• Print

Author Topic: Theoretical exploit / Hook Library stuff  (Read 44 times)

0 Members and 1 Guest are viewing this topic.

Offline Stickly Man!

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 1270
  • Karma: 164
  • What even IS software anymore?
    • XGUI
Theoretical exploit / Hook Library stuff
« on: December 05, 2015, 11:37:40 pm »
Woah, it's a double topic forum post! Why? I'm not sure.. I just don't really feel like making two threads.

So, I've recently got in touch with Willox and chatted with him for a bit. For those of you who don't know him, he's a fairly "prominent" member of the community:
He's frequently involved with GMod issue tracker
He's made many pull requests to fix bugs and exploits
He found this exploit for us
And he's found numerous more exploits in Gmod, Source Engine, etc. (Disclaimer: He's the one behind the 'Vinh'll fix it' worm from a few years back.)

Anyways, he spends his time finding lots of exploits for fun. He found a potential exploit that has not yet been abused, but he feels it may likely that it can be abused. The tl;dr version of it is that players can join a server, faking which SteamID they are. The server will authenticate the user with Valve's servers, which will fail- but the process takes some time. Thus, there may be a small chance that a user could join a server under an admin's SteamID, and run a few commands (like giving their SteamID full access) before getting booted.

Luckily, we can call Player:IsFullyAuthenticated() to see if the user has been auth'd with Valve's servers. This process may take up to a minute or two, supposedly. We could add this check through ULX's initialization process (would likely be hairy), or we could check this each time a command is run (quicker, likely better option). This way we could ensure commands can only be run by fully authorized users.

However, this may have some downsides. What if the steam auth servers go down? What about singleplayer or listen servers? I don't know if there are cases where the auth check may fail/never work, which would then prevent ULX from working. We could create a class of "privileged" commands (user management, ban commands, etc.) that can be only run on authenticated users, but other commands like slap can be used whenever.

