Author Topic: Support_AdminEvents.cs Eval Vulnerability

Someone uploaded an add-on containing the common library Support_AdminEvents.cs in it to BLG. The system automatically picked up an Eval command, and while looking at it, I saw it had a large vulnerability. Discussion with the author revealed that this is widely used.

The code at issue is as follows:
Code:
function serverCmdAddEvent(%client, %delay, %input, %target, %a, %b, %output, %par1, %par2, %par3, %par4)
{
    //Define aLevel based on whether the client is host, super admin, admin, or none
    if(%client.bl_id == getNumKeyID())
        %aLevel = 3;
    else if(%client.isSuperAdmin)
        %aLevel = 2;
    else if(%client.isAdmin)
        %aLevel = 1;
    else
        %aLevel = 0;

    //Get more information about what event the client chose
    %class = getWord(getField($InputEvent_TargetListfxDTSBrick_[%input],%a),1);
    eval("%name = $OutputEvent_Name" @ %class @ "_" @ %output @ ";");
    %reqLevel = $AdminOutputEvent[%class,%name];

    //Does the client have sufficient privileges to use this event?
    if(%reqLevel > %aLevel)
        messageClient(%client,'','You do not have a sufficient admin level to use the event %1::%2. It has been removed from your brick.',%class,%name);
    else
        Parent::serverCmdAddEvent(%client, %delay, %input, %target, %a, %b, %output, %par1, %par2, %par3, %par4);
}

As you can see, %output is completely exposed. For example:

/addEvent delay input target a b output;quit()

would turn into %name = $OutputEvent_NameSomeClass_output;quit();, which would obviously shut down the server.


Scripters, please review your add-ons. You can replace the entire line of the eval with the following:

%name = $OutputEvent_Name[%class @ "_" @ %output];
« Last Edit: July 01, 2015, 12:34:29 PM by Scout31 »
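To make the difference between the two lines concrete, here is an added Python model of the post's TorqueScript (not Blockland code, and the $OutputEvent_Name entries in the table are constructed stand-ins): it rebuilds the string the vulnerable eval() receives, counts the statements in it, models the array-index fix as a plain table lookup, and flags /addEvent lines whose %output argument carries anything but identifier characters.

```python
import re
from typing import Optional

# Constructed stand-in for the TorqueScript globals $OutputEvent_Name<Class>_<Output>
# (hypothetical entries, not the add-on's real event names).
OUTPUT_EVENT_NAME = {
    "fxDTSBrick_0": "setColor",
    "fxDTSBrick_1": "disappear",
}

# A legitimate %output is a bare identifier or index: letters, digits, underscore.
IDENT_RE = re.compile(r"^[A-Za-z0-9_]+$")


def build_eval_source(cls: str, output: str) -> str:
    """Reproduce the string the vulnerable line hands to eval():
    eval("%name = $OutputEvent_Name" @ %class @ "_" @ %output @ ";");"""
    return "%name = $OutputEvent_Name" + cls + "_" + output + ";"


def count_statements(source: str) -> int:
    """Count top-level ';'-terminated statements, ignoring ';' inside "..." strings.
    A benign %output yields exactly one; anything more is injected code."""
    count, in_str = 0, False
    for ch in source:
        if ch == '"':
            in_str = not in_str
        elif ch == ";" and not in_str:
            count += 1
    return count


def safe_lookup(cls: str, output: str) -> Optional[str]:
    """Model of the fixed line  %name = $OutputEvent_Name[%class @ "_" @ %output];
    The concatenation is only a table key and is never parsed as code,
    so an unexpected %output simply finds no entry."""
    return OUTPUT_EVENT_NAME.get(cls + "_" + output)


def flag_addevent(line: str) -> Optional[str]:
    """Return the %output argument of an /addEvent line if it is not a plain
    identifier, else None. Arguments are whitespace-separated (the reason the
    thread found that spaces cannot be smuggled into the command):
    /addEvent delay input target a b output [par1 ... par4]"""
    parts = line.split()
    if len(parts) < 7 or parts[0].lower() != "/addevent":
        return None
    output = parts[6]
    return None if IDENT_RE.match(output) else output
```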

I tested /addEvent delay input target a b output;talk("yo") out on my server and nothing happened, even with me having the vulnerability.
« Last Edit: July 01, 2015, 01:03:00 PM by -Setro- »

A lot of servers are vulnerable to this. I seriously think this add-on should be fail-binned because nobody will update.

I tested /addEvent delay input target a b output;talk("yo") out on my server and nothing happened, even with me having the vulnerability.
Be thankful I guess? You could have another add-on overwriting it with a safe version of the command.

A lot of servers are vulnerable to this. I seriously think this add-on should be fail-binned because nobody will update.
The problem is it's not a full add-on, it's just a cs file that's in a lot of add-ons. Badspot can't CRC-fail individual files, only full add-ons. I already gave him 3 add-ons that have the vulnerability to CRC ban, which will hopefully be done soon.

I figured out the issue: you can't use whitespace in the hacky console command.

Badspot can't CRC-fail individual files, only full add-ons.

He can just add a check to the exec function to prevent a file with this CRC from being executed?