Fix for Durgzmod (sv will be hacked without this Lua line change)

Ok, now, I'm not sure if this exists elsewhere, but a server that I know of got hacked. The admins, who didn't want it to happen to other servers, came to my DarkRP server with the name "!rcon rcon_password "password"". The first one who came to this server while one of my subordinate admins was on was banned by him, permanently, for threatening to hack the server. I believe his reasoning was hasty, and the next day, while I was on, another guy came on doing the same thing. Because I wasn't afraid of his claims that he could "hack the server", I simply froze him and told him to change his name. Every time he changed his name back, I froze him again, and the third time I went to him; he was in the sewers (rp_downtown_v2) with some cigarettes as a drug dealer. He told me that he was trying to warn me and my associate Charles Wenzel about a potential hack of the server.

We came to the conclusion that if he had taken the cigarettes (after any rcon-possessing admin had entered their rcon password into console), he would be able to force the command rcon_password "password" on us, which would change the password to "password", allowing him to change it to whatever he wanted and fuck with the server. Knowing the right commands for the server, and with no one with direct control over the server (to stop it manually) present, he would be able to remove every other admin and make himself an admin. He would be able to run Lua commands on the server and possibly wipe it clean.

This is the fix to this problem, very simple. Please don't have your server get knocked on its ass like that other server, which will go unnamed unless they should come visit this thread and say something about it. Alright, this is all you have to do. Go to line 22 of durgz_cigarrete/init.lua and change line 22, which should look very similar to this:

pl:ConCommand("say I think that "..activator:Nick().." is COOL.")

Now when someone takes drugs, rather than the name being the first thing everyone else says (allowing people to force rcon commands), people will say "I think that" first. OR you could just remove the whole line, or the cigarettes themselves, but I like cigarettes, and therefore, I think that I am cool :)

It doesn’t work that way…

ply:Nick() will return a string… It won’t run a command.

I assume !rcon is a chat command on your server, but pl:ConCommand will run on pl’s client, and unless they have access to !rcon in the first place, it won’t do anything.

There was a problem with DarkRP a while ago, a similar injection exploit, but I’m sure it’s been fixed.

It does run a command if the command is the string. If his name is !rcon rcon_password "password" and someone in the server has put the rcon password into console, yes, it will force the command to change the rcon password. And no, I can guarantee you that if you download cheesylard's most recent update of this from www.garrysmod.org, you will find the same exploit there. I'm telling you this because it's proven, not because I'm guessing. If you are gonna call bullshit, then go tell that to all the admins who saw their server reduced to nothing in a matter of minutes as all their admin was revoked and they were made powerless to do anything. The server I am talking about just got put back up, without Durgzmod, although I did tell one of their admins what to change to remove the exploit.

I was talking about a similar exploit in DarkRP.

[lua]
for id, pl in pairs(player.GetAll()) do
    if pl != activator then
        pl:ConCommand("say "..activator:Nick().." is COOL.")
    end
end
[/lua]
This is the problem. If any of the players on the server has the rights to the !rcon command, it will be run on their client. activator:Nick() DOES return a string, it DOES NOT run the command. It just so happens that the player can change their name to whatever chat command they like, and if there is an admin on the server, they will be forced to say it.

You shouldn’t have any admins with rcon rights in a plugin, if you trust them with rcon, give them the actual rcon password.

If you want to fix it, remove the whole for loop at lines 19 - 25.

You can’t run any concommands with ‘rcon’ in them.

Yes, with ULX, you can. If you have your rcon password put into console, you can for instance type !rcon kickid <unique or steamid> and it will kick that player by console. By starting the command with rcon, you are substituting typing the prefix command rcon into console, anything that comes after, if it is a valid console command, it will be executed. Now you can’t merge rcon commands with ulx commands like for instance !rcon kick bob, as all the command !rcon does is run the command in console with rcon prefixed.

[editline]10:46PM[/editline]

I have three super admins, excluding myself, all of whom know the rcon password. They never have to use it, though, because ULX is simple that way. Plus, in an RP server where the difference between a player's RP name and their Steam name/ID can become a factor, having ULX is an issue. Luckily the log system that ULX offers accounts for most of the people who try crashing the server. Speaking of which, we had one guy say he was going to crash the server, leave, and rejoin, and the server went down. The last thing on the console log was "_____ has connected" with their Steam ID, lol. Perma ban. Sorry to go off topic, though, lol. Anyway, if anyone knows of a good plugin that runs a command to match RP names with Steam IDs, that would be great.

You can’t run a ConCommand with ply:ConCommand() if it has the word ‘rcon’ in it.
If my name was ‘Lexi;ulx kick bob’, then that would kick bob.
If my name was ‘!rcon rcon_password “password”’, nothing would happen.
Even if it did happen, you would say “I think that !rcon rcon_password “password” is COOL!”, which last I checked isn’t a valid ULX command.
This is a fairly large exploit, as it allows people to (in an incredibly obvious way) run console commands on all clients (As long as they don’t get blocked by one of the many censors). Unfortunately you don’t seem to grasp how large it is, or how to use it.
I would, however, advise anyone who uses the mod to either strip the command, or change it to
pl:ConCommand("say I think that "..activator:Nick():sub(";","").." is COOL.")

Or you could just get this version that gets rid of all the talking anyway: http://www.garrysmod.org/downloads/?a=view&id=63955, less spam and less exploitable.

gsub, not sub
pl:ConCommand("say I think that "..activator:Nick():gsub(";","").." is COOL.")

No, I wasn't saying that OUR version of init.lua is still vulnerable. Of course, if they say "I think that NICK is cool", there is no danger there. And I don't know for sure if the use of semicolons was involved; all I know is that a server went down because of this. The original line "NICK is cool" is what allowed it.

All this doesn't work anyway since ply:ConCommand() was blocked by garry; you'd have to go and run this:

[lua]
-- activator exists only on the server, so its nick has to be baked into the
-- Lua string sent to the clients (%q writes it as a quoted Lua string literal)
BroadcastLua("RunConsoleCommand('say', " .. string.format("%q", activator:Nick() .. " bla w/e") .. ")")
[/lua]

DarkRP had the problem with

[lua]
game.ConsoleCommand("kick "..ply:Name().."\n")
[/lua]

which apparently can be used for command injections... (";rcon_password h4x")
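The two injection patterns argued over in this thread, the Durgzmod "say" loop with the `:gsub(";","")` fix and the DarkRP kick line, side by side with hardened forms. This is an added example written for this page, not code from Durgzmod or DarkRP; it assumes a Garry's Mod server (serverside Lua, e.g. an addon's init.lua), and the function and hook names are hypothetical.

```lua
-- Added example, not code from Durgzmod or DarkRP. Assumes a Garry's Mod
-- server; announceVulnerable/announceHardened/kickVulnerable/kickHardened
-- and the hook name are hypothetical illustrations.

-- Why the bugs exist: a Source console command string is split into
-- separate commands on ';' and on newline, and "say <text>" hands <text>
-- to the chat system, where addons such as ULX treat a leading '!' as a
-- chat command. A player named   Lexi;ulx kick bob   or
-- !rcon rcon_password "password"   is harmless as a string and dangerous
-- the moment it is spliced into a command string some other client runs.

-- 1. VULNERABLE (the Durgzmod loop quoted above): every other client is
--    told to run "say <nick> is COOL." as one raw console string.
local function announceVulnerable(activator)
    for _, pl in ipairs(player.GetAll()) do
        if pl ~= activator then
            pl:ConCommand("say " .. activator:Nick() .. " is COOL.")
        end
    end
end

-- Remove every character the console tokenizer uses as a command or
-- argument delimiter: ';', CR, LF and the double quote.
local function consoleSafe(text)
    local cleaned = string.gsub(text, "[;\r\n\"]", "")
    return cleaned -- drop gsub's second return value (the match count)
end

-- 2. HARDENED: nobody is made to *say* the name. The text is printed into
--    each client's chat from the server, so it never passes through a
--    client console and never reaches a chat-command handler; the name is
--    still scrubbed in case the string is reused in a command elsewhere.
local function announceHardened(activator)
    local msg = "I think that " .. consoleSafe(activator:Nick()) .. " is COOL."
    for _, pl in ipairs(player.GetAll()) do
        if pl ~= activator then
            pl:ChatPrint(msg)
        end
    end
end

-- 3. VULNERABLE (the DarkRP pattern quoted above): the name is spliced
--    into a *server* console command. A name such as
--    bob;rcon_password h4x   ends the kick early and runs the remainder
--    as a second command with server privileges.
local function kickVulnerable(ply)
    game.ConsoleCommand("kick " .. ply:Name() .. "\n")
end

-- HARDENED: address the player through the API, never by name inside a
-- command string; the engine identifies the player, not the text.
local function kickHardened(ply, reason)
    ply:Kick(reason or "Kicked by an admin")
end

-- Defensive check: log anyone who joins with delimiter characters in
-- their name, so an attempt shows up in the server log even after every
-- addon has been fixed.
hook.Add("PlayerInitialSpawn", "example_name_delimiter_check", function(ply)
    local nick = ply:Nick()
    if string.find(nick, "[;\r\n\"]") then
        ServerLog(string.format("Suspicious name from %s: %q\n",
            ply:SteamID(), nick))
    end
end)
```

Stripping `;` and newlines covers the `Lexi;ulx kick bob` form; it does nothing against the `!rcon ...` form, because that name contains no delimiter and only needs to be the first word another player is forced to say. The fix for that is not a filter but never making any client say the name at all, which is why the hardened announcement prints the text instead of issuing a `say`. The engine's own refusal of `rcon` in `ConCommand` is not a substitute for either.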

Don’t be dumb. Any command with rcon in it will get blocked.

The exploit in the post above was fixed a long time ago, I think.