Here's the relevant chatlog for this exploit, I recommend reading it to get all of the important details:
Code: Text
  1. 8:27 PM - Willox: It's possible you know that players can join a server with another player's SteamID
  2. 8:28 PM - Willox: shortly to be kicked by failure to authenticate
  3. 8:28 PM - Willox: i haven't got an implementation of it, but it IS possible and intended behaviour
  4. 8:28 PM - Willox: so i can only tell you this is a possible issue
  5. 8:29 PM - Willox: but ULX doesn't check if a player has been authenticated by Steam
  6. 8:29 PM - Willox: and i don't know the side effects of adding that check :v
  7. 8:29 PM - Willox: http://wiki.garrysmod.com/page/Player/IsFullyAuthenticated
  8. 8:29 PM - Willox: the best I am able to personally do is begin joining a server with another player's steam ID
  9. 8:29 PM - Willox: i never finished my client any further, but I'm sure this could be an issue
  10. 8:30 PM - Willox: even garry's mod's default usergroup stuff uses this function
  11. 8:30 PM - Willox: https://github.com/garrynewman/garrysmod/blob/3e138636eb1b0ad6ed785dedf350020755cff5f1/garrysmod/lua/includes/extensions/player_auth.lua#L95
  12. 8:31 PM - Willox: That description came out like <censor>
  13. 8:32 PM - Willox: tl;dr: no admin mods check if a player has been authenticated by steam, that's bad
  14. 8:32 PM - [ULX]Stickly Man!: lol, it's all good- I'm half unpacking right now
  15. 8:32 PM - [ULX]Stickly Man!: yeah, this seems like a possible issue- better to be safe than sorry
  16. 8:32 PM - Willox: SourceMod does the check
  17. 8:33 PM - Willox: The result of IsFullyAuthenticated is subject to change until it is true
  18. 8:32 PM - [ULX]Stickly Man!: I'm not familiar with the function itself, and I don't know if Megiddo knows about it either
  19. 8:33 PM - Willox: so you'll need to poll until it is true I imagine
  20. 8:33 PM - [ULX]Stickly Man!: the function could have been added long after we got ULX3 all finalized
  21. 8:33 PM - Willox: yes
  22. 8:33 PM - Willox: you might be right
  23. 8:34 PM - Willox: I put quite a lot of work in to Steam's authentication cookies
  24. 8:34 PM - Willox: It uses RSA and there's two levels of authentication
  25. 8:34 PM - Willox: First srcds will check it has been signed by valve (this means to spoof somebody you need to steal their cookie once) and that it has not expired (it takes a few days)
  26. 8:34 PM - Willox: then srcds waits for the steam api to say that the player's connection was valid
  27. 8:34 PM - Willox: the first check is done on join and is the not-quite-secure part
  28. 8:34 PM - Willox: the other could happen like 30s after join
  29. 8:35 PM - Willox: the cookie is networked to the server so to steal it they just have to join your own server that is set up to dump them
  30. 8:35 PM - Willox: they = victim
  31. 8:35 PM - [ULX]Stickly Man!: hmm, very interesting
  32. 8:35 PM - [ULX]Stickly Man!: I'll run it by Megiddo- the ULX initialization process is a bit sketchy, throwing this in might cause some troubles. If anything, a simple fix might be to add that check each time a command is run. So, this rouge client in question may be given superadmin access, but they wouldn't be able to run any commands.
  33. 8:35 PM - Willox: that's my worry
  34. 8:36 PM - Willox: "a simple fix might be to add that check each time a command is run" is something i considered too
  35. 8:36 PM - Willox: this sort of abuse is pretty <censor> rare
  36. 8:36 PM - Willox: i know authentication in gmod has been abused before
  37. 8:36 PM - [ULX]Stickly Man!: agreed
  38. 8:36 PM - Willox: but ulx - as popular as it is - obviously is target #1
  39. 8:36 PM - [ULX]Stickly Man!: Yeah, I can't think of any confirmed cases of something like this happening, but.. we do get occasional reports of gained access that we tend to blame on other third-party addons
  40. 8:37 PM - Willox: it's not possible to generate a steam cookie from somebody with just their steamid luckily
  41. 8:37 PM - Willox: it's really secure encryption, but once somebody joins your server: you have the cookie
  42. 8:37 PM - [ULX]Stickly Man!: Does the cookie expire after some time?
  43. 8:38 PM - Willox: i've had them last up to a week
  44. 8:38 PM - Willox: it'll only get you in to the server
  45. 8:38 PM - Willox: it won't bypass steam auth
  46. 8:39 PM - Willox: it uses RSA signature verification
  47. 8:39 PM - Willox: so when you first connect, SRCDS will just ensure that valve have actually signed the cookie you supply
  48. 8:39 PM - Willox: and if so it'll go along happily with the SteamID associated with it
  49. 8:39 PM - Willox: all details that aren't so important
  50. 8:40 PM - Willox: but if you are interested http://pastebin.com/raw.php?i=RQj6wRK0
  51. 8:41 PM - Willox: if something is marked not important, it means it's just encrypted data
  52. 8:41 PM - Willox: fun for the family
  53. 8:43 PM - [ULX]Stickly Man!: heh, nice
  54. 8:43 PM - Willox: i lost where i managed to actually reverse most of the code that parsed the cookie
  55. 8:43 PM - [ULX]Stickly Man!: interesting stuff- Megiddo will likely dig deep into that, that's his area of expertise
  56. 8:44 PM - Willox: there's interesting stuff in there, certain SteamIDs bypass certain auth checks
  57. 8:44 PM - Willox: maybe for gameservers or something
  58. 8:44 PM - Willox: if you managed to sign a cookie that was for a gameserver you'd probably confuse a few people
  59. 8:44 PM - [ULX]Stickly Man!: haha
  60. 8:45 PM - [ULX]Stickly Man!: neat :) Yeah, I'll write up a thingy for Megiddo to look at
  61. 8:45 PM - [ULX]Stickly Man!: if we do the easy route, we could probably have that implemented in the next couple days
  62. 8:45 PM - [ULX]Stickly Man!: thanks for bringing these things to our attention- we do appreciate it :)
  63. 8:46 PM - Willox: A look at the half-lfie mailing list tell me authentication often takes 30s to 2m
  64. 8:46 PM - Willox: chances are that'll happen while loading when it comes to gmod :V
  65.  


---------------------

Next, Willox has had a lot of experience with making pull requests for Gmod, and talking to FP staff about getting changes merged in. (See above links). I asked him what he thought about having our Hook Library as Gmod's default- and after mulling over the code, he thinks it may be a good idea. He had some suggestions for performance (something about upvalues and.. he made a quick diff: https://www.diffchecker.com/b72x7msg), but we didn't test if they actually improved performance. I couldn't link him to the issue tracker since it's now closed (is there any way we can get read-only access to those old issues?)

Anyways, I think we can work with Willox to drum up interest on this hook library thing. Megiddo, he said he'd like to talk to you about it, so if you want to add him on Steam and chat with him sometime soon, that would be neat:
http://steamcommunity.com/profiles/76561197998909316/

Join our Team Ulysses community discord! https://discord.gg/gR4Uye6

Offline Megiddo

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 6214
  • Karma: 394
  • Project Lead
Re: Theoretical exploit / Hook Library stuff
« Reply #1 on: December 06, 2015, 05:53:01 am »
Taking on hooks first...

