Someone already did an analysis of the module and shared their findings with me. The exploit being used looks like a critical issue with the net_file blacklist, and so it potentially affects all games (nearly complete filesystem access with the net_file command).

On 4/18/2014 9:42 PM, wickedplayer494 wrote:
Probably just GMod. Gonna keep an eye on one of the other Lua-based games I used to play just in case.

On 4/18/2014 10:40 PM, Weasels Lair wrote:
Does this only affect Garry's Mod? Or anything with Lua? I seem to recall Fortress Forever using Lua underneath? Not that anybody plays that any more. Just an example.


On Fri, Apr 18, 2014 at 8:37 PM, Ryan Kistner <[email protected]> wrote:

    I've also mirrored the gist since it appears to have been taken down:

    https://dl.dropboxusercontent.com/u/759758/gistd9872acbf2da227e9281-122b03e8c03fabc15f5acb3b52d5ca0b4baa2360.tar.gz



    On Friday, April 18, 2014 9:33:56 PM, Ryan Kistner wrote:

        Looking at that thread, it appears that engine_win32.dll has a working bypass of the net_file blacklist. If anyone has a sample of that file I would be interested in taking a look at it.

        A quick look at the provided files (gist: https://gist.github.com/Chrisaster/d9872acbf2da227e9281) suggests that:
        - Initial infection from client to server is in client_init.lua, which downloads server.cfg (looking for the RCON password to continue the exploit) and uploads engine_win32.dll
        - Once the server runs the server_infect.lua code, it writes back engine_win32.dll and does a SendLua to install client_init.lua

        If you've firewalled off RCON (as you should have) then this particular version of the exploit won't hurt you. However, there is definitely some sort of bypass for the net_file blacklist.

        On 4/18/2014 9:11 PM, wickedplayer494 wrote:

            http://facepunch.com/showthread.php?t=1386818

            If your clients are complaining about "*cough*" spam or similar through Steam chat, this is what's causing it. It may be wise to just completely kill your server until the Facepunch folks release an update to fix this (even though it's 3 AM in the UK), as it's rumored that even if rcon/client uploads are disabled, it'll still work.

            _______________________________________________
            To unsubscribe, edit your list preferences, or view the list
            archives, please visit:
            https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds


