AlliedModders

AlliedModders (https://forums.alliedmods.net/index.php)
-   News (https://forums.alliedmods.net/forumdisplay.php?f=16)
-   -   Security Exploit in UAIO Binary (https://forums.alliedmods.net/showthread.php?t=66326)

BAILOPAN 01-28-2008 11:14

Security Exploit in UAIO Binary
 
It has recently come to our attention that there is an exploited copy of the "UAIO" (Ultimate All-In-One) Plugin being distributed in the wild. It is a special build of UAIO that does not match the original source code, and has been hand-crafted such that any user knowing a secret command can become an administrator.

This incident involves a malicious copy of UAIO that has a secret backdoor. UAIO and AMX Mod X are otherwise normally secure.

In order to protect our users we have released a tool to check your copy of UAIO:

http://www.amxmodx.org/uaio_check.cgi

Simply upload your uaio_admin.amxx file and it will tell you whether it has the exploit. Game Service Providers (GSPs) should check their clients' installations.

UPDATE: We have traced this issue to the original UAIO author Robert J. Secord ("xeroblood," "SystemWisdom"), who had been distributing malicious binaries, probably so he could backdoor any server using his plugin. UAIO is currently maintained by Xanimos and thus its binaries are now safe! However, if you find any other software distributed by this person, I would think twice before using it. He clearly cannot be trusted.

This type of abuse is beyond unscrupulous. Under no circumstances is it ever acceptable to post exploited or backdoored binaries on our forums.

Additionally, we have collected a Steam ID of someone that has been using this exploit in the wild. I'm listing them and server operators in the community can decide if they want to blacklist them or not:
Code:

STEAM_0:0:13428340
If you have further questions, please do not hesitate to post them here. Obviously, if you post the actual exploit here, or publicly post any copies of the infected binary, you will be permanently banned.

I would like to thank sawce for finding the exploit, which was no easy task. I would also like to thank Roach who kept this issue alive despite naysaying from yours truly.

Thanks for your support.

chris 01-28-2008 12:22

Re: Security Exploit in UAIO Binary
 
Oh my god.

Arkshine 01-28-2008 12:30

Re: Security Exploit in UAIO Binary
 
Oh, you're right. :shock:


I've searched for an old copy on my computer and I've found one (1.51); [created: Friday 6 October 2006, 00:28:31 | modified: Friday 15 September 2006, 14:30:25]

In the package, the UAIO binary file; [created: Friday 6 October 2006, 00:28:31 | modified: Sunday 19 August 2006, 01:50:09]


As far as I remember, I've always downloaded the package from the original topic. (Not a big deal in my case since I'm used to always recompiling plugins.)

I don't get how the original package has been modified. -_-

Roach 01-28-2008 12:50

Re: Security Exploit in UAIO Binary
 
The packages on the site right now (v1.51 and 1.50) are fine and exploit free, as Bail stated. This will end up making a SLIGHT change in policy as far as closed source .amxx plugins go (for those who are closing off exploits in mods), but that will be announced later on.

We would ALL like to thank the server owners and admins who noticed this and sent us the logs and Steam IDs of those who were exploiting this. Luckily, there were only a few VERY isolated issues of this that were reported. Giving us those logs and folders gave us the missing pieces of the puzzle that finally allowed sawce to have his aha moment... after, of course, I accused him of screwing something up.

Also, if needed I'm a good character actor and I do parties, and can extract information as needed from people when requested. Please contact if you would like my services.

sawce 01-28-2008 14:28

Re: Security Exploit in UAIO Binary
 
Hey roach, remember that time when you were all "hey its your fault fix it" and I was all like "liar" and you were all like "nuh uh fix it" and I was all like "no you fix it".

Yeah. Good times.

Pro Patria Finland 01-28-2008 14:46

Re: Security Exploit in UAIO Binary
 
Finally found? Awesome awesome.

Good job.

Roach 01-28-2008 15:37

Re: Security Exploit in UAIO Binary
 
Quote:

Originally Posted by sawce (Post 579301)
Hey roach, remember that time when you were all "hey its your fault fix it" and I was all like "liar" and you were all like "nuh uh fix it" and I was all like "no you fix it".

Yeah. Good times.

And remember the time you were like, "It's your birthday?" and I was all like, "Yeah!" and you were like, "I'll send you money for a beer!" and you never did?

Yeah, bad times there. :(.

PM 01-28-2008 16:19

Re: Security Exploit in UAIO Binary
 
Congrats!

I would never have thought that this would happen, and not at all that xeroblood would do it :-O

[kirk]./musick` 01-28-2008 17:28

Re: Security Exploit in UAIO Binary
 
Wow, thanks a lot for the information! Very interesting.

IdiotSavant 01-28-2008 17:41

Re: Security Exploit in UAIO Binary
 
Would there be any way to check his other plugins? I use the rs_swearfilter written by xeroblood and I love the way it works. Can you set up a test for this file as well?

slyguy42o 01-28-2008 19:51

Re: Security Exploit in UAIO Binary
 
hey Bail, I sent you an email on this as well.

STEAM_0:1:20031 is an innocent bystander; he is one of my trusted admins and NOT a part of this nefarious scheme. I believe his ID was included because he was in the logs I sent in, since my server was attacked using this exploit. The intruder was trying to BAN this ID, mostly, I believe, due to the fact that he was the only other admin present while the intruder was using his hijacked credentials. Please exonerate this individual, as he is not guilty.

Thanks

sly

Roach 01-28-2008 20:50

Re: Security Exploit in UAIO Binary
 
Gotcha...sorry for the confusion. The logins were one right after another, so we thought they ran in tandem.

flyeni6 01-28-2008 21:18

Re: Security Exploit in UAIO Binary
 
Wow, well I don't really use UAIO anymore so I'm safe :P

hoboman 01-29-2008 00:42

Re: Security Exploit in UAIO Binary
 
Heh... I was looking for some of those old, exploited UAIOs and I actually found one. That one was all the way back from August 2006 and the version was 1.51 (same as the current one... errrrg). I would post a link to the site where I found it, but I fear admin rage.

Quote:

// uaio_admin.sma Version 1.51 Date: AUG/01/2006

Styles 01-29-2008 01:50

Re: Security Exploit in UAIO Binary
 
I can't believe it! That means this exploit has been circling for a while... and it was blood? I can't believe this. He is a good coder too... this is sad. GJ guys on the find. I'll +rep you all later. I'm on my PDA.

Mordekay 01-29-2008 11:22

Re: Security Exploit in UAIO Binary
 
Wow, hard stuff :shock:

YamiKaitou 01-29-2008 12:50

Re: Security Exploit in UAIO Binary
 
Quote:

Originally Posted by hoboman (Post 579438)
i would post a link to the site where I found it, but I fear admin rage

I would then suggest PMing it to either Roach, Bail, or sawce. But, make sure that the subject line is detailed enough so that they know what it is before they delete it.



It is amazing what people will do to other servers. I always recompile the source code that I get from anywhere; of course, it is normally only from here anyway.

Gunny 01-29-2008 14:41

Re: Security Exploit in UAIO Binary
 
Good catch guys.

Quote:

BAD: You have an exploited copy of UAIO. Download new copies of all UAIO .amxx files. You should post in the forum news thread that you encountered this incident.
I only download my plugins from here!!! I don't think I got this from anywhere else.

This is really sad. All he had to do, IMO, was ask me for admin on my servers and I probably would have said sure.

Code:

////////////////////////////////////////////////////////////////////////////////////////////
//  uaio_admin.sma                    Version 1.51                      Date: AUG/01/2006
//
//  RS UAIO (Ultimate All-In-One) Admin Menu System (Multilingual)
//  File: UAIO Admin - Main Source File
//
//  Created By:    Rob Secord, B.Sc.
//  Alias: xeroblood (aka; Achilles; sufferer)
//  Email: [email protected]
//
//  Updated By:    Dan Weeks
//  Alias: $uicid3
//  Email: [email protected]
//
//  Developed using:  AMXX 1.50, 1.55, 1.60, 1.65, 1.70, 1.75
//  Modules:          Fun
//                    Engine
//                    CStrike
//
//  Tested On:        CS 1.6 (STEAM)
//                    Linux HLDS
//                    Windows HLDS/ListenServer
//
//  Current Internal Command Count: 81
//
////////////////////////////////////////////////////////////////////////////////////////////


iamjosh 01-29-2008 16:30

Re: Security Exploit in UAIO Binary
 
Although this is kinda in the jerk category, I can't really blame him for doing that. He made, I believe, the most popular AMXX plugin. I would have been tempted to do the same thing.

bmann_420 01-29-2008 16:33

Re: Security Exploit in UAIO Binary
 
Wow, good job once again. Kinda crazy though. Didn't expect that from that particular individual, but then again it's a community on the internet and not in person, so you can't get punched in the face.
Good thing Xanimos runs it now.

DSi 01-30-2008 17:03

Re: Security Exploit in UAIO Binary
 
BAD: You have an exploited copy of UAIO. Download new copies of all UAIO .amxx files. You should post in the forum news thread that you encountered this incident.

I got this message :( I posted here because it told me to :wink:

>)SL(< | Wicked 01-30-2008 19:10

Re: Security Exploit in UAIO Binary
 
Hey DSi!!! Its Robert.

Well, I can't really believe someone would do this! Good job guys for finding this! Its also a good thing I took UAIO off my server.

Dric Laar 01-31-2008 23:05

Re: Security Exploit in UAIO Binary
 
Well, this actually explains A LOT.
I got my server hacked before... had UAIO on it too... I didn't keep it though...

But seriously... THANKS A LOT lol :mrgreen:

kuttaja 02-01-2008 04:53

Re: Security Exploit in UAIO Binary
 
What about his other plugins?

Xanimos 02-01-2008 13:50

Re: Security Exploit in UAIO Binary
 
Quote:

Originally Posted by kuttaja (Post 580429)
What about his other plugins?

His other plugins are clean. The only reason he was able to do it in UAIO was by pre-compiling the plugin with the exploit. And since none of his other plugins are pre-compiled, meaning only the .sma is uploaded, they are perfectly fine.

This report isn't meant to bash UAIO; it in itself is a good plugin and has no exploit. Just that the creator went a little far when he scripted a secret back door.

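Xanimos's point above is the general supply-chain lesson: a compiled .amxx that was not produced from the posted .sma can carry anything. The uaio_check.cgi tool looked for this one backdoor; a generic check is to recompile every plugin from source yourself (with the same amxxpc version the distributor used, since different compiler versions legitimately produce different bytes) and compare hashes of the binaries actually sitting in addons/amxmodx/plugins against your own build. The following is an added example written for this page, not code from the thread or from the AMX Mod X project. It assumes that .amxx files begin with the AMXX container magic 0x414D5858 stored little-endian (the bytes "XXMA"); the directories, file names and plugin bytes in demo() are constructed stand-ins.

```python
import hashlib
import os
import tempfile

# Assumption: AMXX plugin containers start with magic 0x414D5858 written
# little-endian, i.e. the bytes "XXMA" on disk.
AMXX_MAGIC = b"XXMA"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(trusted_dir):
    """Hash every .amxx in a directory you compiled yourself from the .sma sources."""
    manifest = {}
    for name in sorted(os.listdir(trusted_dir)):
        if name.endswith(".amxx"):
            manifest[name] = sha256_file(os.path.join(trusted_dir, name))
    return manifest


def verify_plugins(plugins_dir, manifest):
    """Compare a live plugins directory against the manifest.

    Returns {name: status} with status one of:
      ok          bytes match the binary you built yourself
      MISMATCH    a binary of that name exists but its hash differs
      UNEXPECTED  a .amxx you never compiled (e.g. a dropped-in binary)
      MISSING     listed in the manifest but absent from the live directory
      NOT_AMXX    does not even carry the AMXX container magic
    """
    present = {n for n in os.listdir(plugins_dir) if n.endswith(".amxx")}
    results = {}
    for name in sorted(present | set(manifest)):
        if name not in present:
            results[name] = "MISSING"
            continue
        path = os.path.join(plugins_dir, name)
        with open(path, "rb") as f:
            magic = f.read(4)
        if magic != AMXX_MAGIC:
            results[name] = "NOT_AMXX"
        elif name not in manifest:
            results[name] = "UNEXPECTED"
        elif sha256_file(path) != manifest[name]:
            results[name] = "MISMATCH"
        else:
            results[name] = "ok"
    return results


def demo():
    """Constructed scenario: a trusted build tree and a live tree with one altered binary."""
    # Constructed stand-ins for compiled plugins, not real AMXX output.
    good_uaio = AMXX_MAGIC + b"\x03\x00\x01" + b"A" * 64
    tampered_uaio = AMXX_MAGIC + b"\x03\x00\x01" + b"A" * 60 + b"BKDR"  # same size, different bytes
    good_admin = AMXX_MAGIC + b"\x03\x00\x01" + b"B" * 64
    with tempfile.TemporaryDirectory() as trusted, tempfile.TemporaryDirectory() as live:
        for d, files in (
            (trusted, {"uaio_admin.amxx": good_uaio, "admin.amxx": good_admin,
                       "stats.amxx": good_admin}),
            (live, {"uaio_admin.amxx": tampered_uaio, "admin.amxx": good_admin,
                    "extra.amxx": good_uaio, "junk.amxx": b"not a plugin"}),
        ):
            for name, data in files.items():
                with open(os.path.join(d, name), "wb") as f:
                    f.write(data)
        return verify_plugins(live, build_manifest(trusted))


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:10} {name}")
```

Anything reported as MISMATCH or UNEXPECTED is a binary you did not build and should be treated the way the announcement treats the exploited uaio_admin.amxx: replace it with one compiled from the published .sma and look at who has been logging in as admin since.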
Jheshka 02-01-2008 19:18

Re: Security Exploit in UAIO Binary
 
Wow, didn't see this coming...

chris 02-01-2008 22:09

Re: Security Exploit in UAIO Binary
 
Oh I see, he put a different AMXX file than the .sma's AMXX file. :gyar:

Firecracker 02-02-2008 13:56

Re: Security Exploit in UAIO Binary
 
What steps should we take besides replacing our UAIO? I will say I had someone appear to change maps on my server, and I know I am the only admin. When I looked at my logs there was nothing about the map change until time ran out, and all of a sudden something besides the only map on my rotation was there.

BAILOPAN 02-02-2008 13:59

Re: Security Exploit in UAIO Binary
 
Make sure your users.ini (or SQL tables, if applicable) only contains entries you know about.

vittu 02-02-2008 14:30

Re: Security Exploit in UAIO Binary
 
Also, if there is no AMX Mod X log about the map change, it sounds like they had your rcon password. Check the HL logs to see if anyone else was on rcon at the time, or just change your rcon password to be safe either way.

Firecracker 02-02-2008 14:46

Re: Security Exploit in UAIO Binary
 
Rcon password has been changed. I noticed this in my users.ini:

"loopback" "" "abcdefghijklmnopqrstu" "de"

No Steam ID, just that. Does that mean anyone with the name loopback could have admin, or is it just a dead line, or does it come with the file originally?

Alka 02-02-2008 14:51

Re: Security Exploit in UAIO Binary
 
It's a dead line that comes with original AMX Mod X. It's an example.

vittu 02-02-2008 15:15

Re: Security Exploit in UAIO Binary
 
loopback is not a name; it is used only when you run a listen server, i.e. you start a server by choosing "new game" within your mod, where you are the server...

It's left there for convenience; no one can use it unless they are the server.

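The exchange above covers two checks worth scripting: Bail's "only entries you know about" and the meaning of the account flags on the loopback line. As an added example (not from the thread or from AMX Mod X), the script below parses a users.ini and flags what an operator should look at after an incident like this one. It assumes the standard AMX Mod X line layout of four quoted fields (auth, password, access flags, account flags) and the documented flag meanings: account flag c matches by Steam ID, d by IP, e skips the password check; access flag l grants rcon. The sample file and its Steam IDs are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Constructed sample users.ini; the Steam IDs are placeholders, not from the thread.
SAMPLE_USERS_INI = """\
; stock line shipped with AMX Mod X: flag d = match by IP, e = no password check
"loopback" "" "abcdefghijklmnopqrstu" "de"
; the operator's own admin, matched by Steam ID (flag c)
"STEAM_0:1:1" "" "abcdefghijklmnopqrstu" "ce"
; matched by nickname with no password: anyone who takes this name gets full admin
"Owner" "" "abcdefghijklmnopqrstu" "e"
; Steam ID the operator does not recognise, carrying the rcon flag (l)
"STEAM_0:0:2" "" "l" "ce"
; nickname plus password: the expected shape for a name-based entry
"Helper" "s3cret" "bcdei" "a"
"""

# Fields are whitespace separated and normally double quoted; "" is an empty field.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


@dataclass
class Entry:
    lineno: int
    auth: str      # nickname, IP or Steam ID, depending on account flags
    password: str
    access: str    # admin access flags (assumed: l = rcon)
    flags: str     # account flags (assumed: c = Steam ID, d = IP, e = no password check)


def parse_users_ini(text):
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("//"):
            continue
        tokens = [u if u else q for q, u in TOKEN_RE.findall(line)]
        tokens += [""] * (4 - len(tokens))  # tolerate short lines
        entries.append(Entry(lineno, *tokens[:4]))
    return entries


def audit_users_ini(text, trusted_steamids):
    """Return (lineno, severity, message) for every entry an operator should review."""
    trusted = {s.upper() for s in trusted_steamids}
    findings = []
    for e in parse_users_ini(text):
        by_steamid = "c" in e.flags or e.auth.upper().startswith("STEAM_")
        by_ip = "d" in e.flags
        no_password = "e" in e.flags
        if by_ip and e.auth == "loopback":
            # Only the listen-server host itself is reported as "loopback".
            findings.append((e.lineno, "info",
                             "stock listen-server entry; only the host itself matches 'loopback'"))
            continue
        if by_steamid and e.auth.upper() not in trusted:
            findings.append((e.lineno, "high",
                             f"unknown Steam ID {e.auth} has access flags {e.access!r}"))
        elif not by_steamid and not by_ip and no_password:
            findings.append((e.lineno, "high",
                             f"nickname {e.auth!r} gets admin with no password check"))
        if "l" in e.access:
            findings.append((e.lineno, "warn", f"entry {e.auth!r} grants rcon (access flag l)"))
    return findings


if __name__ == "__main__":
    for lineno, severity, msg in audit_users_ini(SAMPLE_USERS_INI, ["STEAM_0:1:1"]):
        print(f"line {lineno:3} [{severity}] {msg}")
```

Run it against the real file with your own list of admin Steam IDs; the "high" findings are the entries an intruder with a backdoored plugin (or the rcon password) would have added to keep access after the plugin is replaced.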
Firecracker 02-02-2008 16:12

Re: Security Exploit in UAIO Binary
 
OK, thanks guys, I appreciate the help and the notice. I love the plugin and would have hated to quit using it. Is there any usability difference between the unexploited 1.51 and the exploited version?

Roach 02-02-2008 17:06

Re: Security Exploit in UAIO Binary
 
No, no difference, just the lack of a backdoor.

[cTs] Corvette 02-03-2008 10:57

Re: Security Exploit in UAIO Binary
 
I too have had two different people come into my server and get RCON control. The last password I had was a randomly generated 8-digit strong password, and the person didn't try any other passwords. Is there some other exploit (I am not using UAIO) out there that I need to be aware of?

The Steam IDs of the two offending people were STEAM_0:1:12364937 and STEAM_0:0:98920, should any of you want to ban them proactively.

Mordekay 02-03-2008 10:59

Re: Security Exploit in UAIO Binary
 
I think this is not the right place to name and shame other users. There is no solid proof that these are really the Steam IDs except your word.

[cTs] Corvette 02-03-2008 16:37

Re: Security Exploit in UAIO Binary
 
I'm just trying to get the word out that there is possibly some other exploit out there. Believe me or not, I could care less. Ban the two hackers or not, again, I could care less.

sawce 02-03-2008 19:26

Re: Security Exploit in UAIO Binary
 
Corvette: If you would like me to do the same scan I did to check someone else's addons folder (which is the scan that found the UAIO backdoor), zip up and email your addons folder (minus any sensitive information such as passwords or SQL information) to stevedude at gmail dot com. Include amxx somewhere in the subject if you do.

8088 02-03-2008 22:20

Re: Security Exploit in UAIO Binary
 
Quote:

Originally Posted by BAILOPAN (Post 579249)
I'm listing them and server operators in the community can decide if they want to blacklist them or not:
Code:

STEAM_0:0:13428340

Interesting : STEAM_0:0:13428340 -> http://forums.alliedmods.net/showthr...979#post565979 -> http://steamcommunity.com/profiles/76561197987122408

