ULX

Author Topic: ULX exploit and/or bug.  (Read 36200 times)

0 Members and 4 Guests are viewing this topic.

Offline ceribik

  • Newbie
  • *
  • Posts: 4
  • Karma: 0
Re: ULX exploit and/or bug.
« Reply #15 on: March 06, 2011, 03:55:17 AM »
I can confirm this. It's happened to at least another two AUSTRALIAN gmod community servers (other than the OP's), including ours. I suspect this is a zero-day exploit.

The facts:
-Admins' accounts, rcon password, or physical server has *not* been compromised.
-ULX Log files indicate that admins are executing commands
----- Sometimes: into chat (i.e. "!slay *")
----- This chat isn't logged in the normal gmod log file.
-Admins are *not* executing these commands themselves (i.e. they're not rogue).
-Whenever 'this' occurs, admins/clients receive huge choke and some (the admins, and possibly others?) lose connection to the server. Most (all?) of the other players stay connected.


Correlations
-At least 2 out of the 3 servers being attacked are using the SVN version of ULX. I wasn't able to contact the other.

Related events
-The MOTD (ulx's?) is being *temporarily* changed to be porn-like for *some* users, but the actual MOTD files (ulx_motd.txt/htm) are not being changed.
--- this occurs around the same time as the huge choke/lag.


We're running the the latest stable version of TTT. I'll post the 'ulx debuginfo' output later.


This needs to be solved ASAP.
« Last Edit: March 06, 2011, 04:01:01 AM by ceribik »

Offline Pantho

  • Newbie
  • *
  • Posts: 39
  • Karma: 2
Re: ULX exploit and/or bug.
« Reply #16 on: March 06, 2011, 07:00:09 AM »
Read my post here:
http://www.facepunch.com/threads/1066753-Very-serious-exploit-hack-currently.?p=28453640#post28453640

This isn't actually directly ULX fault. But he person selling these exploit/hacks are selling it in levels. The cheapest of which just runs "ulx adduser name superadmin" on player just before using a DoS on that player.

Offline Aaron113

  • Hero Member
  • *****
  • Posts: 803
  • Karma: 102
Re: ULX exploit and/or bug.
« Reply #17 on: March 06, 2011, 08:44:45 AM »
Mmm, yeah.  I think I was experiencing this on another server I'm admin on.  We ended up tracing down who the player was and banned him.  Although, this server does not use ULX, it still sounds very familiar to what he was doing.

EDIT:  I'm not sure if he was able to make himself Super or not.

Offline krooks

  • Sr. Member
  • ****
  • Posts: 382
  • Karma: 32
  • I don't like video games.
    • Diamond Krooks
Re: ULX exploit and/or bug.
« Reply #18 on: March 06, 2011, 09:44:58 AM »
Wow thanks for the insight, I'll be disabling voice chat in the meantime!
My TTT server. Join the fun!

Offline Megiddo

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 6214
  • Karma: 394
  • Project Lead
Re: ULX exploit and/or bug.
« Reply #19 on: March 06, 2011, 10:19:50 AM »
Figured it didn't have anything to do with ULX, but you can protect yourself from permanent damage by running the commands listed on the previous page. Or does disabling voice chat protect everyone entirely?
Experiencing God's grace one day at a time.

Offline ceribik

  • Newbie
  • *
  • Posts: 4
  • Karma: 0
Re: ULX exploit and/or bug.
« Reply #20 on: March 06, 2011, 01:05:56 PM »
So it basically works by DoSing an admin (i won't explain exactly how they got their IP, but just via voice chat) and then spoofing themselves as the admin they DoS'd?

I suppose if admins didnt use voice chat, it could also work as a temporary fix?

Figured it didn't have anything to do with ULX, but you can protect yourself from permanent damage by running the commands listed on the previous page. Or does disabling voice chat protect everyone entirely?

That wouldn't really do much, other than stopping themselves from adding them as admin and such. They can still spoof themselves as an admin and do whatever. I suppose this isnt really an ULX issue then.
« Last Edit: March 06, 2011, 01:27:41 PM by ceribik »

Offline Pantho

  • Newbie
  • *
  • Posts: 39
  • Karma: 2
Re: ULX exploit and/or bug.
« Reply #21 on: March 06, 2011, 03:42:07 PM »
You seem to misunderstand.

It's not done via ingame voice chat.
 
It is done via STEAM Friends voice chat. They can start a call with you, even if they are not on your friends list. To get a victims IP you do not need to be in a game with them, or vis versa.
They do need to be ingame with you to spoof the packets however.

Offline JamminR

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 8096
  • Karma: 390
  • Sertafide Ulysses Jenius
    • Team Ulysses [ULib/ULX, other fine releases]
Re: ULX exploit and/or bug.
« Reply #22 on: March 06, 2011, 03:45:18 PM »
t I can tell of this discussion and the one on Facepunch (which, only has about 4 relevant posts of discussion as of this comment), yes, it is a DDOS, which then uses any admin mod, ULX or not, to then do evil bidding.

