Closed FPtje closed 7 years ago
Definitely something we'll be addressing, thank you for the report. We continuously caution users to be more careful about what they install on their servers, but we certainly don't want to be a pathway for persistence for an admin's poor choices.
Thanks!
Fixed, closing.
Apparently this is enough of a problem for someone to release a "hotfix" for it on the DarkRP forums:
http://forum.darkrp.com/threads/ulx-ulib-exploit-fix.9250
The gist of the problem is as follows: ULib simply executes all lines that don't start with
exec
usinggame.ConsoleCommand
. (See here). Combined withulx luarun
. For malicious addons and superadmins, this is a beautiful feature of persistency for when the addon is uninstalled and the superadmin is demoted.Reproducing steps
Addon case:
ulx luarun
with aRunString
and ahttp.Fetch
in the ULX configSuperadmin case:
Now of course all the server owners should have full programming knowledge to debug their problems, know by some force of magic to look into ULib's config files, and they shouldn't make people superadmin if turn out to be non-trustworthy in hindsight. My point is simple:
Config files shouldn't just be read and executed like they're command macros or even Lua files. The fact that they are is being abused.
Solution
With full backwards compatibility, of course.
It looks like
ULib.execFile
was originially just designed for files incfg/
, which neither superadmins nor malicious addons can write to. The mistake is to use it for ULX' main config,data/ulx/config.txt
and its map and gamemode counterparts. Oddly, it appears to be the only file that you execute that way. All other config files seem to be already interpreted normally.The solution is simple: make a different function for that which just interprets whitelisted commands. Preferably no
ulx adduser
orulx luarun
. I'd recommend a whitelist because other addons also have persistent concommands (add money to SteamID, pointshop points probably, etc.)