The link in your post is dead. :(

I fairly carefully considered each upvalue and the location of each, as well as usage of globals. Some of the results surprised me, especially since GMod is using LuaJIT. That being said, I always hate gaming the compiler, as doing so usually results in context the compiler can use to optimize at a lower level. I'd definitely be interested to see what Willox has to say though.

I had actually forgotten that we requested to include the hook into GMod proper, and we were mostly ignored.

-------------

Re: security. Very interesting, especially given our conversation a few weeks ago regarding IsFullyAuthenticated(). From my recent experimenting, here's the order when someone joins:

"PlayerConnect" called as soon as the connection is made to the server
"PlayerInitialSpawn" called
In the next server tick after "PlayerInitialSpawn", the new player appears in player.GetAll()
2-3 second later, "PlayerAuth" is called

In my experiments, the player sometimes (but not always) flagged for IsFullyAuthenticated during "PlayerInitialSpawn". So, Garry's approach of ignoring the user's group if they are not flagged as "IsFullyAuthenticated" during "PlayerInitialSpawn" comes as a major surprise to me, since in my limited testing I saw that case occur.

I am not sure what "PlayerAuth" is intended to be used for, since it always seems to be called much later than expected. Maybe it's only guaranteed to be called sometime after the player becomes authenticated? Garry never uses "PlayerAuth" in his code. The only use of "IsFullyAuthenticated" is in the code you linked to, and a terrortown karma system (huh?).

ULX has always had some issues bootstrapping clients and their authentication. Garry's many changes to client initialization over the years have not been kind to us. I'm tempted to put this off to ULX4 and centralize our initialization/bootstrapping there so future GMod changes can be handled more gracefully. However, this potential exploit does concern me... If we make the assumption that a user's SteamID cannot change after "PlayerInitialSpawn" (that they'll be kicked if they're using a stolen cookie), we might be able to get away with a check in our command router or ucl.query. That is, if they're not fully authenticated when they try to do something requiring permissions, they will be denied regardless of what access we believe they have. Unfortunately, I hate making changes we are unable to test.
Experiencing God's grace one day at a time.

Offline Megiddo

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 6214
  • Karma: 394
  • Project Lead
Re: Theoretical exploit / Hook Library stuff
« Reply #2 on: December 06, 2015, 06:08:59 am »
As an aside, Steam's setup with the authentication cookies sounds similar to Kerberos. This approach works fairly well for what Steam is trying to accomplish. Surprised they aren't using any of the well-known techniques to prevent a man in the middle attack (like nonces).

An interesting discussion that might be related -- https://facepunch.com/showthread.php?t=1190676 and http://www.unknowncheats.me/forum/general-programming-and-reversing/121905-fake-steam-id-changing-stealing.html
Experiencing God's grace one day at a time.

Offline JamminR

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 8096
  • Karma: 390
  • Sertafide Ulysses Jenius
    • Team Ulysses [ULib/ULX, other fine releases]
Re: Theoretical exploit / Hook Library stuff
« Reply #3 on: December 06, 2015, 03:26:22 pm »
RE: Privileged commands -
With Stickly's description of potential authorization delay and adding the actual check to commands, I was already thinking "not all, but definitely those that matter (cexec, rcon, addgroup, adduser, ban, etc)"
Then he went there in his description few moments after I was thinking it.

Overall, I agree we put off large change / security improvement until ULX4.
I do recommend we increase ULib/ULX current security now too though using privileged commands.
Console/single player would have normal access.
If a ded server can't talk to steam auth (because, steam auth is down, as been known to happen), admins would need console access to make major changes.
That might be inconvenient, but as is often the case, security usually affects convenience.
"Though a program be but three lines long, someday it will have to be maintained." -- The Tao of Programming

Offline Stickly Man!

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 1270
  • Karma: 164
  • What even IS software anymore?
    • XGUI
Re: Theoretical exploit / Hook Library stuff
« Reply #4 on: December 06, 2015, 05:38:08 pm »
Re: Hook stuff

Ah, yeah, the diff was working fine when I linked it- didn't see an expiration on it. Willox has been playing around with some more optimizations as of late and seems to be getting some improvements (are they worth it? not quite sure). He's also tempted to get everything compiling straight to luaJIT by removing varargs and pairs, but honestly, a lot of this stuff goes over my head and I think you should have a nice chat with him Megiddo. :P  (He is rather chatty)

He has also already talked to Rubat (Robotboy) about the hook inclusion. Supposedly, he likes the performance improvements and the read-only levels (HOOK_MONITOR_HIGH and HOOK_MONITOR_LOW), but he's still not a fan of the -1 and 1 priority levels. Perhaps we should provide a specific case or scenario where having the hook priorities would be useful? We might be able to argue our point- if not, we may have to live with a more narrow version of our hook system.


