• Print

Author Topic: New viruses  (Read 11 times)

0 Members and 1 Guest are viewing this topic.

Offline Megiddo

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 6214
  • Karma: 394
  • Project Lead
New viruses
« on: October 12, 2006, 09:04:17 am »
Alright, we better brace ourselves for the next generation of lua viruses after Valve put in those (insufficient) blocks.

Viruses can continue to exist by downloading themselves as a config file and running from there.

Here's a list of files that autoexec from the cfg directory, in order of load precedence:

On client startup
  • config.cfg
  • lua.txt -- No threat
  • valve.rc
  • joystick.cfg
  • autoexec.cfg

On listen server start:
  • serverconfig.txt -- No threat
  • game.cfg
  • skill.cfg
  • listenserver.cfg
  • server_allows.txt -- No thread

Of these, the default client does not have:
  • valve.rc
  • joystick.cfg
  • autoexec.cfg
  • skill.cfg
  • listenserver.cfg

Fixing this (as far as I can see, only remaining exploit) is a simple matter of clients creating these files. As far as I know, .res file cannot overwrite existing files.
Experiencing God's grace one day at a time.

Offline Megiddo

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 6214
  • Karma: 394
  • Project Lead
Re: New viruses
« Reply #1 on: October 12, 2006, 09:19:48 am »
Okay, I just tested downloading config files to a client via .res... It appears it's been blocked, yay!

Another way virii could spread is by making a menu in which you press a button to activate the virus. I'll go look into this.

Update:
The above method is possible, but something similar to my "SendMenu" plugin could easily be used as the delivery system as well. Unfortunately, we can't trust users not to press a mysterious button in their spawn menu...

It's important to note that this would only be effective while running a listen server... but the button could easily be rigged to disconnect the user, start a listen server, and then run the virus command.

Anyone have ideas for a solution?

Another update:
I informed garry of this exploit, waiting for a response. I've got to go to school for now, hope we can spawn some ideas to prevent this!

Yet another update:
Here's the log from the chat with garry:
Quote
(10:33:10) (Megiddo) Garry, lua viruses aren't dead yet. You can still send exploitive commands in spawnmenus.
(10:33:52) (Megiddo) The server could give the client an ambigous file, give them a button on the spawn menu that would disconnect them from the current server, run a listen server, and execute that file.
(11:07:07) (garry) huh
(11:07:20) (garry) could that happen on any source game though
(12:42:42) (Megiddo) No, since it's using the spawn menu
(13:26:47) (garry) yeah but couldn't you use that meta mod thing to launch console commands on them
(13:28:12) (Megiddo) Good point. You could use a plugin to give them a virus and effectively run it.
(13:28:27) (Megiddo) I guess there's just no avoiding viruses then?
(13:28:35) (garry) I don't think you could
(13:28:47) (garry) else people would be doing it already
(13:29:15) (Megiddo) It was a lot easier with the previous methods
(13:29:46) (Megiddo) GM10 won't be able to write files outside of the gmod folder will it?
(13:29:59) (garry) won't be able to write outside the data/ folder
(13:30:25) (Megiddo) Ah, good.
(13:30:41) (Megiddo) Thanks for your time garry

Guess there's no hope of virus extermination? (By the way, this log stays private, don't let anyone else see it.)
« Last Edit: October 12, 2006, 12:35:22 pm by Megiddo »
Experiencing God's grace one day at a time.

  • Print