• Print

Author Topic: ULX Exploit involving client uploaded files  (Read 25 times)

0 Members and 1 Guest are viewing this topic.

Offline Stickly Man!

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 1270
  • Karma: 164
  • What even IS software anymore?
    • XGUI
ULX Exploit involving client uploaded files
« on: September 20, 2015, 10:24:18 pm »
Hey everyone,

Willox from Facepunch (Github) has just contacted me on Steam regarding an exploit he found where ULX can execute a client-uploaded config.txt file via the custom gamemode/map config feature.
I have not yet had time to look into a fix, as I need to be getting to bed. I will email Megiddo of this thread so we can work out a fix quickly. Any input any of you have is always appreciated!


Here are the nitty-gritty details:

1. The attacked server has sv_allowupload enabled.
2. The malicious user prepares a config.txt file containing whatever console commands they want to be run on the sever.
3. The user illegally uploads the config.txt to the server with a specially crafted filepath. (This is done using modules, sourcenet, or other tools, i.e., not in your average Gmod client)
4. This file ends up in the server's download folder, for example: garrysmod/download/data/ulx/gamemodes/sandbox/config.txt
5. When ULX loads per-gamemode and per-map configurations, it will use ULib.fileExists and ULib.fileRead.
6. The download folder is considered in the "GAME" path, thus ULib will find and read these files, and ULX will execute them.

I have tested this on my own local dedicated server by using the following file:
Quote from: garrysmod\download\data\ulx\gamemodes\sandbox\config.txt
say "H4XED BY DUMBO"
say "ELEPHANTS $ ALL"

.. And sure enough, on server start:
Code: [Select]
[ULIB] Loading SHARED module: ulx_init.lua
///////////////////////////////
//       ULX Admin Mod       //
///////////////////////////////
// Loading...                //
//  sh_defines.lua           //
//  lib.lua                  //
//  base.lua                 //
//  sh_base.lua              //
//  log.lua                  //
//  MODULE: slots.lua        //
//  MODULE: uteam.lua        //
//  MODULE: votemap.lua      //
//  MODULE: xgui_server.lua  //
///////////////////////////////
// ULX GUI -- by Stickly Man //
///////////////////////////////
// Adding Main Modules..     //
//  bans.lua                 //
//  commands.lua             //
//  groups.lua               //
//  maps.lua                 //
//  settings.lua             //
// Adding Setting Modules..  //
//  client.lua               //
//  server.lua               //
// Adding Gamemode Modules.. //
//  sandbox.lua              //
// Loading Server Modules..  //
//  sv_bans.lua              //
//  sv_groups.lua            //
//  sv_maps.lua              //
//  sv_sandbox.lua           //
//  sv_settings.lua          //
// XGUI modules added!       //
///////////////////////////////
//  MODULE: chat.lua         //
//  MODULE: fun.lua          //
//  MODULE: menus.lua        //
//  MODULE: rcon.lua         //
//  MODULE: teleport.lua     //
//  MODULE: user.lua         //
//  MODULE: userhelp.lua     //
//  MODULE: util.lua         //
//  MODULE: vote.lua         //
//  end.lua                  //
// Load Complete!            //
///////////////////////////////
Executing dedicated server config file server.cfg
Nav File is wrong or something (4)
Console: "H4XED BY DUMBO"
Console: "ELEPHANTS $ ALL"
Writing cfg/banned_user.cfg.