I wonder, just theoretically, that most of the affected servers are in AU because the primary (not necessarily only) person causing trouble is in AU.
I'd imagine that attacking non-AU servers, from AU, using a DDOS across a longer route and transatlantic cables would cause a high enough latency that being successful with the DDOS would be more challenging.
"Though a program be but three lines long, someday it will have to be maintained." -- The Tao of Programming

Offline Megiddo

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 6214
  • Karma: 394
  • Project Lead
Re: ULX exploit and/or bug.
« Reply #23 on: March 06, 2011, 03:51:45 PM »
You seem to misunderstand.

It's not done via ingame voice chat.
 
It is done via STEAM Friends voice chat. They can start a call with you, even if they are not on your friends list. To get a victims IP you do not need to be in a game with them, or vis versa.
They do need to be ingame with you to spoof the packets however.

Ah, that makes much more sense. So then valve is simply relying on users not knowing other users' IPs in order to not spoof their traffic. And to stop the original client from interfering, it's DDoS'd. Honestly not sure what valve can do to stop this without adding a ton of overhead to their protocol...
Experiencing God's grace one day at a time.

Offline Pantho

  • Newbie
  • *
  • Posts: 39
  • Karma: 2
Re: ULX exploit and/or bug.
« Reply #24 on: March 06, 2011, 04:31:21 PM »
Disable voice option?

Not giving your IP unless you answer the call would be a start.

Offline Megiddo

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 6214
  • Karma: 394
  • Project Lead
Re: ULX exploit and/or bug.
« Reply #25 on: March 06, 2011, 05:36:39 PM »
Disable voice option?

Not giving your IP unless you answer the call would be a start.

Ah, didn't realize it was quite that bad. That would definitely be a good start. :)
Experiencing God's grace one day at a time.

Offline Megiddo

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 6214
  • Karma: 394
  • Project Lead
Re: ULX exploit and/or bug.
« Reply #26 on: March 06, 2011, 08:57:34 PM »
In ULib rev 184 I added a security feature that stops this exploit from working on ULX, assuming the exploit works the way I think it does. You all will have to let me know if an admin mysteriously times out and another player in the server starts cursing. ;)

Thanks to Stickly Man for the inspiration that led to this.

Technical details:
When a player joins the server, the server generates a random number for the player and hands it off the player. The player must then pass this secret number back to the server every time they execute a command that is registered through ULib. If the player hands off the wrong secret then their command is ignored. In a packet spoof attack, the attacker won't know what this secret is and won't be able to execute the command.
« Last Edit: March 06, 2011, 09:00:11 PM by Megiddo »
Experiencing God's grace one day at a time.

Offline krooks

  • Sr. Member
  • ****
  • Posts: 382
  • Karma: 32
  • I don't like video games.
    • Diamond Krooks
Re: ULX exploit and/or bug.
« Reply #27 on: March 06, 2011, 09:16:34 PM »
Good job! In general, that just sounds like a great preventative even if thats not actually whats going on in this whole mystery.
My TTT server. Join the fun!

Offline NaRyan

  • Newbie
  • *
  • Posts: 39
  • Karma: 1
Re: ULX exploit and/or bug.
« Reply #28 on: March 06, 2011, 11:28:27 PM »
Oh wow. I never realised the exploit was that easy to be abused.
I had 4 players on my TTT server this morning (02:00 - 04:00GMT) abusing the heck out of the server.
They had got access to Sourcemod Admin, and were kicking,banning,slaying,map changing, cvar changing and also got the rcon password.
They also somehow got access to the Sourcebans login and deleted 2 Admins before they banned them from my servers.

Mind you I got no idea how they got the sourcebans login info, as only 2 Admins can delete other Admins.
Myself and another player I trust with that right, we were both online, but neither of us were ingame (I had woke up to find the trouble going on)

So until valve fixes this exploit *cough*, I take it my best bet would be to switch to ULX since it has some sort of protection against this problem?
As at the moment all 3 GMOD servers run Sourcemod and 2 of them run Evolve.

As both my Fretta and TTT servers are quite popular, and I need to have something to deal with any silly players, while keeping it easy for Admins and trouble free for my requlars.

I shall give ULX a try and let you know if things work well.
*If you hear a lot of shouting from the UK it's just me telling my Admins to shut up and deal with a different Admin addon  :P

Offline Pantho

  • Newbie
  • *
  • Posts: 39
  • Karma: 2
Re: ULX exploit and/or bug.
« Reply #29 on: March 07, 2011, 03:58:26 AM »
In ULib rev 184 I added a security feature that stops this exploit from working on ULX, assuming the exploit works the way I think it does. You all will have to let me know if an admin mysteriously times out and another player in the server starts cursing. ;)

Thanks to Stickly Man for the inspiration that led to this.

Technical details:
When a player joins the server, the server generates a random number for the player and hands it off the player. The player must then pass this secret number back to the server every time they execute a command that is registered through ULib. If the player hands off the wrong secret then their command is ignored. In a packet spoof attack, the attacker won't know what this secret is and won't be able to execute the command.

CURSE YOU!

You're sadly awesome, now I have to update my ULX for the first time in forever and remake all my edits. Like adding Lexi's Sourceban functions to ban etc.

But it is worth it for the fix, I'll update our servers asap -