8:27 PM - Willox: It's possible you know that players can join a server with another player's SteamID
8:28 PM - Willox: shortly to be kicked by failure to authenticate
8:28 PM - Willox: i haven't got an implementation of it, but it IS possible and intended behaviour
8:28 PM - Willox: so i can only tell you this is a possible issue
8:29 PM - Willox: but ULX doesn't check if a player has been authenticated by Steam
8:29 PM - Willox: and i don't know the side effects of adding that check :v
8:29 PM - Willox: http://wiki.garrysmod.com/page/Player/IsFullyAuthenticated
8:29 PM - Willox: the best I am able to personally do is begin joining a server with another player's steam ID
8:29 PM - Willox: i never finished my client any further, but I'm sure this could be an issue
8:30 PM - Willox: even garry's mod's default usergroup stuff uses this function
8:30 PM - Willox: https://github.com/garrynewman/garrysmod/blob/3e138636eb1b0ad6ed785dedf350020755cff5f1/garrysmod/lua/includes/extensions/player_auth.lua#L95
8:31 PM - Willox: That description came out like <censor>
8:32 PM - Willox: tl;dr: no admin mods check if a player has been authenticated by steam, that's bad
8:32 PM - [ULX]Stickly Man!: lol, it's all good- I'm half unpacking right now
8:32 PM - [ULX]Stickly Man!: yeah, this seems like a possible issue- better to be safe than sorry
8:32 PM - Willox: SourceMod does the check
8:33 PM - Willox: The result of IsFullyAuthenticated is subject to change until it is true
8:32 PM - [ULX]Stickly Man!: I'm not familiar with the function itself, and I don't know if Megiddo knows about it either
8:33 PM - Willox: so you'll need to poll until it is true I imagine
8:33 PM - [ULX]Stickly Man!: the function could have been added long after we got ULX3 all finalized
8:33 PM - Willox: yes
8:33 PM - Willox: you might be right
8:34 PM - Willox: I put quite a lot of work in to Steam's authentication cookies
8:34 PM - Willox: It uses RSA and there's two levels of authentication
8:34 PM - Willox: First srcds will check it has been signed by valve (this means to spoof somebody you need to steal their cookie once) and that it has not expired (it takes a few days)
8:34 PM - Willox: then srcds waits for the steam api to say that the player's connection was valid
8:34 PM - Willox: the first check is done on join and is the not-quite-secure part
8:34 PM - Willox: the other could happen like 30s after join
8:35 PM - Willox: the cookie is networked to the server so to steal it they just have to join your own server that is set up to dump them
8:35 PM - Willox: they = victim
8:35 PM - [ULX]Stickly Man!: hmm, very interesting
8:35 PM - [ULX]Stickly Man!: I'll run it by Megiddo- the ULX initialization process is a bit sketchy, throwing this in might cause some troubles. If anything, a simple fix might be to add that check each time a command is run. So, this rouge client in question may be given superadmin access, but they wouldn't be able to run any commands.
8:35 PM - Willox: that's my worry
8:36 PM - Willox: "a simple fix might be to add that check each time a command is run" is something i considered too
8:36 PM - Willox: this sort of abuse is pretty <censor> rare
8:36 PM - Willox: i know authentication in gmod has been abused before
8:36 PM - [ULX]Stickly Man!: agreed
8:36 PM - Willox: but ulx - as popular as it is - obviously is target #1
8:36 PM - [ULX]Stickly Man!: Yeah, I can't think of any confirmed cases of something like this happening, but.. we do get occasional reports of gained access that we tend to blame on other third-party addons
8:37 PM - Willox: it's not possible to generate a steam cookie from somebody with just their steamid luckily
8:37 PM - Willox: it's really secure encryption, but once somebody joins your server: you have the cookie
8:37 PM - [ULX]Stickly Man!: Does the cookie expire after some time?
8:38 PM - Willox: i've had them last up to a week
8:38 PM - Willox: it'll only get you in to the server
8:38 PM - Willox: it won't bypass steam auth
8:39 PM - Willox: it uses RSA signature verification
8:39 PM - Willox: so when you first connect, SRCDS will just ensure that valve have actually signed the cookie you supply
8:39 PM - Willox: and if so it'll go along happily with the SteamID associated with it
8:39 PM - Willox: all details that aren't so important
8:40 PM - Willox: but if you are interested http://pastebin.com/raw.php?i=RQj6wRK0
8:41 PM - Willox: if something is marked not important, it means it's just encrypted data
8:41 PM - Willox: fun for the family
8:43 PM - [ULX]Stickly Man!: heh, nice
8:43 PM - Willox: i lost where i managed to actually reverse most of the code that parsed the cookie
8:43 PM - [ULX]Stickly Man!: interesting stuff- Megiddo will likely dig deep into that, that's his area of expertise
8:44 PM - Willox: there's interesting stuff in there, certain SteamIDs bypass certain auth checks
8:44 PM - Willox: maybe for gameservers or something
8:44 PM - Willox: if you managed to sign a cookie that was for a gameserver you'd probably confuse a few people
8:44 PM - [ULX]Stickly Man!: haha
8:45 PM - [ULX]Stickly Man!: neat :) Yeah, I'll write up a thingy for Megiddo to look at
8:45 PM - [ULX]Stickly Man!: if we do the easy route, we could probably have that implemented in the next couple days
8:45 PM - [ULX]Stickly Man!: thanks for bringing these things to our attention- we do appreciate it :)
8:46 PM - Willox: A look at the half-lfie mailing list tell me authentication often takes 30s to 2m
8:46 PM - Willox: chances are that'll happen while loading when it comes to gmod :V