search

rezecib / Global-Positions

A mod for Don't Starve Together that adds various ways to find your friends (or spot your enemies).
18 stars 4 forks source link

Players can spawn in any item/mob and crash the server #13

Closed Antonio32A closed 7 months ago

Antonio32A commented 1 year ago

The defined RPC handler for the RPC Ping does not do any input sanitalization which allow users to do some pretty bad things with it. It is defined in modmain.lua as shown below: https://github.com/rezecib/Global-Positions/blob/82c6e4480c06b0223487851aa8555bba3da1b8fd/modmain.lua#L595-L623

The first issue is that users can specify nil as any of the arguments or just random data, e.g. if a malicious actor specifies hi as a pingtype as so:

SendModRPCToServer(MOD_RPC["workshop-378160973"]["Ping"], "hi", ThePlayer.Transform:GetWorldPosition())

Causes the server to crash because ping (line 617) is nil.

The second and the much worse issue is that players can just spawn in ANY prefab (mob, item, etc). GLOBAL.SpawnPrefab is defined as so:

function SpawnPrefab(name, skin, skin_id, creator)
    name = string.sub(name, string.find(name, "[^/]*$"))
    name = renames[name] or name
    if skin and not IsItemId(skin) then
        print("Unknown skin", skin)
        skin = nil
    end
    local guid = TheSim:SpawnPrefab(name, skin, skin_id, creator)
    return Ents[guid]
end

The problem comes from the first line in the function, where regex is used to trim the prefab being spawned. Malicious players can send a ping with the pingtype of /deerclops using this console command:

SendModRPCToServer(MOD_RPC["workshop-378160973"]["Ping"], "/deerclops", ThePlayer.Transform:GetWorldPosition())

This will result in SpawnPrefab being called with the argument ping_/deerclops, but that'll actually get trimmed into deerclops, resulting in the actual deerclops boss being spawned at their feet. This works with any item, mob, any prefab!

According to git blame this has been an issue for the past 7 years, and since I've never seen this publicly abused, there's a decent chance I'm the first one to discover this. To reduce the impact of this I have contacted the author over email over 2 weeks ago, but sadly they have not responded. I have also written a fix which will shortly be PR-ed to this repository. On top of that, I have additionally written a mod which fixes this exact issue and gotten several popular servers to run it to reduce impact even further. You can find the mod here: https://github.com/Antonio32A/RPC-Patcher

Antonio32A commented 1 year ago

Here's a youtube video of me reproducing this on a servers which I don't host (Meow Together). /spawn was used as an alias to not have to use the annoying console. https://www.youtube.com/watch?v=KDTfssUovHg

Antonio32A commented 1 year ago

Also forgot to mention, both of these issues can be prevented by disabling pings.