alliedmodders / metamod-source

Metamod:Source - C++ Plugin Environment and Detour Library for the Source Engine
http://www.metamodsource.net/

[Vulnerability] Unrestricted loader. #102

Closed RenardDev closed 1 year ago

RenardDev commented 1 year ago

If an attacker gains access to executing server commands, then he will be able to upload and execute a backdoor, because MM:S does not have plugin loading restriction factors like SourceMod does.

PoC: https://github.com/RenardDev/DLangMMSPExploit

dvander commented 1 year ago

Thanks for the report. "meta load" should be changed to follow whatever extension restrictions plugin_load has.

I'm skeptical of calling this an exploit, as it requires enabling two things widely known to be exploitable. (1) rcon fundamentally is not secure, and should never be enabled. (2) sv_allowupload is notoriously problematic and probably deserves the same recommendation.

dvander commented 1 year ago

I uploaded a quick patch for this, but, to reinforce the "never enable rcon or sv_allowupload" point: plugin_load does no checks whatsoever that I can see, and we have no control over that.
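
An added example, not part of the thread or of Metamod:Source: a small audit of a Source server config for the two settings the comments above name as prerequisites, `rcon_password` and `sv_allowupload`. The function names, the sample config and the rule for what counts as risky are assumptions of this example; it reads one file only and does not follow `exec` lines or launch options.

```python
import re

# Assumption: rcon is usable only when rcon_password is non-empty, and
# sv_allowupload permits client uploads unless it is set to 0.
RISKY = {
    "rcon_password": lambda v: v != "",
    "sv_allowupload": lambda v: v != "0",
}
LINE_RE = re.compile(r'^\s*([A-Za-z_][\w.]*)\s*(?:"([^"]*)"|(\S*))')

def strip_comment(line):
    """Drop a // comment unless it sits inside double quotes."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif not in_quote and line.startswith("//", i):
            return line[:i]
    return line

def audit_cfg(text):
    """Map each watched cvar to (value, line_no, risky); the last assignment wins."""
    found = {}
    for no, raw in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(strip_comment(raw))
        if not m or m.group(1).lower() not in RISKY:
            continue
        if m.group(2) is None and not m.group(3):
            continue  # bare cvar name with no value assigns nothing
        name = m.group(1).lower()
        value = m.group(2) if m.group(2) is not None else m.group(3)
        found[name] = (value, no, RISKY[name](value))
    return found

def findings(text):
    seen, out = audit_cfg(text), []
    for name in RISKY:
        if name not in seen:
            out.append(f"{name}: not set in this file, check the value on the running server")
        elif seen[name][2]:
            out.append(f"{name}: risky value {seen[name][0]!r} at line {seen[name][1]}")
    return out

SAMPLE = '''// constructed sample server.cfg, not from a real server
hostname "test // server"
rcon_password "hunter2"
sv_allowupload 1   // allow sprays
sv_allowupload 0
'''
```

Calling `findings(SAMPLE)` reports the non-empty rcon password and stays quiet about `sv_allowupload`, because the later `0` overrides the earlier `1`.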