ULX exploit and/or bug.

[ceribik]

I can confirm this. It's happened to at least another two AUSTRALIAN gmod community servers (other than the OP's), including ours. I suspect this is a zero-day exploit.

The facts:
-Admins' accounts, rcon password, or physical server has *not* been compromised.
-ULX Log files indicate that admins are executing commands
----- Sometimes: into chat (i.e. "!slay *")
----- This chat isn't logged in the normal gmod log file.
-Admins are *not* executing these commands themselves (i.e. they're not rogue).
-Whenever 'this' occurs, admins/clients receive huge choke and some (the admins, and possibly others?) lose connection to the server. Most (all?) of the other players stay connected.


Correlations
-At least 2 out of the 3 servers being attacked are using the SVN version of ULX. I wasn't able to contact the other.

Related events
-The MOTD (ulx's?) is being *temporarily* changed to be porn-like for *some* users, but the actual MOTD files (ulx_motd.txt/htm) are not being changed.
--- this occurs around the same time as the huge choke/lag.


We're running the the latest stable version of TTT. I'll post the 'ulx debuginfo' output later.


This needs to be solved ASAP.

[Pantho]

Read my post here:
http://www.facepunch.com/threads/1066753-Very-serious-exploit-hack-currently.?p=28453640#post28453640

This isn't actually directly ULX fault. But he person selling these exploit/hacks are selling it in levels. The cheapest of which just runs "ulx adduser name superadmin" on player just before using a DoS on that player.

[Aaron113]

Mmm, yeah.  I think I was experiencing this on another server I'm admin on.  We ended up tracing down who the player was and banned him.  Although, this server does not use ULX, it still sounds very familiar to what he was doing.

EDIT:  I'm not sure if he was able to make himself Super or not.

[krooks]

Wow thanks for the insight, I'll be disabling voice chat in the meantime!

[Megiddo]

Figured it didn't have anything to do with ULX, but you can protect yourself from permanent damage by running the commands listed on the previous page. Or does disabling voice chat protect everyone entirely?

[ceribik]

So it basically works by DoSing an admin (i won't explain exactly how they got their IP, but just via voice chat) and then spoofing themselves as the admin they DoS'd?

I suppose if admins didnt use voice chat, it could also work as a temporary fix?

Figured it didn't have anything to do with ULX, but you can protect yourself from permanent damage by running the commands listed on the previous page. Or does disabling voice chat protect everyone entirely?

That wouldn't really do much, other than stopping themselves from adding them as admin and such. They can still spoof themselves as an admin and do whatever. I suppose this isnt really an ULX issue then.

[Pantho]

You seem to misunderstand.

It's not done via ingame voice chat.
 
It is done via STEAM Friends voice chat. They can start a call with you, even if they are not on your friends list. To get a victims IP you do not need to be in a game with them, or vis versa.
They do need to be ingame with you to spoof the packets however.

[JamminR]

t I can tell of this discussion and the one on Facepunch (which, only has about 4 relevant posts of discussion as of this comment), yes, it is a DDOS, which then uses any admin mod, ULX or not, to then do evil bidding.

I wonder, just theoretically, that most of the affected servers are in AU because the primary (not necessarily only) person causing trouble is in AU.
I'd imagine that attacking non-AU servers, from AU, using a DDOS across a longer route and transatlantic cables would cause a high enough latency that being successful with the DDOS would be more challenging.

[Megiddo]

You seem to misunderstand.

It's not done via ingame voice chat.
 
It is done via STEAM Friends voice chat. They can start a call with you, even if they are not on your friends list. To get a victims IP you do not need to be in a game with them, or vis versa.
They do need to be ingame with you to spoof the packets however.

Ah, that makes much more sense. So then valve is simply relying on users not knowing other users' IPs in order to not spoof their traffic. And to stop the original client from interfering, it's DDoS'd. Honestly not sure what valve can do to stop this without adding a ton of overhead to their protocol...

[Pantho]

Disable voice option?

Not giving your IP unless you answer the call would be a start.

[Megiddo]

Disable voice option?

Not giving your IP unless you answer the call would be a start.

Ah, didn't realize it was quite that bad. That would definitely be a good start.

[Megiddo]

In ULib rev 184 I added a security feature that stops this exploit from working on ULX, assuming the exploit works the way I think it does. You all will have to let me know if an admin mysteriously times out and another player in the server starts cursing.

Thanks to Stickly Man for the inspiration that led to this.

Technical details:
When a player joins the server, the server generates a random number for the player and hands it off the player. The player must then pass this secret number back to the server every time they execute a command that is registered through ULib. If the player hands off the wrong secret then their command is ignored. In a packet spoof attack, the attacker won't know what this secret is and won't be able to execute the command.

[krooks]

Good job! In general, that just sounds like a great preventative even if thats not actually whats going on in this whole mystery.

[NaRyan]

Oh wow. I never realised the exploit was that easy to be abused.
I had 4 players on my TTT server this morning (02:00 - 04:00GMT) abusing the heck out of the server.
They had got access to Sourcemod Admin, and were kicking,banning,slaying,map changing, cvar changing and also got the rcon password.
They also somehow got access to the Sourcebans login and deleted 2 Admins before they banned them from my servers.

Mind you I got no idea how they got the sourcebans login info, as only 2 Admins can delete other Admins.
Myself and another player I trust with that right, we were both online, but neither of us were ingame (I had woke up to find the trouble going on)

So until valve fixes this exploit *cough*, I take it my best bet would be to switch to ULX since it has some sort of protection against this problem?
As at the moment all 3 GMOD servers run Sourcemod and 2 of them run Evolve.

As both my Fretta and TTT servers are quite popular, and I need to have something to deal with any silly players, while keeping it easy for Admins and trouble free for my requlars.

I shall give ULX a try and let you know if things work well.
*If you hear a lot of shouting from the UK it's just me telling my Admins to shut up and deal with a different Admin addon 

[Pantho]

In ULib rev 184 I added a security feature that stops this exploit from working on ULX, assuming the exploit works the way I think it does. You all will have to let me know if an admin mysteriously times out and another player in the server starts cursing.

Thanks to Stickly Man for the inspiration that led to this.

Technical details:
When a player joins the server, the server generates a random number for the player and hands it off the player. The player must then pass this secret number back to the server every time they execute a command that is registered through ULib. If the player hands off the wrong secret then their command is ignored. In a packet spoof attack, the attacker won't know what this secret is and won't be able to execute the command.

CURSE YOU!

You're sadly awesome, now I have to update my ULX for the first time in forever and remake all my edits. Like adding Lexi's Sourceban functions to ban etc.

But it is worth it for the fix, I'll update our servers asap -