Re: Security

Again, this is all pretty theoretical. Willox has very good knowledge of the Steam API process (he's dived into it quite a bit). I'm okay with holding off till ULX4, but I would highly recommend chatting directly with him rather than having me as the middleman- Some of this stuff still goes over my head haha :P  I could post our entire chatlog if you're interested, but it is a bit lengthy.

I do like the "privileged commands" idea. It's fairly simple to implement, doesn't require changes to initialization, and even if it's not needed, it is an extra layer of security. (Except the whole "what if the auth servers are down scenario". Perhaps an override that can be set via a file?)

That stuff about "Serenity" is pretty interesting. This exploit has been around a while, but with the cookie authentication and recent patches, it's much harder to pull off. This is Willox claiming that this is theoretically possible, but he has discovered numerous exploits in the past by just poking around.

Hmm, I'll just post the full chat logs if you guys are interested. I asked him (on a whim) if he'd be interested in helping out with ULX, but he seems to prefer sticking to hunting exploits and stuff that bugs him:
https://dl.dropboxusercontent.com/u/3804211/willox-12-5.txt
https://dl.dropboxusercontent.com/u/3804211/willox-12-6.txt
Join our Team Ulysses community discord! https://discord.gg/gR4Uye6

Offline Megiddo

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 6214
  • Karma: 394
  • Project Lead
Re: Theoretical exploit / Hook Library stuff
« Reply #5 on: December 13, 2015, 03:39:52 pm »
Okay, we'll have to do something about this -- https://facepunch.com/showthread.php?t=1497392
Experiencing God's grace one day at a time.

Offline JamminR

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 8096
  • Karma: 390
  • Sertafide Ulysses Jenius
    • Team Ulysses [ULib/ULX, other fine releases]
Re: Theoretical exploit / Hook Library stuff
« Reply #6 on: December 13, 2015, 08:19:57 pm »
So what are our options?
1) Strict - refuse all unauthenticated connections to server - causing mass issue if Steam auth servers go down (Christmas holidays are coming up, never know what could happen)
2) Semi-Strict - allow connections, but deny all ULib functionality
3) Privileged - allow connection, block usage/force authentication for usermanagement/rcon/cexec commands/etc
Add all 3, and allow the above to be chosen by server owner?
#2 and #3 can still allow for major abuse if the script kiddie knows what they're doing re: console
"Though a program be but three lines long, someday it will have to be maintained." -- The Tao of Programming

Offline Stickly Man!

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 1270
  • Karma: 164
  • What even IS software anymore?
    • XGUI
Re: Theoretical exploit / Hook Library stuff
« Reply #7 on: December 14, 2015, 07:18:03 am »
Looks like they might be implementing a fix in gmod itself?

https://facepunch.com/showthread.php?t=1497392&p=49311134&viewfull=1#post49311134

No real specifics yet though, I'll keep an eye out.
Join our Team Ulysses community discord! https://discord.gg/gR4Uye6

Offline Stickly Man!

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 1270
  • Karma: 164
  • What even IS software anymore?
    • XGUI
Re: Theoretical exploit / Hook Library stuff
« Reply #8 on: January 05, 2016, 01:46:13 pm »
Just got word that Player:IsFullyAuthenticated() is now pretty much useless since Gmod does the checks for us. So, I guess this exploit is beyond our scope for now, although people are somehow able to spoof Garry's SteamID for that acheivement.

Also, Megiddo, should we discuss hook library stuff soon? AFAIK, the only reason Rubat would not add our hook system is because of the HOOK_HIGH and HOOK_LOW priorities- He likes the read only hooks (HOOK_MONITOR_HIGH, HOOK_MONITOR_LOW) just fine. Once we come to a compromise, it sounds like we'll have a good push to get this hook library on there.
Join our Team Ulysses community discord! https://discord.gg/gR4Uye6

Offline Stickly Man!

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 1270
  • Karma: 164
  • What even IS software anymore?
    • XGUI
Re: Theoretical exploit / Hook Library stuff
« Reply #9 on: January 08, 2016, 11:22:30 pm »
One more informative post!

I just found out that Willox has been made an official full-time member of Facepunch, so he will be very active in Gmod's development, fixing bugs, etc. So, if you guys have any suggestions.. I can let him know. :P (I won't pester him, of course lol)
https://github.com/orgs/Facepunch/people
Join our Team Ulysses community discord! https://discord.gg/gR4Uye6

  • Print