
** ALL ADMINS: PLEASE READ ** ASAP


Minic:

--- Quote from: » Magic « on March 23, 2011, 01:54:20 PM ---details on wut the risk is? ;o

--- End quote ---

Typically, when a Source Engine exploit arises, its target is the server... I normally reproduce it and mitigate it; no one ever really gets any details from me aside from coolzeldad.

Seeing as this attack is directed at clients, I feel you guys should be in the know.



First of all, I want to make it clear that I am revealing this information in good faith that it will help you better understand the situation and identify an attack. Not for you to attempt to reproduce it or reveal it to anyone else.

With that being said, we haven't seen this attack yet in the wild, but having heard vague details of the attack through various sources, I was able to reproduce it.

Basically, a malicious attacker sends a spoofed packet to your game client "from" the server... Your game client happily accepts it and does its thing.



In this attack reproduction I was able to send a "LuaCmd" user message to the client, which Garry's Mod uses internally for functions like ply:SendLua() etc....

Essentially, an attacker is able to SendLua() you stuff, perhaps a lot more also, but user messages were the only thing I felt the need to reproduce.

Since your game client has server-side Administrative permissions... I think you see where this is going.



This exploit, along with another I've already fixed (the server revealing your IP and client port to anyone connected to the server) is more than enough to exploit this vulnerability.




Anyway, here's a screenshot of my reproduction.

Sorry for the huge image, I have dual LCDs at 1920x1080 each :)

http://filesmelt.com/dl/maVAthAZEswujU5A.png




Basically what you're seeing is an attacker SendLua()ing some stuff to an Administrator's game client, which causes it to kill a bot...

Nothing major of course, but depending on the attacker's motivations, this could potentially be very bad, such as them promoting themselves to Temp Admin etc.



I would like to add an additional bit of information.

1. The attacker does not need to be in-game to exploit this.

2. This attack causes your game client and server to become out of sync, and you will time out. If you notice in the screenshot at the top right, I am timing out.

3. +clientport <random port> is not enough to totally mitigate this attack. An attacker can get your IP from Steam Voice Chat for instance, and fire his packet to all 65535 ports.

4. I can think of a few logical ways to totally mitigate this attack, the most obvious is to hook WinSock functions in the client which is a bit risky when it comes to VAC... Another would be to do deep packet inspection at your router and drop said malicious packet.



The ideas to totally mitigate this attack outlined in #4 aren't too plausible for everyone. What I have done personally is make a rule on my router's firewall that will alert me if any packet is sent to UDP port 27005 (the default client port).

That will not fix the issue, but it will most certainly raise my suspicion and allow me to disconnect from the game and investigate further.



If you have any further questions regarding this attack, please post them here and I will be happy to clarify any confusion.



And no... You cannot have my script. :trollface:



I also would like to add that it is +clientport and not -clientport...
If you have set -clientport, please change it to +clientport.
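A detection-side illustration of the tripwire Minic describes above (the firewall alert on the default client port), as an added example that is not from the thread or from the author: it assumes the client runs on a non-default +clientport, so anything reaching the abandoned default UDP 27005 is a canary hit, and it additionally flags one claimed source touching many client ports in a short window, which is what a port spray against a randomised client port looks like from the defender's side. The Datagram records, the server address 203.0.113.10, the client port 31337 and the thresholds are all constructed for the example.

```python
from collections import defaultdict
from typing import NamedTuple

DEFAULT_CLIENT_PORT = 27005  # Source Engine default client port named in the thread


class Datagram(NamedTuple):
    ts: float       # arrival time in seconds (constructed sample data below)
    src_ip: str     # claimed source; a spoofed packet would claim the server's IP
    src_port: int
    dst_port: int   # UDP port on the client host


def detect(datagrams, real_client_port, window=2.0, sweep_threshold=20):
    """Return a list of (kind, detail) alerts.

    'canary': traffic reached the default port we deliberately stopped using.
    'sweep' : one claimed source touched >= sweep_threshold distinct client
              ports within `window` seconds; a real server only talks to the
              single port we are connected on.
    """
    alerts = []
    recent = defaultdict(list)   # src_ip -> [(ts, dst_port), ...] in the window
    sweep_reported = set()       # report each sweeping source once
    for d in sorted(datagrams, key=lambda x: x.ts):
        if d.dst_port == DEFAULT_CLIENT_PORT and real_client_port != DEFAULT_CLIENT_PORT:
            alerts.append(("canary", f"{d.src_ip}:{d.src_port} -> udp/{d.dst_port}"))
        hist = recent[d.src_ip]
        hist.append((d.ts, d.dst_port))
        hist[:] = [(t, p) for t, p in hist if d.ts - t <= window]  # drop old entries
        ports = {p for _, p in hist}
        if d.src_ip not in sweep_reported and len(ports) >= sweep_threshold:
            sweep_reported.add(d.src_ip)
            alerts.append(("sweep", f"{d.src_ip} hit {len(ports)} ports in {window}s"))
    return alerts


# Constructed sample traffic: normal game traffic on our real port 31337 from
# the server 203.0.113.10:27015, then a burst claiming the same source that
# sprays ports 27000-27030 (which crosses the unused default port 27005).
SERVER = "203.0.113.10"
SAMPLE = [Datagram(t * 0.05, SERVER, 27015, 31337) for t in range(40)]
SAMPLE += [Datagram(5.0 + i * 0.001, SERVER, 27015, 27000 + i) for i in range(31)]


def run_sample():
    # Expected: one 'canary' alert followed by one 'sweep' alert.
    return detect(SAMPLE, real_client_port=31337)
```

A real deployment would feed this from the router's firewall log rather than an in-memory list; the point is that the abandoned default port and the per-source port spread are both observable without inspecting packet contents.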

coolzeldad:

--- Quote from: Minic on March 23, 2011, 05:42:57 PM ---And no... You can not have my script. :trollface:

--- End quote ---

Was I not supposed to upload that to every public file-sharing venue available?
:omgwtftrolld:

» Magic «:
mmz, k thx for advising

Tomcat:
doing it right
