Topic: Security Notice: Support_AdminEvents insecure

Support_AdminEvents.cs contains a security vulnerability.
-removed-
« Last Edit: June 28, 2015, 03:32:04 PM by Greek2me »

....Where did you even get this?
The version found in Event_EnvControl (the only add-on I've made using this, download available here if you wish to check) has the following:

Quote
function serverCmdAddEvent(%client, %delay, %input, %target, %a, %b, %output, %par1, %par2, %par3, %par4)
   {
      //Define aLevel based on whether the client is host, super admin, admin, or none
      if(%client.bl_id == getNumKeyID())
         %aLevel = 3;
      else if(%client.isSuperAdmin)
         %aLevel = 2;
      else if(%client.isAdmin)
         %aLevel = 1;
      else
         %aLevel = 0;

      //Get more information about what event the client chose
      %class = getWord(getField($InputEvent_TargetListfxDTSBrick_[%input],%a),1);
      %name = $OutputEvent_Name[%class, %output];
      %reqLevel = getWord($AdminOutputEvent[%class,%name],0);
      
      //Does the client have sufficient privileges to use this event?
      if(%reqLevel > %aLevel)
         messageClient(%client,'','You do not have a sufficient admin level to use the event %1::%2. It has been removed from your brick. Type \c2/restrictedEvents \c0for more info',%class,%name);
      else
         Parent::serverCmdAddEvent(%client, %delay, %input, %target, %a, %b, %output, %par1, %par2, %par3, %par4);
   }
« Last Edit: June 28, 2015, 03:22:59 PM by Headcrab Zombie »

I was reviewing an add-on for BLG and it was in there: http://forum.blockland.us/index.php?topic=278850.0

Well definitely deny it then. I don't know where this came from, but tell the add-on dev to get the version from me.

For now, since the problem is solved (as far as I have control over), perhaps you could remove the vulnerability exposition, so anyone with unscrupulous interests can't find it and exploit add-ons using this version?

Sure. The reason I posted it here is because I assumed multiple people are using that version in their mods.

Lesson learned after the server spam today: I should have disclosed this more discreetly. My bad.

Quote
Lesson learned after the server spam today: I should have disclosed this more discreetly. My bad.
Dann Greek, some people got revoked cause of you

Haha just kidding. I got unrevoked. But yeah be more discreet next time xD

also, about the whole being discreet part
I was thinking of making a way to fix this by joining servers and testing if they had the exploit, and then if they did using eval to overwrite a portion of the addon to remove the exploit

it might be better than posting about it, but at the same time, not sure if it's a good idea to be doing something like that behind the host's back

Quote
also, about the whole being discreet part
I was thinking of making a way to fix this by joining servers and testing if they had the exploit, and then if they did using eval to overwrite a portion of the addon to remove the exploit

it might be better than posting about it, but at the same time, not sure if it's a good idea to be doing something like that behind the host's back
Badspot already CRC'ed it.

I was saying for the future
I kind of figured it was a bit late when the exploit started being abused on a larger scale

It's not a good idea to go behind the host's back like that, regardless of intentions.
Plus, it wouldn't fix the root problem: that the add-on was available for download