For interest of full disclosure, here's the unedited chat log between me and Willox in case you want to glean any additional information;
Quote from: Willox
Never tell your password to anyone.
Sunday, September 20, 2015
10:06 PM - [ULX]Stickly Man!: Hi- thanks for the message. What's up?
10:06 PM - Willox: it's a really obvious thing
10:07 PM - Willox: i'd ask a gmod dev to fix it actually but like that'll happen
10:07 PM - Willox: clients can upload to download/data/x.txt
10:07 PM - Willox: download/ is in the GAME path (checked after garrysmod/)
10:07 PM - Willox: you can upload map configs
10:07 PM - Willox: at first glance the config loading appears to _not_ check the GAME path, but it does
10:08 PM - Willox: those configs can contain like ulx lua commands
10:08 PM - Willox: so you could have a backdoor in there or something
10:09 PM - Willox: let me find the line
10:10 PM - Willox: it's probably ULib.fileRead
10:10 PM - Willox: https://github.com/Nayruden/Ulysses/blob/26eaedb4e9ba830a92842b545b16e283e2cb6bb5/ulib/lua/ulib/shared/util.lua#L62-L64
10:10 PM - Willox: there it is
10:15 PM - [ULX]Stickly Man!: Hmm, makes sense. I'll have a crack at it and test it myself
10:16 PM - [ULX]Stickly Man!: I'd like to check with Megiddo to make sure a quick fix I make doesn't break anything, but we'll likely be able to have a fix by tomorrow at the latest
10:16 PM - [ULX]Stickly Man!: Good catch, thanks for letting us know!
10:16 PM - Willox: it's a little too simple
10:16 PM - Willox: i assume it's been abused before
10:17 PM - [ULX]Stickly Man!: agreed
10:17 PM - [ULX]Stickly Man!: There are likely many little things like this that lurk in our code, I'm afraid.
10:17 PM - [ULX]Stickly Man!: Free time has not been kind to Megiddo or I as of late lol
10:17 PM - [ULX]Stickly Man!: It's rather hard to keep up with these things
10:18 PM - Willox: I wonder how many other addons are affected
10:19 PM - [ULX]Stickly Man!: that is a good question
10:51 PM - [ULX]Stickly Man!: Just wanted to make sure I'm understanding you correctly-
10:51 PM - [ULX]Stickly Man!: clients are able to upload any? (or just txt) files to the server's download folder
10:51 PM - [ULX]Stickly Man!: which means they could create a \download\data\ulx\gamemodes\sandbox\config.txt file
10:52 PM - [ULX]Stickly Man!: the contents of which would be run on the server console each map load on a sandbox map
10:52 PM - Willox: any => many
10:52 PM - Willox: they can't upload certain extensions
10:52 PM - Willox: but yes
10:52 PM - [ULX]Stickly Man!: but .txt is included
10:52 PM - [ULX]Stickly Man!: K
10:52 PM - [ULX]Stickly Man!: how does the file upload actually occur? is that with clientside lua or a console command or specially crafted network requests?
10:53 PM - Willox: specially crafted stuff
10:53 PM - [ULX]Stickly Man!: (that's more for my curiousity- we're a bit out of the loop lol)
10:53 PM - Willox: there are modules released that let you do it
10:53 PM - Willox: aka a leaked version of my own module
10:53 PM - Willox: or sourcenet
10:53 PM - [ULX]Stickly Man!: K, that's all I need to know
10:53 PM - [ULX]Stickly Man!: thanks very much for letting me know :)
10:54 PM - [ULX]Stickly Man!: I've confirmed the issue, and I doubt I'll be able to get a fix out tonight, but I will be getting a hold of Megiddo and we'll patch it soon
Join our Team Ulysses community discord! https://discord.gg/gR4Uye6

Offline Megiddo

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 6214
  • Karma: 394
  • Project Lead
Re: ULX Exploit involving client uploaded files
« Reply #1 on: September 21, 2015, 04:12:18 am »
Argh, okay. Probably the best fix would be to not execute if the file is also present  in the download folder. Will look into it more tonight. Thanks, Stickly.
Experiencing God's grace one day at a time.

Offline Megiddo

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 6214
  • Karma: 394
  • Project Lead
Re: ULX Exploit involving client uploaded files
« Reply #2 on: September 27, 2015, 08:31:50 am »
Okay, it should be fixed. There are still some holes involving the main config -- if someone were to delete the main config in garrysmod/data/ulx/config.txt, would it load ULX's config first or from the download? I'm not sure, but I'm not sure this is a huge concern, either. If a malicious actor is able to delete the main config, they probably don't need to bother with downloaded configs at all.
Experiencing God's grace one day at a time.

Offline JamminR

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 8096
  • Karma: 390
  • Sertafide Ulysses Jenius
    • Team Ulysses [ULib/ULX, other fine releases]
Re: ULX Exploit involving client uploaded files
« Reply #3 on: September 27, 2015, 03:01:12 pm »
Yet way 100000000001 that sv_allowuploads can be exploited.
I don't care how many people argue 'but feature <x>/sprays are cool to share with everyone'
It's been abused more than it is useful.
"Though a program be but three lines long, someday it will have to be maintained." -- The Tao of Programming

Offline MrPresident

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 2727
  • Karma: 430
    • |G4P| Gman4President
Re: ULX Exploit involving client uploaded files
« Reply #4 on: September 27, 2015, 04:42:49 pm »
It's been abused more than it is useful.
I've always had sprays (sv_allowupload) turned off on my server.. and would you know. I've never had any issues with 'hackers'.

  • Print