Author Topic: ARSSE vulnerbility  (Read 15412 times)

0 Members and 1 Guest are viewing this topic.

Offline chrisgbk

  • Inactive Staff
  • Veteran
  • *****
  • Posts: 1739
ARSSE vulnerbility
« on: April 21, 2007, 09:47:30 pm »
A large vulnerbility with ARSSE has become known; if you use ARSSE, a hacker can cause your copy of ARSSE to execute arbitrary commands (most likely, said person will run /admip or /adm to give themselves admin access); said hacker can also cause your copy of ARSSE to freeze or crash, which not only prevents you from admining the server remotely, it will also most likely remove your clientside logs of anything happening. There is nothing you can change currently to prevent this from happening, so stop using ARSSE until KeFear fixes it.

1.4.0 will have some measures in place to prevent this, but at this time there won't be an update released to the dedicated server, because the exploit doesn't affect the server itself.

Offline EnEsCe

  • Retired Soldat Developer
  • Flamebow Warrior
  • ******
  • Posts: 3101
  • http://enesce.com/
    • [eC] Official Website
Re: ARSSE vulnerbility
« Reply #1 on: April 21, 2007, 09:48:55 pm »
Lazy developer needs to fix his software.

*cough* KeFear *cough*

On a side note: (Customers of my server hosting don't need to worry about this)
You can make an iptables rule to block this exploit on outgoing TCP packets to your server port.

Offline truup

  • Soldier
  • **
  • Posts: 243
Re: ARSSE vulnerbility
« Reply #2 on: April 22, 2007, 03:12:45 am »
What about original admin program?

Offline chrisgbk

  • Inactive Staff
  • Veteran
  • *****
  • Posts: 1739
Re: ARSSE vulnerbility
« Reply #3 on: April 22, 2007, 03:14:13 am »
Original admin program is unaffected, but that's not to say it doesn't have it's own issues.

Offline iDante

  • Veteran
  • *****
  • Posts: 1967
Re: ARSSE vulnerbility
« Reply #4 on: April 22, 2007, 03:21:23 am »
hackers... seems like so much time is spent keeping loosers from breaking the game that could be spent making the game better... I suppose its life though.

Offline truup

  • Soldier
  • **
  • Posts: 243
Re: ARSSE vulnerbility
« Reply #5 on: April 22, 2007, 03:24:03 am »
hackers... seems like so much time is spent keeping loosers from breaking the game that could be spent making the game better... I suppose its life though.
Well, they kinda make it better. They find the securityholes, and developers fix them. :}

Offline spkka

  • Camper
  • ***
  • Posts: 469
Re: ARSSE vulnerbility
« Reply #6 on: April 22, 2007, 08:13:53 am »
oh yes thnx for telling me..
ppl were joining my server all the time last night becus someone was ruining yurs tw server enesce
i closed it already!
Any good other variants?

Offline KeFear

  • Soldier
  • **
  • Posts: 181
  • ARSSE Creator
Re: ARSSE vulnerbility
« Reply #7 on: April 22, 2007, 10:20:04 am »
Ok, thanks for reporting this. I'm working on ARSSE to fix this. I've uploaded a fix that solves the 'if $MESSAGE' bug for now. Expect the /commands fix hopefuly this evening. I can't embed CRLF into chat at the moment to imitate the bug yet.
« Last Edit: April 22, 2007, 10:21:59 am by KeFear »

Offline mar77a

  • Global Moderator
  • Veteran
  • *****
  • Posts: 1295
  • mad
    • random stuffs
Re: ARSSE vulnerbility
« Reply #8 on: April 22, 2007, 07:00:45 pm »
This has nothing to do with Soldat or BattlEye, it's a hole in (the) ARSSE.
« Last Edit: April 22, 2007, 08:22:21 pm by mar77a »

Offline Zamorak

  • Camper
  • ***
  • Posts: 475
Re: ARSSE vulnerbility
« Reply #9 on: April 22, 2007, 07:42:00 pm »
it's a hole in ARSSE.

No pun intended :P
ZamoraK |2Wai|

Offline mar77a

  • Global Moderator
  • Veteran
  • *****
  • Posts: 1295
  • mad
    • random stuffs
Re: ARSSE vulnerbility
« Reply #10 on: April 22, 2007, 08:22:32 pm »
 ;)

Offline ChiefBlackFoot

  • Major(1)
  • Posts: 13
Re: ARSSE hole
« Reply #11 on: April 22, 2007, 08:48:25 pm »
KeFear and I tested some crap and I gave him suggestions to fix it all up 100%.  Now everything is fine and all bugs are fixed, except for the REFRESHX admin client freezing bug.

