Author Topic: ** ALL ADMINS: PLEASE READ ** ASAP  (Read 142 times)

0 Members and 1 Guest are viewing this topic.

Offline coolzeldad

  • ******
  • OwnerDonatorOld Forum MemberrNd DeveloperLinux UserWindows UserDog LoverLeague PlayerDWO Player
    View More Badges!

  • Posts: 3333
  • I eat ddos for breakfast OMNOMONOM
    • .:`=-~rANdOm~`-=:. Game Servers
** ALL ADMINS: PLEASE READ ** ASAP
« on: March 23, 2011, 01:03:36 PM »
Please set your client port to some random number between 1-65535

To do this:

1. Open up your game library
2. Right-Click on Garry's Mod and go to the Properties menu.
3. Click on the Set Launch Options button
4. add +clientport #NUMBER (EX: +clientport 27462)
5. Click OK

This is a preventative measure with a recent exploit in the source engine.

Thanks for reading!
-coolz
« Last Edit: March 23, 2011, 05:45:46 PM by coolzeldad »
 ▲
▲▲Big thanks to Marie for this awesome sprite! :3

Spoiler: Moar Imagez (click to show/hide)
pingaz
Thanks Cryptokid!

Thanks gamefreak!


-- My youtube: http://www.youtube.com/coolzeldad
-- My deviantart: http://coolzeldad.deviantart.com
-- My soundcloud: http://www.soundcloud.com/coolzeldad
-- My ustream: http://www.ustream.tv/channel/coolzeldapingaz
-- My twitchtv: http://www.twitch.tv/coolzeldad

-- rNd Wiki: http://wiki.randomgs.com
-- rNd Youtube: http://www.youtube.com/RandomgsProductions
-- rNd Steam Group: http://steamcommunity.com/groups/r_A_N_d_O_m

Spoiler: rNd Typography (click to show/hide)





Every time you download Garry's Mod illegally, Garry makes a bug.

When people ask me "Plz" because its shorter than "Please" I feel perfectly justified to answer "No" because its shorter than "Yes".

derp herp lerp perp kerp serp zerp - say faiv timez fazt


Offline coolzeldad

  • ******
  • OwnerDonatorOld Forum MemberrNd DeveloperLinux UserWindows UserDog LoverLeague PlayerDWO Player
    View More Badges!

  • Posts: 3333
  • I eat ddos for breakfast OMNOMONOM
    • .:`=-~rANdOm~`-=:. Game Servers
Re: ** ALL ADMINS: PLEASE READ ** ASAP
« Reply #1 on: March 23, 2011, 01:12:13 PM »
Make sure it's +clientport and not -port or -clientport
« Last Edit: March 23, 2011, 05:50:18 PM by coolzeldad »
 ▲
▲▲Big thanks to Marie for this awesome sprite! :3

Spoiler: Moar Imagez (click to show/hide)
pingaz
Thanks Cryptokid!

Thanks gamefreak!


-- My youtube: http://www.youtube.com/coolzeldad
-- My deviantart: http://coolzeldad.deviantart.com
-- My soundcloud: http://www.soundcloud.com/coolzeldad
-- My ustream: http://www.ustream.tv/channel/coolzeldapingaz
-- My twitchtv: http://www.twitch.tv/coolzeldad

-- rNd Wiki: http://wiki.randomgs.com
-- rNd Youtube: http://www.youtube.com/RandomgsProductions
-- rNd Steam Group: http://steamcommunity.com/groups/r_A_N_d_O_m

Spoiler: rNd Typography (click to show/hide)





Every time you download Garry's Mod illegally, Garry makes a bug.

When people ask me "Plz" because its shorter than "Please" I feel perfectly justified to answer "No" because its shorter than "Yes".

derp herp lerp perp kerp serp zerp - say faiv timez fazt


Offline » Magic «

  • i play pc computer
  • ***
  • Windows UserLinux UserLeague PlayerOld Forum MemberCat LoverDedicated Summoner
    View More Badges!

  • Posts: 5075
  • Gender: Male
  • ↑ ↑ ↓ ↓ ← → ← → B A
    • MagiCorp
Re: ** ALL ADMINS: PLEASE READ ** ASAP
« Reply #2 on: March 23, 2011, 01:54:20 PM »
details on wut the risk is? ;o

Offline jimonions

  • the text below is true
  • *****
  • Old Forum MemberWindows User
    View More Badges!

  • Posts: 822
  • Gender: Female
  • the text above is not true
Re: ** ALL ADMINS: PLEASE READ ** ASAP
« Reply #3 on: March 23, 2011, 03:55:37 PM »
dun

(JBanned) .:RND`=- DJ myppl8: if i eva become supa admin id ban moo and make hima guest

Offline Tomcat

  • Your Argument is Inert
  • ******
  • Donator
    View More Badges!

  • Posts: 2539
  • Gender: Male
  • Wat Do?
    • Tomcat's blog
Re: ** ALL ADMINS: PLEASE READ ** ASAP
« Reply #4 on: March 23, 2011, 04:36:01 PM »
its funny because i already changed mine way before this

:)

Offline Minic

  • *
  • Windows UserLinux UserApple UserOld Forum MemberrNd Developer
    View More Badges!

