• Print

Author Topic: Heads up: There's a command injection bug in ULX that can be used maliciously.  (Read 18 times)

0 Members and 1 Guest are viewing this topic.

Offline Stickly Man!

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 1270
  • Karma: 164
  • What even IS software anymore?
    • XGUI
I just came across this: http://facepunch.com/showthread.php?t=1444703. In case it gets deleted, here's the original post.
Quote
Going trough ulx files I found this. I was bit surprised how ulx devs missed such thing in the first place. I then decided to test the exploit where I am just an admin(without any rcon permissions), and it did work.



Code: [Select]
ulx ban "paxan" 1 "english only\n;sv_airaccelerate 100"
It should also also work with "voteban" as it execute same function as "ban". And some servers do allow regular players to execute "voteban", so this exploit is not restricted just to admins.

Some people will probably hate me or something, but I just want to let the public know. Public exploits get fixed fastest :).


While I certainly don't agree with how this was just publicly dumped (a PM and a few days time to fix would have been nice), it is a problem that needs a fix. I've tested it myself:
Code: [Select]
] ulx banid "STEAM_0:1:123" 0 ";say hi"
You banned steamid STEAM_0:1:123 permanently (;say hi)
Console: hi

Essentially, this means that any user that has access to ban, banid, or voteban (much more likely) without a whitelisted reason string can run any command they want on the console.

I'm going to do a temporary fix which just removes semicolons from the reason string (other parameters seem to be unaffected), and we can work out a better solution if we need to in the future.
Join our Team Ulysses community discord! https://discord.gg/gR4Uye6

Offline Stickly Man!

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 1270
  • Karma: 164
  • What even IS software anymore?
    • XGUI
Patch has been made: https://github.com/Nayruden/Ulysses/commit/c4aa01eed84f2b2365949899fd71d20ca3824097

Getting this patch to people is going to be the hard part. Hey Megiddo, now's a good time to buckle down and get a new release out? :P
Join our Team Ulysses community discord! https://discord.gg/gR4Uye6

Offline JamminR

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 8096
  • Karma: 390
  • Sertafide Ulysses Jenius
    • Team Ulysses [ULib/ULX, other fine releases]
And point our website to "working" github download http anchor links along with SVN links that will only work in SVN.
Once people click on the SVN link that gives error 404, they give up and download the almost 2 year old code.
"Though a program be but three lines long, someday it will have to be maintained." -- The Tao of Programming

Offline Stickly Man!

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 1270
  • Karma: 164
  • What even IS software anymore?
    • XGUI
Yeah.. that would help as well.

Should we make a news post about this informing people to do an update? The info is already publicly available, but some server owners may not find out or bother updating for a while.
Join our Team Ulysses community discord! https://discord.gg/gR4Uye6

Offline JamminR

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 8096
  • Karma: 390
  • Sertafide Ulysses Jenius
    • Team Ulysses [ULib/ULX, other fine releases]
I'd recommend a news update, yes.
No direct details. Not even sure I'd mention ban reason in the news release.
Just 'we were notified of a command injection possibility, and it's fixed in our latest github, available <link> here for direct ZIP, and <link> for SVN.' type heads up.
Is TheCommander a user here with a different nickname?
If so, thank them directly as their Ulysses nick name for the heads up about another person finding it.
"Though a program be but three lines long, someday it will have to be maintained." -- The Tao of Programming

Offline Megiddo

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 6214
  • Karma: 394
  • Project Lead
Fortunately, this exploit is relatively low risk, since it's visible in voteban and assumed to be a somewhat trusted agent if they have ban directly.

I would like to release soonish. The only thing on my list that I didn't get a chance to get to for the next release is custom hooks for targeting -- but that's low priority, anyways.
Experiencing God's grace one day at a time.

  • Print