ChrisGBK can help him fix that since I know nothing about delphi and its TCP sockets.

It was a combination of soldat server not filtering out end of lines and ARSSE reading and writing TCP packets.  The blame can't really fall on either party.  KeFear did the best job he could with the admin protocol, which has a tendency to make TCP packets "stick" together.  It makes it necessary to parse them using the end of lines.

However I have talked to EnEsCe as well about various bugs that could be used to obtain admin access, such as the /adminlog command spying which was used by me and Chrisgbk to find the admin password of EnEsCe's servers.  ( Chris wanna play the adminlog game?  :) )  But he didn't think it was as important, and he is right in that regard, since it is not easy and must be timed perfectly.

-coyote

Offline Mr. Domino

  • Flagrunner
  • ****
  • Posts: 969
  • Don't just sit there and waste your precious time.
    • XBLIG.co
Re: ARSSE vulnerbility
« Reply #12 on: April 22, 2007, 09:04:37 pm »
Would it simply be possible to disable admin adding commands entirely so that this can't be an issue? Let admins be added via control panels or via FTP.

Offline ChiefBlackFoot

  • Major(1)
  • Posts: 13
Re: ARSSE vulnerbility
« Reply #13 on: April 22, 2007, 09:15:14 pm »
doesn't work anymore anyway.

it is relatively safe now.
/admip could only be executed when the ARSSE client had a script that said "/say $PLAYER_NAME"

by the way domino, all apologies for the server deal.  just proving a concept.

Offline mar77a

  • Global Moderator
  • Veteran
  • *****
  • Posts: 1295
  • mad
    • random stuffs
Re: ARSSE vulnerbility
« Reply #14 on: April 22, 2007, 09:20:20 pm »
Would it simply be possible to disable admin adding commands entirely so that this can't be an issue? Let admins be added via control panels or via FTP.

I think that if you leave the Admin_Password= field blank it won't spawn the admin-connection thread.

Offline PiMPUS1337

  • Major(1)
  • Posts: 15
  • Still not banned...
Re: ARSSE vulnerbility
« Reply #15 on: April 22, 2007, 09:37:35 pm »
Yeah, I think somebody set !Elite Modern Combat as max 32 players, Rambo Match, and put about 20 bots in there.

Offline FliesLikeABrick

  • Administrator
  • Flamebow Warrior
  • *****
  • Posts: 6144
    • Ultimate 13 Soldat
Re: ARSSE vulnerbility
« Reply #16 on: April 22, 2007, 10:06:49 pm »
Would it simply be possible to disable admin adding commands entirely so that this can't be an issue? Let admins be added via control panels or via FTP.

stop using ARSSE and you're safe. until either 1) there's a new version of ARSSE out or 2) 1.4 is out

Offline EnEsCe

  • Retired Soldat Developer
  • Flamebow Warrior
  • ******
  • Posts: 3101
  • http://enesce.com/
    • [eC] Official Website
Re: ARSSE vulnerbility
« Reply #17 on: April 22, 2007, 10:17:38 pm »
Just do what I did, open soldatserver in a HEX editor and search/replace "adminlog" with something else but the same length like "logadmin" or "4dm1nl0g", then to login they have to know what its been changed to.

Offline FliesLikeABrick

  • Administrator
  • Flamebow Warrior
  • *****
  • Posts: 6144
    • Ultimate 13 Soldat
Re: ARSSE vulnerbility
« Reply #18 on: April 22, 2007, 10:32:17 pm »
Just do what I did, open soldatserver in a HEX editor and search/replace "adminlog" with something else but the same length like "logadmin" or "4dm1nl0g", then to login they have to know what its been changed to.

but doesn't that violate the EULA of Soldat? :P

Offline mxyzptlk

  • Veteran
  • *****
  • Posts: 1493
  • The Panda Ninja
Re: ARSSE vulnerbility
« Reply #19 on: April 22, 2007, 10:33:56 pm »
Old habits die hard, eh, EnEsCe?

"While preceding your entrance with a grenade is a good tactic in
Quake, it can lead to problems if attempted at work." -- C Hacking