Going through ulx files I found [URL="https://github.com/Nayruden/Ulysses/blob/9fbfda1f0f938e7ffd20777963231eeead4f4658/ulib/lua/ulib/server/player.lua#L192"]this[/URL]. I was a bit surprised how ulx devs missed such a thing in the first place. I then decided to test the exploit where I am just an admin (without any rcon permissions), and it did work.
*snip*
Some people will probably hate me or something, but I just want to let the public know. Public exploits get fixed fastest :).
[b]Edit:[/b]
[URL="https://github.com/Nayruden/Ulysses/commit/c4aa01eed84f2b2365949899fd71d20ca3824097"]Fixed.[/URL]
*snip*
You don't have access to this command, Mr.Weegeeman!
:- )
I have alerted a ULX dev to this, it will be fixed soon hopefully. :)
[url=https://github.com/Nayruden/Ulysses/commit/c4aa01eed84f2b2365949899fd71d20ca3824097]Fixed.[/url]
[QUOTE=edgarasf123;46852960]Public exploits get fixed fastest :).[/QUOTE]
At the very least, give us a day or two of notice. We take these bugs very seriously, and we make it our highest priority to fix them. (This fix was incredibly simple, anyways.)
That was a big problem, nice find.
there are many times when posting exploits publicly is completely fine for example
a.) the devs won't respond
b.) the devs won't let you help them
c.) it's a very large game and it will take forever to contact the developers/get a patch in the game and it's more urgent
however, this is a time imo that you should not publicly inform everyone about because
a.) multiple servers may be hacked from the result when the update could have been pushed through and gone unnoticed by most skids
b.) stickly man is easy to contact afaik, and iirc he's online steam often. not sure if he accepts friend requests though but you can easily inform him in many other less community damaging ways
good find nevertheless
[QUOTE=nettsam;46853820]there are many times when posting exploits publicly is completely fine for example
a.) the devs won't respond
b.) the devs won't let you help them
c.) it's a very large game and it will take forever to contact the developers/get a patch in the game and it's more urgent
however, this is a time imo that you should not publicly inform everyone about because
a.) multiple servers may be hacked from the result when the update could have been pushed through and gone unnoticed by most skids
b.) stickly man is easy to contact afaik, and iirc he's online steam often. not sure if he accepts friend requests though but you can easily inform him in many other less community damaging ways
good find nevertheless[/QUOTE]
Well I'm happy that it was fixed in an hour. But this thread is also to inform server owners. Without this thread, server owners won't know that the exploit exists and won't update their ulx mod as not everyone has automated updates.
I would suggest Team Ulysses to add some kind of update notifier in situations like this.
[QUOTE=edgarasf123;46854029]Well I'm happy that it was fixed in an hour. But this thread is also to inform server owners. Without this thread, server owners won't know that the exploit exists and won't update their ulx mod as not everyone has automated updates.
I would suggest Team Ulysses to add some kind of update notifier in situations like this.[/QUOTE]
I was thinking the same thing like darkrps motd but ulx rarely has large exploits like this so it's not really important
in all honesty the only way they are going to figure out (or care really) is when their server gets hacked and they come crying to the forums
it wouldn't be an issue if the skids didn't know about the exploit in the first place
[editline]4th January 2015[/editline]
OH I JUST REALIZED ITS ONLY THE REASON NOT THE NAME
Proper ethical notification would indeed have been to notify any one of our team members and allow us to respond. Our web site has a "Contact Us" page, and we monitor our email daily.
Extra thanks to the community member who notified us indirectly of this thread.
[QUOTE=nettsam;46853820]
a.) multiple servers may be hacked from the result when the update could have been pushed through and gone unnoticed by most skids[/QUOTE]
Luckily, this issue only applies to admins that have access to "ulx ban" or "ulx banid", who should be more trustworthy than any random user joining the server (or so I would hope). It also applies to any users that are allowed "ulx voteban" (which is not given to "user" by default), but this generally requires a majority vote, and admin approval. I think the reason is displayed to everyone at least once, so it's at least detectable that something fishy is going on.
[QUOTE=nettsam;46853820]b.) stickly man is easy to contact afaik, and iirc he's online steam often. not sure if he accepts friend requests though but you can easily inform him in many other less community damaging ways[/QUOTE]
I'm *generally* easy to contact, provided I don't have too much going on IRL lol. Emailing the team at [email]team@ulyssesmod.net[/email] is the best, PMs here or on our Ulyssesmod.net forums are good as well, and I'm okay with Steam friend requests, but leave a message on my profile to increase my likeliness of accepting.
With regards to this issue, I'm just lucky I decided to check Facepunch when I did- caught this thread 20 minutes after it was posted. :P
[QUOTE=edgarasf123;46854029]I would suggest Team Ulysses to add some kind of update notifier in situations like this.[/QUOTE]
Keeping everyone up to date has been a problem as of late- we haven't had time to put together a release with all of our bugfixes, and it seems most people install the release before the "development" version. Either way, we are investigating ways to improve this moving forward.
edgarasf123:
Thank you for finding this and posting it. You are certainly right that public exploits get fixed fastest.
I was notified almost immediately after you posted this, and Stickly Man messaged me that he had already had a fix before I even had a chance to look at the code.
Now that a fix has been compiled and pushed, it might be best if you at LEAST remove the specifics from your main post.
Your post has served its purpose and now all it is doing is allowing would-be script kiddies to learn a way to exploit servers who haven't updated yet.
If you would, please remove the details on how to perform this exploit from your post. I know we'd appreciate it.
Really nice find.
I don't really understand why the ulx devs don't just use RunConsoleCommand since it handles escaping for you.
There's also another ulx plugin that allows admins to change the rpname (still around). While doing it it sends a notification to all users like
[CODE]
ply:SendLua("User changed name to " .. rpname)
[/CODE]
It's pretty much the same type of exploit and can also be used to take over servers.
How do you prevent escaping and then subsequent exploits?
[QUOTE=syl0r;46857681]Really nice find.
I don't really understand why the ulx devs don't just use RunConsoleCommand since it handles escaping for you.
There's also another ulx plugin that allows admins to change the rpname (still around). While doing it it sends a notification to all users like
[CODE]
ply:SendLua("User changed name to " .. rpname)
[/CODE]
It's pretty much the same type of exploit and can also be used to take over servers.[/QUOTE]
We have no control over the content of unofficial ULX plugins. ULX and ULib were designed to be modular and extendable making it easy for anyone to write plugins or extensions.
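Added example (not part of any post in this thread, and not ULX or ULib code): one way to announce a user-chosen name to clients without building Lua source from it, which is the pattern the `SendLua` posts above are about. The message name `rpname_changed`, the length limit, and the helpers `sanitizeName` and `announceNameChange` are hypothetical; the name travels as data through Garry's Mod's `net` library and is never passed to anything that executes it.

```lua
-- Shared file (hypothetical): loaded on both server and client.
-- The name is a net message payload, never concatenated into Lua source.

local MSG = "rpname_changed"   -- hypothetical message name
local MAX_NAME_LEN = 32        -- assumed limit for this example

if SERVER then
    util.AddNetworkString(MSG)

    -- Strip control characters and cap the length before the value is used anywhere.
    local function sanitizeName(name)
        name = tostring(name or "")
        name = string.gsub(name, "%c", "")
        return string.sub(name, 1, MAX_NAME_LEN)
    end

    -- Call this from the command that changes the name.
    -- Returns false when nothing usable is left after sanitizing.
    function announceNameChange(target, rawName)
        local name = sanitizeName(rawName)
        if name == "" then return false end

        net.Start(MSG)
            net.WriteEntity(target)
            net.WriteString(name)
        net.Broadcast()
        return true
    end
end

if CLIENT then
    net.Receive(MSG, function()
        local target = net.ReadEntity()
        local name = net.ReadString()
        if not IsValid(target) then return end

        -- chat.AddText prints its arguments as text; nothing here is executed.
        chat.AddText(Color(200, 200, 200), target:Nick(), " changed name to ", name)
    end)
end
```

Where a string really has to be embedded in generated Lua, `string.format("%q", name)` produces a quoted literal, but sending the value as data removes the need to get the quoting right.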