from the exact same page: He's a guy who exploits bugs to get them fixed. Ethical? Questionably, but it's not as evil as you make it out to be (keep in mind he reported all the exploits he found). And who the hell cares if he's a furry or he plays Second Life? It seems you're trying to stir shit more than he is.[/QUOTE] He could've approached GSPs about it in private, like we did when we found a gamebreaking exploit, but no. He decided first thing to leak files and post it openly. If that isn't malicious then I don't know what is. Also being a furry who plays second life makes ALL the difference. EDIT: Also it wasn't "fixed". Most GSPs simply closed everything down completely wrecking the modding scene because they had to scramble, instead of being given a way to actually fix it.
[QUOTE=BMRFMULTIBEAR;43493098]He could've approached GSPs about it in private, like we did when we found a gamebreaking exploit, but no. He decided first thing to leak files and post it openly. If that isn't malicious then I don't know what is.[/quote] He did it to make it get fixed faster. Think, what's going to get fixed faster: an exploit that, as far as the GSP knows, only one person knows (but many more people might be exploiting it), or an exploit that everyone knows, and the GSP knows everyone knows? Sure, it might not be the most ethically sound (grey-hat), but garry doesn't care and it really didn't break anything. [quote]EDIT: Also it wasn't "fixed". Most GSPs simply closed everything down completely wrecking the modding scene because they had to scramble, instead of being given a way to actually fix it.[/QUOTE] It's not his fault that they didn't set their servers up right in the first place. Create a user only for running the server and chroot them to the server directory (or whatever the equivalent is on windows, though Rust has linux builds and they should really be using those). They can't touch anything but the server and any other files in that directory. If they bothered to set their servers up right in the first place, this would've been a non-issue. [quote]Also being a furry who plays second life makes ALL the difference.[/quote] No, it doesn't. [editline]11th January 2014[/editline] If you're still at a point in your life where you judge people on what they like to do, you're not really at a point where you can judge what someone else does.
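A check for the setup described in the post above (a dedicated user confined to the server directory), added here as an example and not code from the thread: it reports which other customers' directories a service account could still list, the same enumeration the proof of concept printed. It assumes a POSIX host with one directory per customer and evaluates mode bits only; the directory names, uid and gid values are constructed.

```python
import os
import stat
import tempfile


def can_list(st, uid, gids):
    """POSIX mode-bit check: may (uid, gids) read and traverse this directory?

    Assumption of this sketch: ACLs, capabilities and root's override are ignored.
    """
    if st.st_uid == uid:
        need = stat.S_IRUSR | stat.S_IXUSR
    elif st.st_gid in gids:
        need = stat.S_IRGRP | stat.S_IXGRP
    else:
        need = stat.S_IROTH | stat.S_IXOTH
    return (st.st_mode & need) == need


def exposed_siblings(hosting_root, own_dir, uid, gids):
    """Directories under hosting_root, other than own_dir, that the account can list."""
    own = os.path.realpath(own_dir)
    exposed = []
    for entry in os.scandir(hosting_root):
        if not entry.is_dir(follow_symlinks=False):
            continue
        if os.path.realpath(entry.path) == own:
            continue
        if can_list(entry.stat(follow_symlinks=False), uid, gids):
            exposed.append(entry.name)
    return sorted(exposed)


def demo():
    """Constructed layout: one directory per customer, with different modes."""
    with tempfile.TemporaryDirectory(prefix="gsp_audit_") as root:
        for name, mode in (("cust_a", 0o700), ("cust_b", 0o755), ("cust_c", 0o750)):
            path = os.path.join(root, name)
            os.mkdir(path)
            os.chmod(path, mode)  # explicit chmod so the umask does not interfere
        owner = os.stat(os.path.join(root, "cust_b"))
        # Hypothetical service account that owns nothing here and shares no group.
        uid, gids = owner.st_uid + 1, {owner.st_gid + 1}
        return exposed_siblings(root, os.path.join(root, "cust_a"), uid, gids)


if __name__ == "__main__":
    print(demo())
```

An empty result is the target state; any name returned is a customer directory whose mode should be tightened before untrusted mods are allowed.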
Sorry, but I never knew what a furry was OR Second Life for that matter lol :O So I googled it! I found this [url]http://www.youtube.com/watch?v=Tm8NNhA4ydg[/url]
[QUOTE=supersnail11;43494303]He did it to make it get fixed faster. Think, what's going to get fixed faster: an exploit that, as far as the GSP knows, only one person knows (but many more people might be exploiting it), or an exploit that everyone knows, and the GSP knows everyone knows? Sure, it might not be the most ethically sound (grey-hat), but garry doesn't care and it really didn't break anything. It's not his fault that they didn't set their servers up right in the first place. Create a user only for running the server and chroot them to the server directory (or whatever the equivalent is on windows, though Rust has linux builds and they should really be using those). They can't touch anything but the server and any other files in that directory. If they bothered to set their servers up right in the first place, this would've been a non-issue. No, it doesn't. [editline]11th January 2014[/editline] If you're still at a point in your life where you judge people on what they like to do, you're not really at a point where you can judge what someone else does.[/QUOTE] What are your excuses for the logger he installed in F-List so he could jerk off to people's private conversations? Or the fact he adminned everyone in a fit when caught?
[QUOTE=BARKx4;43494411]What are your excuses for the logger he installed in F-List so he could jerk off to people's private conversations? Or the fact he adminned everyone in a fit when caught?[/QUOTE] What's your excuse for bringing unrelated furry drama shit onto Facepunch when the situation is already handled (this exploit is already known, according to Ideal-Hosting)? Stop being a concern troll.