Author Topic: Advanced Remote Soldat Server Enchanter [v1.2.7] (build 14)


Offline Toumaz

  • Veteran
  • *****
  • Posts: 1906
Re: Advanced Remote Soldat Server Enchanter [v1.2 beta]
« Reply #180 on: February 22, 2007, 02:32:18 pm »
I found this link that appears to be working in the main post.

http://legalize.hu/laki/arsse/beta12.zip
« Last Edit: February 24, 2007, 03:08:45 pm by Toumaz »

Offline rumpel

  • Camper
  • ***
  • Posts: 410
Re: Advanced Remote Soldat Server Enchanter [v1.2 beta]
« Reply #181 on: February 24, 2007, 03:47:38 pm »
My antivirus said there's a virus in it :o
banned.

Offline chrisgbk

  • Inactive Staff
  • Veteran
  • *****
  • Posts: 1739
Re: Advanced Remote Soldat Server Enchanter [v1.2 beta]
« Reply #182 on: February 27, 2007, 07:11:18 am »
Quote
How is that a "security" issue? Of course if you have scripts that run off player messages then any player can use them, that's the point of the scripting... BombSki posted the solution to this (admin only commands) directly above your post.

Other solutions include using double if statements - one that checks player ip/name and the message before acting. If you have a lot of admins or players you want to have special commands for then I would suggest using ESA2 (you can keep a file of vip players' ip/name that can use specific commands and have ESA only run the command if the player's details match the list criteria). Or use MSAT, which had a feature where players could log into an admin running MSAT once they joined a server (with their own password) and you could specify the commands that each player could use in game, e.g. restart, map change etc.

You misunderstand the implications of this bug; what this exploit does is allow EVERYTHING to be executed REGARDLESS of the IF statements around it. On a default install, the practical result is that with one phrase (that I'm not releasing) a player can activate every command at once. What you get is a spam of ARSSE giving details about the player, and the player rapidly changing teams.

Here is a (censored) log of it being abused:
Quote
(11:45:07) [player] *censored*
(11:45:07) /say Available commands:
(11:45:07) /say !rate - shows your K:D rate
(11:45:07) /say !version - shows ARSSE version
(11:45:07) /say !test - performs test if ARSSE can see you
(11:45:07) /say !time - displays current time
(11:45:07) /say !admin - calls an admin to the server
(11:45:07) /say player's rate: 1.00 P: 65535, D: 65535
(11:45:07) /say ARSSE version 1.2.5b
(11:45:08) /say I can see you player
(11:45:08) /say Current server time is 11:45:07
(11:45:08) /setteam5 7
(11:45:08) player has joined spectators.
(11:45:08) /setteam1 7
(11:45:08) player has joined alpha team.
(11:45:08) /setteam2 7
(11:45:08) player has joined bravo team.
(11:45:08) /say player, your IP is XXX.XXX.XXX.XXX
(11:45:09) /say player, your ping is 166

When someone uses custom scripts, depending on what they do, it is possible for someone to execute statements that aren't meant to be executed.
« Last Edit: February 27, 2007, 08:22:18 am by chrisgbk »
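Added example, not from the thread or from ARSSE itself: a small Python detector that reads ARSSE-style console log lines in the "(HH:MM:SS) text" shape of the censored log above and flags a single chat message followed by a burst of script-driven commands, which is the symptom chrisgbk describes. The sample lines are constructed from the quoted log; the window and threshold values are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample shaped like the censored ARSSE console log quoted above.
SAMPLE_LOG = """\
(11:45:07) [player] *censored*
(11:45:07) /say Available commands:
(11:45:07) /say player's rate: 1.00 P: 65535, D: 65535
(11:45:07) /say ARSSE version 1.2.5b
(11:45:08) /say I can see you player
(11:45:08) /setteam5 7
(11:45:08) player has joined spectators.
(11:45:09) /say player, your ping is 166
(11:50:00) [player] !version
(11:50:00) /say ARSSE version 1.2.5b
"""

LINE_RE = re.compile(r"^\((\d\d:\d\d:\d\d)\) (.*)$")         # "(HH:MM:SS) text"
CHAT_RE = re.compile(r"^\[(?P<name>[^\]]+)\] (?P<msg>.*)$")  # "[name] message"

def parse_log(log):
    """Return (timestamp, text) pairs; lines not in the log format are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), "%H:%M:%S"), m.group(2)))
    return events

def find_script_bursts(log, window_s=2, threshold=4):
    """Flag chat lines followed by >= threshold server commands within window_s seconds.
    A normal trigger such as !version yields one or two commands; when every script
    line fires at once the count jumps. Window and threshold are assumed defaults."""
    events = parse_log(log)
    hits = []
    for i, (ts, text) in enumerate(events):
        chat = CHAT_RE.match(text)
        if not chat:
            continue
        deadline = ts + timedelta(seconds=window_s)  # no date: a midnight wrap is not handled
        commands = 0
        for later_ts, later_text in events[i + 1:]:
            # Stop at the window edge or at the next chat line, which starts a new trigger.
            if later_ts > deadline or CHAT_RE.match(later_text):
                break
            if later_text.startswith("/"):
                commands += 1
        if commands >= threshold:
            hits.append({"time": ts.strftime("%H:%M:%S"), "player": chat["name"], "commands": commands})
    return hits
```

Running it on the sample flags the 11:45:07 message (six commands in one burst) and leaves the ordinary !version trigger alone.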

Offline Mr Pink

  • Major(1)
  • Posts: 37
Re: Advanced Remote Soldat Server Enchanter [v1.2 beta]
« Reply #183 on: February 27, 2007, 09:37:59 pm »
Hmm, that does sound concerning. Have you advised Kefear?

Would you mind detailing the bug/phrase in a personal msg... I would happily keep the details confidential. There are quite a number of admins including myself using ARSSE in Aussie and NZ to manage servers and I would certainly like to find a workaround or advise them of the dangers. You can look us all up at http://www.aussoldat.com/

Offline EnEsCe

  • Retired Soldat Developer
  • Flamebow Warrior
  • ******
  • Posts: 3101
  • http://enesce.com/
    • [eC] Official Website
Re: Advanced Remote Soldat Server Enchanter [v1.2 beta]
« Reply #184 on: February 27, 2007, 10:30:24 pm »
Easy fix is to remove everything in your OnPlayerSpeak script file and only use:

Code:
if $MESSAGE = !admin
RCmsg $PLAYER_NAME requested an admin on $SERVER_IP:$SERVER_PORT!
ADMINMSG $PLAYER_NAME requested an admin on $SERVER_NAME!!
endif

That's what I use, so when someone does this exploit it pops up with the !admin dialog so I can whack 'em with a ban hammer.

Offline HEX

  • Major
  • *
  • Posts: 77
  • =tNt=
    • SoldatX Brazilian Community
Re: Advanced Remote Soldat Server Enchanter [v1.2 beta]
« Reply #185 on: February 28, 2007, 12:27:53 pm »
Your cryptography system is very easy to 'break'... I mean, if somebody steals your admin.ini, even if the hacker doesn't know the admin password, he can hack your server just by putting the stolen admin.ini in the place of his admin.ini. That's why I am not using ARSSE anymore :(
« Last Edit: February 28, 2007, 12:31:12 pm by HEX »

Offline chrisgbk

  • Inactive Staff
  • Veteran
  • *****
  • Posts: 1739
Re: Advanced Remote Soldat Server Enchanter [v1.2 beta]
« Reply #186 on: March 06, 2007, 06:32:36 pm »
Quote
Hmm, that does sound concerning. Have you advised Kefear?

Would you mind detailing the bug/phrase in a personal msg... I would happily keep the details confidential. There are quite a number of admins including myself using ARSSE in Aussie and NZ to manage servers and I would certainly like to find a workaround or advise them of the dangers. You can look us all up at http://www.aussoldat.com/

Yes, I have sent a PM to KeFear. Also, I have found a way to exploit it another way, so that OnData commands can also be executed, even if the person isn't an admin.

As for detailing it - sorry, won't release the EXACT way to do it; but I'll say that it's a certain special phrase, and if it ever happens to you you'll know it, because immediately afterwards every line of your script will run.


Here is a way to punish anyone who does it though (ensure your scripts contain nothing that can be abused, as it won't stop any existing commands from running):

OnPlayerSpeak:
Code:
if $MESSAGE = !SomethingPeopleWontEverType
/ban $PLAYER_NUM
endif

There is no way to punish people if they abuse the OnData scripts, however, so the safest bet is to ensure that nothing important is in a script.

Offline fishfood

  • Major
  • *
  • Posts: 92
Re: Advanced Remote Soldat Server Enchanter [v1.2 beta]
« Reply #187 on: March 07, 2007, 06:30:41 pm »
How about adding a function to send an email when a !admin is called?
:)

Offline Mr Pink

  • Major(1)
  • Posts: 37
Re: Advanced Remote Soldat Server Enchanter [v1.2 beta]
« Reply #188 on: March 08, 2007, 03:27:00 am »
Quote
Yes, I have sent a PM to KeFear.

Good stuff! Hopefully things get sorted soon.

Offline Mikeman

  • Soldier
  • **
  • Posts: 150
    • Nuke Corruption
Re: Advanced Remote Soldat Server Enchanter [v1.2 beta]
« Reply #189 on: March 14, 2007, 02:48:19 am »
Could anyone help me out with ARSSE scripts? I know ARSSE has some bugs but I wanna use it because it's so easy :)

Is there a way to see who's playing on a server by adding a script to OnIRCMessage.txt and typing !playersctf or !playersinf to list the players of a specific server in the IRC channel?

If someone could visit #mrp @ quakenet and help me, it would be great  ;)

Thanks in advance!

Offline manowarr

  • Major(1)
  • Posts: 9
  • watch your back
Re: Advanced Remote Soldat Server Enchanter [v1.2 beta]
« Reply #190 on: March 31, 2007, 08:28:37 pm »
Quote
My antivirus said there's a virus in it :o

Yep... beta12.zip is infected with malware trojan.agent

wtf?

Offline KeFear

  • Soldier
  • **
  • Posts: 181
  • ARSSE Creator
Re: Advanced Remote Soldat Server Enchanter [v1.2 beta]
« Reply #191 on: April 01, 2007, 02:35:22 pm »
wtf? Show me a screenshot of that antivir finding a malware trojan in beta12.zip!

Offline Mikeman

  • Soldier
  • **
  • Posts: 150
    • Nuke Corruption
Re: Advanced Remote Soldat Server Enchanter [v1.2 beta]
« Reply #192 on: April 05, 2007, 02:08:54 am »
My antivirus found nothing

Offline Silverflame

  • Soldier
  • **
  • Posts: 182
  • The Last Sniper
Re: Advanced Remote Soldat Server Enchanter [v1.2 beta]
« Reply #193 on: April 07, 2007, 02:31:53 am »

I have mad skills, don't you?

Offline FliesLikeABrick

  • Administrator
  • Flamebow Warrior
  • *****
  • Posts: 6144
    • Ultimate 13 Soldat
Re: Advanced Remote Soldat Server Enchanter [v1.2 beta]
« Reply #194 on: April 08, 2007, 06:46:41 pm »
Here's a version I found since there don't appear to be any working links. I've offered some webspace to KeFear since arsse.fracs.net doesn't work anymore and none of the mirrors work.

Offline jrgp

  • Administrator
  • Flamebow Warrior
  • *****
  • Posts: 5036
Re: Advanced Remote Soldat Server Enchanter [v1.2 beta]
« Reply #195 on: April 08, 2007, 08:37:31 pm »
None of the mirrors work?

This one always does: http://soldat.jrgp.org/file_download.php?id=3

Quote
My antivirus found nothing

same

Strange. My AVG Antivirus always finds a trojan in it. It has all of the latest updates.
There are other worlds than these

Offline HEX

  • Major
  • *
  • Posts: 77
  • =tNt=
    • SoldatX Brazilian Community
Re: Advanced Remote Soldat Server Enchanter [v1.2 beta]
« Reply #196 on: April 09, 2007, 09:41:27 am »
Yes, I've found a trojan too.
And what about the password cryptography?

Offline FliesLikeABrick

  • Administrator
  • Flamebow Warrior
  • *****
  • Posts: 6144
    • Ultimate 13 Soldat
Re: Advanced Remote Soldat Server Enchanter [v1.2 beta]
« Reply #197 on: April 09, 2007, 10:23:58 am »
Contact whoever makes your antivirus and send them a link to the file so that they can correct their heuristics and avoid future false positives.

Offline KeFear

  • Soldier
  • **
  • Posts: 181
  • ARSSE Creator
Re: Advanced Remote Soldat Server Enchanter [v1.2 beta]
« Reply #198 on: April 10, 2007, 12:01:12 pm »
Okay people, I was quite busy these days/months, so I had no time to work on ARSSE. My host has problems with its domain name now, so the main link is down, but the IP links should work. This issue will be solved in a few weeks I hope; until then, FliesLikeABrick has offered to host ARSSE.
So I will put the app together in a nice zip, so you don't have to play with arsse.zip and beta12.zip anymore, and I hope I can fix the notorious script-abuse problem. (I'm a bit ill now, so I hope I will have some time to work on this project again in a few days.)

Offline Mikeman

  • Soldier
  • **
  • Posts: 150
    • Nuke Corruption
Re: Advanced Remote Soldat Server Enchanter [v1.2 beta]
« Reply #199 on: April 10, 2007, 11:54:47 pm »
I can also host it at my site, www.mrp-soldat.com. Since I have 1GB of space at the host, hosting ARSSE is not a big deal ;)
I tried to download the zip but it doesn't work for me  :-\
« Last Edit: April 10, 2007, 11:58:14 pm by Mikeman »