  • Posts: 42
Re: ** ALL ADMINS: PLEASE READ ** ASAP
« Reply #5 on: March 23, 2011, 05:42:57 PM »
details on wut the risk is? ;o

Typically when a Source Engine exploit arises, it's target is the server... I normally reproduce it, and mitigate it, no one ever really gets any details from me aside from coolzeldad.

Seeing as this attack is directed at clients. I feel you guys should be in the know.



First of all, I want to make it clear that I am revealing this information in good faith that it will help you better understand the situation and identify an attack. Not for you to attempt to reproduce it or reveal it to anyone else.

With that being said, we haven't seen this attack yet in the wild, but having heard through various sources vague details of the attack. I was able to reproduce it.

Basically, a malicious attacker sends a spoofed packet to your game client "from" the server... Your game client happily accepts it and does it's thing.



In this attack reproduction I was able to send a "LuaCmd" user message to the client, which Garry's Mod uses internally for functions like ply:SendLua() etc....

Essentially, an attacker is able to SendLua() you stuff, perhaps a lot more also, but user messages were the only thing I felt the need to reproduce.

Since your game client has server side Administrative permissions... I think you see where this is going.



This exploit, along with another I've already fixed (the server revealing your IP and client port to anyone connected to the server) is more than enough to exploit this vulnerability.




Anyway, here's a screenshot of my reproduction.

Sorry for the huge image, I have dual LCD's at 1920x1080 each :)

http://filesmelt.com/dl/maVAthAZEswujU5A.png




Basically what you're seeing is, an attacker SendLua() some stuff to a Administrators game client, which causes it to kill a bot...

Nothing major of course, but depending on the attackers motivations, this could potentially be very bad, such as them promoting themselves to Temp Admin etc.



I would like to add an additional bit of information.

1. The attacker does not need to be in-game to exploit this.

2. This attack causes your game client and server to become out of sync, and you will timeout. If you notice in the screen shot at the top right, I am timing out.

3. +clientport <random port> is not enough to totally mitigate this attack. An attacker can get your IP from Steam Voice Chat for instance, and fire his packet to all 65535 ports.

4. I can think of a few logical ways to totally mitigate this attack, the most obvious is to hook WinSock functions in the client which is a bit risky when it comes to VAC... Another would be to do deep packet inspection at your router and drop said malicious packet.



The ideas to totally mitigate this attack outlined in #4 aren't to plausible for everyone. What I have done personally is made a rule on my router's firewall that will alert me if any packet is sent to UDP port 27005 (the default client port).

That will not fix the issue, but it will most certainly arise my suspicion and allow me to disconnect from the game and investigate further.



If you have any further questions regarding this attack, please post them here and I will be happy to clarify any confusion.



And no... You can not have my script. :trollface:



I also would like to add that it is +clientport and not -clientport...
If you have set -clientport, please change it to +clientport.

Offline coolzeldad

  • ******
  • OwnerDonatorOld Forum MemberrNd DeveloperLinux UserWindows UserDog LoverLeague PlayerDWO Player
    View More Badges!

  • Posts: 3333
  • I eat ddos for breakfast OMNOMONOM
    • .:`=-~rANdOm~`-=:. Game Servers
Re: ** ALL ADMINS: PLEASE READ ** ASAP
« Reply #6 on: March 23, 2011, 05:54:27 PM »
And no... You can not have my script. :trollface:

Was I not supposed to upload that to every public file-sharing venue available?
:omgwtftrolld:
 ▲
▲▲Big thanks to Marie for this awesome sprite! :3

Spoiler: Moar Imagez (click to show/hide)
pingaz
Thanks Cryptokid!

Thanks gamefreak!


-- My youtube: http://www.youtube.com/coolzeldad
-- My deviantart: http://coolzeldad.deviantart.com
-- My soundcloud: http://www.soundcloud.com/coolzeldad
-- My ustream: http://www.ustream.tv/channel/coolzeldapingaz
-- My twitchtv: http://www.twitch.tv/coolzeldad

-- rNd Wiki: http://wiki.randomgs.com
-- rNd Youtube: http://www.youtube.com/RandomgsProductions
-- rNd Steam Group: http://steamcommunity.com/groups/r_A_N_d_O_m

Spoiler: rNd Typography (click to show/hide)





Every time you download Garry's Mod illegally, Garry makes a bug.

When people ask me "Plz" because its shorter than "Please" I feel perfectly justified to answer "No" because its shorter than "Yes".

derp herp lerp perp kerp serp zerp - say faiv timez fazt


Offline » Magic «

  • i play pc computer
  • ***
  • Windows UserLinux UserLeague PlayerOld Forum MemberCat LoverDedicated Summoner
    View More Badges!

  • Posts: 5075
  • Gender: Male
  • ↑ ↑ ↓ ↓ ← → ← → B A
    • MagiCorp
Re: ** ALL ADMINS: PLEASE READ ** ASAP
« Reply #7 on: March 24, 2011, 01:55:44 PM »
mmz, k thx for advising

Offline Tomcat

  • Your Argument is Inert
  • ******
  • Donator
    View More Badges!

  • Posts: 2539
  • Gender: Male
  • Wat Do?
    • Tomcat's blog
Re: ** ALL ADMINS: PLEASE READ ** ASAP
« Reply #8 on: March 24, 2011, 08:09:28 PM »
doing it right