Author Topic: SECURITY NOTICE - ALL DarkRP Gamemode Users And Hosts  (Read 12161 times)

Offline JamminR

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 8096
  • Karma: 390
  • Sertafide Ulysses Jenius
    • Team Ulysses [ULib/ULX, other fine releases]
SECURITY NOTICE - ALL DarkRP Gamemode Users And Hosts
« on: January 25, 2008, 06:06:26 PM »
SECURITY NOTICE - DARKRP GAMEMODE
To DarkRP users, ALL CURRENT KNOWN VERSIONS
It has come to Team Ulysses' attention that an exploit exists within the DarkRP gamemode.
This exploit has the dire consequence of allowing NON administrative users to run any Lua code they want as server console. R00T ACCESS!!
The examples that were called to our attention were shown to have the user adding themselves as a ULX superadmin using the DarkRP exploit.
This is NOT an exploit of ULX. ANY DarkRP server could be taken advantage of whether it is using ULX or not.
Even if you are not a DarkRP host, the exploit may allow actions to be taken against you as a DarkRP player.
At this point, there is no action we can take to protect our Gmod community family from this exploit other than recommending you stop using the DarkRP gamemode.
AGAIN, we CAN NOT prevent the exploit from occurring. It is inherent to DarkRP. Removing ULX will not fix the exploit.
Please attempt to contact the DarkRP authors and ask them to correct the exploit.

« Last Edit: January 25, 2008, 08:41:45 PM by JamminR »
"Though a program be but three lines long, someday it will have to be maintained." -- The Tao of Programming

Phil

  • Guest

Offline JamminR

Re: SECURITY NOTICE - ALL DarkRP Gamemode Users And Hosts
« Reply #2 on: February 11, 2008, 11:21:36 AM »
Though the fixes used seem better with Phil's suggestion, the original DarkRP base is flawed.
We urge caution to any of the users who may use its derivatives.
We aren't urging people not to try the one Phil suggested, we're just saying be careful.

Phil's upload makes mention of a swiss army knife RP... I'm not familiar with this, but the exploit in the DarkRP code we mention was unintentional.

Phil

  • Guest
Re: SECURITY NOTICE - ALL DarkRP Gamemode Users And Hosts
« Reply #3 on: February 12, 2008, 02:11:36 AM »
To follow up,

My version above is based on a version called "DarkRP 2008 V2.2 (fixed)" which has now been removed by its author.

In his version, he fixed the vulnerability and added his own sneaky back door so that he could gain control of rcon servers in a way such that whatever they set their rcon password to in the future, it would be impossible to stop him getting in, even _AFTER_ they have removed DarkRP.


My version is his fixed version but it also removes his hack and fixes some other issues. I have audited it closely and don't believe there is any other way of getting in now.

To see what happened, see this thread:

http://forums.facepunchstudios.com/showthread.php?t=486564